HashiCorp improves credential management as it releases Vault 1.3

HashiCorp improves credential management as it releases Vault 1.3

HashiCorp’s secrets management tool Vault has been made available in version 1.3, which brings some additional enterprise features and means to help those grappling with the management of active directory credentials sets.

The latter has been realised with Active Directory Secret Check In/Check Out. The feature allows members of a team, or indeed applications, to use one selected service account at a time. Once they are checked back in, passwords are rotated.

Vault operators interested in debugging information related to a particular node can get that via the new top-level subcommand debug. It can probe for config, host, metrics, pprof, server status, and replication status and packages the outputs in a tarball archive. Since some of the data accessed like that can be quite sensitive, the command can only be used with the right set of permissions. If it is used nonetheless, the output will be deleted and a permissions error will be added to the Audit Log.

Since the last release, the Vault team has changed the way activating performance and DR secondary clusters work, and stopped the software from advertising the full TLS Cipher suite by default. The later “could cause false flags on port scanners and other security utilities that assumed insecure ciphers were being used”.

Enterprise users meanwhile can look forward to making use of the newly added entropy augmentation amongst other things. In the context of Vault, entropy describes the statistical randomness for cryptographic operations, which is necessary to make a system’s output harder to predict.

Augmented entropy was designed for environments that have to comply with cryptographic regulations or are meant to work with hardware random number generators for extra safety. It replaces the system entropy Vault normally uses when random number operations have to be performed on critical security parameters such as Vault’s master key or root tokens.

Another enterprise-only addition are path filters that enable users to specify which “secrets within a namespace will be omitted from performance replication”. 

Still in beta but accessible to all Vault users are the improvements to the tool’s integrated storage. They include a reworked user interface to facilitate storage management as well as some performance and stability optimisations. Non-voter storage nodes also help with performance and a recovery mode has been added to handle outages caused by the data store being in a bad state.

The full list of changes can be found in the project’s repository.