HashiCorp not so secretly hands over keys to Vault 1.0

With a spruced-up infrastructure in place, HashiCorp’s secret management and data protection tool Vault is now available in v1.0.

Secrets are things like passwords, certificates, and API keys that need to be stored somewhere without everyone having access to them. Vault takes care of that problem by either securely storing key/value secrets or generating them on demand. It also offers ways of encrypting and decrypting data without actually storing it, and of revoking secrets in case of an intrusion.

The first major release includes new features such as batch tokens, which should do especially well for workloads made up of large numbers of single-purpose operations, since they don’t write to disk and therefore reduce the performance cost of those operations. If a team decides to migrate its data to another storage backend, Vault now offers an operator migrate command to do so offline. Unused key versions found in keys in the transit secret engine can be trimmed once Vault has been updated, and admins are able to set up credential rotation for the AWS secret engine.

To help new users get comfortable in the depths of Vault, there are now wizards in place offering support for configuring the tool and storing secrets. The Vault team also updated the screens for mounting auth methods and secret engines, and made sure that managing the key versioning within the K/V secret engine v2 can be done from the user interface.

A description of mounted backends and endpoint capabilities for a given token’s permissions can now be generated through an OpenAPI endpoint. Vault 1.0 is the first version to support the OpenAPI standard, which aims to provide a vendor-neutral description format for API calls.

Those having to manage keys in Google Cloud Platform’s cloud key management system can do so via a new interface, which also facilitates key generation and transit-like encrypt and decrypt operations. Meanwhile, users of Alibaba Cloud will be happy to hear that its Auth Method is now a supported Auto Auth interface, and that Alibaba Cloud KMS can serve as a seal-wrap and auto-unseal target for Vault 1.0.

Since HashiCorp is known for its open source engagement, the 1.0 release also comes with a newly open-sourced component: Cloud Auto Unseal. Unsealing in Vault describes the process of constructing the master key that is needed to read the decryption key; only after that can data be decrypted. Cloud Auto Unseal was originally developed so that enterprises could choose to manage unsealing in Vault with their cloud offering of choice, and is now available to all. HSM-based Auto Unseal and Seal-Wrap, however, will remain reserved for Vault Enterprise users.

More details can be found in the changelog of the project’s GitHub repository. Vault is an open source project, and an enterprise version with support and additional features is offered by HashiCorp with pricing available on request.