HashiCorp’s Vault gets even more secretive with integrated storage option

HashiCorp has pushed out v1.2 of its secret management tool Vault, fitting it with an integrated storage preview amongst other things.

With the integrated storage feature, admins no longer need to know another tool to configure a storage backend for Vault’s persistent data, but can use a built-in option instead. It relies on the Raft consensus algorithm, which is also used in other HashiCorp tools such as Consul and Nomad. Since it is a preview feature that is not advised for production use, there isn’t any enterprise support for it yet – that is meant to follow in one of the next versions.

Starting with Vault 1.2, the tool’s identity system can generate OIDC-compliant ID tokens, so that third-party applications can verify Vault entities (Vault’s representation of a client), their group memberships, and their aliases in identity management systems. The integrated database secrets engine can now manage and rotate the credentials of existing database accounts, rather than only generating new temporary ones.

The release also comes with a plugin to use Pivotal Cloud Foundry certificates for Vault authentication, as well as one to issue short-lived Elasticsearch credentials. To give users a better overview of the APIs available for their requests, the Vault team has added an API explorer to the project’s UI. Other new UI features include an HTTP request volume page and an interface for editing LDAP users and groups.

Vault Enterprise users get a new secrets engine with the release. It lets Vault act as a Key Management Interoperability Protocol (KMIP) server for client requests. KMIP is an open OASIS protocol that helps integrate secrets management with other software and hardware platforms. Its support in Vault Enterprise 1.2 makes working with older hardware easier and facilitates things like key management in “bring your own key” scenarios in multi-cloud or hybrid cloud setups.

If you’re working with Vault and AWS, be aware that a region set in the awskms seal stanza now takes precedence over one set in the enclosing environment, which could break existing setups that relied on the environment’s region. A complete list of changes, including Vault’s switch to Go modules for dependency management, can be found in the project’s repository.
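The two configuration points above, integrated storage and the awskms seal region, end up in the same server configuration file, so here is one added example showing both side by side. It is not taken from the article or from HashiCorp’s own material; the data path, node id, hostnames, TLS file locations, KMS key alias and region are all assumed placeholders.

```hcl
# Added example Vault server configuration (HCL). All paths, hostnames,
# the node id, the key alias and the region below are assumed placeholders.

# Integrated storage: Vault keeps its own Raft-replicated data on local disk
# instead of depending on an external backend such as Consul. In Vault 1.2
# this backend is a preview and not advised for production use.
storage "raft" {
  path    = "/opt/vault/data"   # assumed: local directory owned by the vault user
  node_id = "vault-node-1"      # assumed: must be unique for every node in the cluster
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # assumed location
  tls_key_file  = "/etc/vault/tls/vault.key"   # assumed location
}

# Integrated storage needs both addresses so that nodes can reach each
# other and forward client requests to the current leader.
api_addr     = "https://vault-node-1.example.internal:8200"
cluster_addr = "https://vault-node-1.example.internal:8201"

# Auto-unseal with AWS KMS. From Vault 1.2 on, the region given here wins
# over AWS_REGION / AWS_DEFAULT_REGION in the service environment, so it
# has to be the region the KMS key actually lives in; a setup that used to
# rely on the environment variable and carried a stale value here will
# fail to unseal after the upgrade.
seal "awskms" {
  region     = "us-east-1"            # assumed: region of the KMS key
  kms_key_id = "alias/vault-unseal"   # assumed: key alias or key id
}
```

Before upgrading an existing cluster, compare the `region` in every node’s seal stanza with the region of the unseal key in KMS; if they differ, fix the stanza first, because after the upgrade the environment will no longer paper over the mismatch.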