Yesterday, HashiCorp announced HashiCorp Vault 1.0. It is a tool that can be used to manage secrets and protect sensitive data for infrastructures and applications. This first major release focuses on high performance and scalability in workloads.
Batch tokens are a new type of token with support for ephemeral, high-performance workloads. They do not write to disk and thereby significantly reduce the performance cost of operations within Vault. The trade-off is that batch tokens are not persistent, so they are of little use in long-lived or ongoing operations, or in any operation that requires token resiliency.
Due to their ephemeral nature, batch tokens are well suited to large batches of single-purpose operations, such as encrypting and decrypting with the transit secrets engine. They are not suited to operations like persistent secret access within a K/V engine.
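The batch-token workflow described above, as an added example (not code from the announcement or the Vault project): mint a batch token over the HTTP API, confirm Vault really issued a non-renewable batch token rather than a service token, and use it for a transit encrypt/decrypt round trip. It assumes a transit engine mounted at transit/ with a key named app-key, a policy named transit-app-key, a placeholder parent token, and a local dev server address; the fake transport is a constructed stand-in so the flow runs offline.

```python
import base64
import json
import urllib.request


def http_send(path, token, payload, addr="http://127.0.0.1:8200"):
    """POST JSON to a Vault API path with X-Vault-Token; return the parsed body."""
    req = urllib.request.Request(f"{addr}/v1/{path}", method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def create_batch_token(send, parent_token, policies, ttl="5m"):
    """Request a batch token (type=batch) and verify Vault actually issued one."""
    auth = send("auth/token/create", parent_token,
                {"type": "batch", "policies": policies, "ttl": ttl})["auth"]
    # Batch tokens are never renewable and are not persisted; anything else means
    # the caller silently got a service token with persistence it did not ask for.
    if auth.get("token_type") != "batch" or auth.get("renewable"):
        raise RuntimeError(f"expected a batch token, got {auth}")
    return auth["client_token"]

def transit_encrypt(send, token, key, plaintext):
    # Transit takes base64 plaintext; the ciphertext embeds the key version (vault:vN:...).
    b64 = base64.b64encode(plaintext).decode()
    return send(f"transit/encrypt/{key}", token, {"plaintext": b64})["data"]["ciphertext"]

def transit_decrypt(send, token, key, ciphertext):
    body = send(f"transit/decrypt/{key}", token, {"ciphertext": ciphertext})
    return base64.b64decode(body["data"]["plaintext"])

def fake_send_factory():
    """Constructed stand-in for a Vault server (no real crypto) so the flow runs offline."""
    stored = {}
    def send(path, token, payload):
        if path == "auth/token/create":
            return {"auth": {"client_token": "hvb.CONSTRUCTED", "token_type": payload["type"], "renewable": False}}
        if path.startswith("transit/encrypt/"):
            ct = "vault:v1:" + payload["plaintext"]  # response shape only, not real ciphertext
            stored[ct] = payload["plaintext"]
            return {"data": {"ciphertext": ct}}
        if path.startswith("transit/decrypt/"):
            return {"data": {"plaintext": stored[payload["ciphertext"]]}}
        raise KeyError(path)
    return send

def batch_roundtrip(send=None, plaintext=b"pan=4111111111111111"):
    send = send or fake_send_factory()          # pass http_send to talk to a real server
    tok = create_batch_token(send, "ROOT_TOKEN_PLACEHOLDER", ["transit-app-key"])
    ct = transit_encrypt(send, tok, "app-key", plaintext)
    return tok, ct, transit_decrypt(send, tok, "app-key", ct)
```

Against a real server, `batch_roundtrip(http_send)` performs the same steps; the policy transit-app-key should grant only update on transit/encrypt/app-key and transit/decrypt/app-key so the short-lived batch token cannot reach anything else.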
Cloud Auto Unseal is open-sourced in Vault 1.0, allowing Vault users to leverage cloud key-management services such as AWS KMS, Azure Key Vault and GCP CKMS. It is open-sourced to simplify storing and reassembling Shamir's keys for users. HSM-based Auto Unseal and Seal-Wrap remain features of Vault Enterprise; they are typically deployed to meet government and regulatory compliance requirements.
The latest release of Vault supports the OpenAPI standard from the OpenAPI Initiative. This standard provides a vendor-neutral description format for API calls. Using the /sys/internal/specs/openapi endpoint, Vault can now generate an OpenAPI v3 document describing the mounted backends and the endpoint capabilities available under a token's permissions.
There have been significant UI upgrades in Vault leading up to 1.0. These upgrades include:
Features for operating Vault with and within Alibaba Cloud have been expanded. In Vault 1.0, Alibaba Cloud KMS is supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud auth method is now a supported interface for Auto-Auth within Vault Agent.
A new secrets engine has been added for managing cryptographic operations within GCP CKMS. With this interface, users can perform transit-like encrypt/decrypt operations, key creation and key management against external GCP CKMS systems.
The credential used by the AWS secrets engine can be rotated so that only Vault knows it. With the new operator migrate command, users can perform offline migration of data between two storage backends. Keys in the transit secrets engine can be trimmed, which allows removal of older, unused key versions.
To know more about Vault, visit the HashiCorp website.