HashiCorp Vault hits 1.0
Now that HashiCorp Vault 1.0 has been released, the company has four projects that have reached 1.0! This release is focused on renovating Vault’s infrastructure to support high performance, scalable workloads. Since Vault 1.0 introduces significant new functionality, they provide both general upgrade instructions, as well as a Vault 1.0-specific upgrade page.
HashiCorp Vault 1.0 is here, which means the company currently has four projects that have reached 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application.
The latest release is a major milestone; since it introduces significant new functionality, the company is offering general upgrade instructions, as well as a Vault 1.0-specific upgrade page. Check out the Vault 1.0 changelog for the full list of features, enhancements, and bug fixes.
You can download Vault 1.0 here.
Before we dive deeper into the goodies included in HashiCorp Vault 1.0, let’s have a look at the journey to Vault 1.0, as explained by Armon Dadgar, HashiCorp founder & co-CTO.
You can find the full transcript here.
HashiCorp Vault 1.0: Highlights
Vault came into being almost four years ago; it was born out of the company’s desire to find out how an organization has a central place to define where all their secrets live. The latest release is focused on renovating Vault’s infrastructure to support high performance, scalable workloads, according to the blog post announcing Vault 1.0.
The list of highlights includes:
- Batch Tokens: A new type of token optimized for high performance, ephemeral workloads.
Their biggest benefit is that since they do not write to disk, the performance cost of any operation within Vault is significantly reduced. However, the downside is that they are not persistent and should not be used for any kind of long-lived or ongoing operation or any operation that requires resiliency of that token in the face of the failure or downtime of the Vault cluster.
Batch tokens are well-suited for large batches of single-purpose operations but ill-suited for operations such as persistent access for secrets within a K/V engine.
- Open Source Cloud Auto Unseal: Cloud-based auto unseal is now open source.
In short, all Vault users can leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS to manage the unseal process for Vault. HashiCorp decided to open source Cloud Auto Unseal in order to make the process of storing and reassembling Shamir’s keys for simple for everyone.
Keep in mind that HSM-based Auto Unseal (via the PKCS#11 standard) and Seal-Wrap will continue to remain features within Vault Enterprise.
- OpenAPI Support: Vault now supports the OpenAPI standard.
The latest release supports the Open API Initiative’s OpenAPI standard. With the
/sys/internal/specs/openapi endpoint, Vault can generate an OpenAPI v3 document that describes mounted backends and endpoint capabilities for a given token’s permissions.
- Updated UI: Significant updates to the Vault UI for better ease of use.
There are a bunch of changes to the Vault UI, including wizards to help introduce new users to common Vault workflows for configuring Vault and storing secrets, updated screens for how users mount auth methods and secret engines, support for managing key versioning within the K/V v2 secrets engine, to name a few. The aim of the updated UI is to ensure that Vault can almost completely be deployed, initialized, and managed from within the Vault UI.
- GCP Cloud KMS Secrets Engine: Manage GCP CKMS keys from within Vault.
With Vault 1.0, the company released a new secrets engine for managing cryptographic operations within Google Cloud Platform’s Cloud Key Management System. This interface allows for transit-like decrypt/encrypt operations, key creation, and key management within external GCP CKMS systems.