HashiCorp Vault 1.3 adds new debugging command & more
HashiCorp Vault is focused on security, secret keeping, data encryption, and identity management. It keeps all your sensitive data, including API keys, passwords, and certificates, under wraps. Version 1.3 has now been released to the public. Check out all the new updates made to HashiCorp Vault, including some beta improvements, a new debug CLI command, and two new features just for Vault Enterprise.
HashiCorp created Vault with the intention of centrally securing and controlling sensitive data, from passwords to certifications and encryption keys. HashiCorp Vault uses a dynamic infrastructure and authenticates against trusted sources to keep your secrets safe and secure.
It can encrypt sensitive data without storing it, and every secret stored in Vault carries a lease; when the lease expires, the secret is revoked.
On November 14, 2019 the newest version was released to the public. HashiCorp Vault version 1.3 includes a few features for Vault Enterprise, as well as some new goodies for the free open source version.
HashiCorp Vault 1.3 changes
Vault 1.3 is focused on improving Vault’s ability to serve as a platform for credential management workloads for services such as Active Directory and Kubernetes, and on supporting global multi-cloud operations with high-performance, compliance-regulated workloads.
From the changelog, some of the important changes this time around:
Vault Debug command
The new CLI command vault debug gathers up debugging metrics about a Vault node’s health. This information includes replication status, server status, host information, available memory, server state, etc.
Users can share the metrics with support and engineering teams.
Be aware that the vault debug archive does not natively encrypt information. Users should take caution and only transit the information over encrypted channels, as it may contain sensitive information.
Read more about the feature in the documentation.
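The following script is an added example, not code from the article or from HashiCorp. It captures a vault debug bundle narrowed to a few targets and then encrypts the plaintext archive before it is handed to support, which addresses the caveat above. The -duration, -interval, -output, -compress and -target flags are real vault debug options; the output paths, the environment variables and the passphrase file are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from HashiCorp): collect a
# `vault debug` bundle and encrypt it before it leaves the host.
# Paths, RUN_CAPTURE, DEBUG_* and PASSFILE are assumed names, not Vault's.
set -eu

# Print the argument list for a capture lasting DURATION, sampled every
# INTERVAL, written to OUTPUT.tar.gz. The target list is narrowed to what
# support usually needs; config and pprof are deliberately left out so the
# bundle carries no more than necessary.
debug_args() {
  duration="$1"; interval="$2"; output="$3"
  printf '%s\n' \
    "-duration=${duration}" \
    "-interval=${interval}" \
    "-output=${output}" \
    "-compress=true" \
    "-target=server-status" \
    "-target=replication-status" \
    "-target=host" \
    "-target=metrics"
}

# Run the capture. Needs VAULT_ADDR/VAULT_TOKEN like any other vault CLI
# call. Prints only the path of the compressed archive on stdout.
collect_bundle() {
  output="$1"
  # Arguments contain no whitespace, so word splitting is safe here.
  set -- $(debug_args "${DEBUG_DURATION:-2m}" "${DEBUG_INTERVAL:-30s}" "$output")
  vault debug "$@" >&2
  echo "${output}.tar.gz"
}

# The archive is plaintext. Encrypt it with a passphrase shared out of band,
# record a digest of the ciphertext for the recipient, remove the plaintext.
seal_bundle() {
  archive="$1"; passfile="$2"
  openssl enc -aes-256-cbc -pbkdf2 -salt \
    -in "$archive" -out "${archive}.enc" -pass "file:${passfile}"
  sha256sum "${archive}.enc" > "${archive}.enc.sha256"
  rm -f "$archive"
  echo "${archive}.enc"
}

if [ "${RUN_CAPTURE:-0}" = "1" ]; then
  bundle="$(collect_bundle "./vault-debug-$(date +%Y%m%d-%H%M%S)")"
  sealed="$(seal_bundle "$bundle" "${PASSFILE:?set PASSFILE to the passphrase file}")"
  echo "share ${sealed} and ${sealed}.sha256 only over an encrypted channel"
fi
```

Run with RUN_CAPTURE=1 and PASSFILE pointing at the passphrase file on a host where the vault CLI is authenticated; without RUN_CAPTURE the script only defines the functions.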
Integrated storage beta improvements
1.3 introduces some beta improvements to Vault’s storage. The improvements include:
- Non-voter nodes
- Secure recovery mode for emergencies
- UI improvements for integrated storage and snapshot management
- Backend improvements for better stability
Since the integrated storage feature is in beta, users should not use it in production workloads.
HashiCorp Vault 1.3 is available today and is packed with new features and functionality, including: Entropy Augmentation, Active Directory Check In/Out, Debug support, Path Filtering, OCI Support, Improved Integrated Storage, and much more! https://t.co/PF9eHCZ2yx pic.twitter.com/9lFZzY1F4w
— HashiCorp (@HashiCorp) November 14, 2019
Customers of the enterprise version receive two new features.
- Entropy Augmentation: This allows Vault Enterprise to draw entropy from an external source. From the release blog: “Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module.” This feature is disabled by default.
- Filtered Path Replication: This feature is based upon Filter Mount Replication, which was added in Vault 0.8. Users can now specify path filters. You can filter namespaces as well as mounts.
View the full list of all changes and fixes in the GitHub changelog.
How secure is Vault?
What about “quantum threats”?
Fear not, Vault has been keeping up. A blog post by Andy Manoske delves deep into how Vault will protect from quantum computers, which continue to grow and become more of a potential security issue.
Quantum mechanics isn’t reserved for your physics classroom or thought experiments anymore. Quantum computers can run known algorithms that speed up attacks on today’s cryptography. Efforts against these threats include lattice-based cryptography and ring learning with errors key exchange, which aim to be resistant to quantum computers and provide post-quantum security. (Not to mention the reports have amazing titles, such as Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE.)
Meanwhile, HashiCorp Vault has been tracking the situation. According to Manoske:
Vault’s mission is to secure any kind of information for any kind of infrastructure. As quantum computing becomes part of the infrastructure stack, and quantum threats become part of one’s threat model, we stand ready to adopt new technology in support of our ongoing mission.