HashiCorp unlocks Vault 1.4, promises masking, transformations…

HashiCorp has shipped v1.4 of Vault, its secrets management and identity management tool, throwing in a trio of enterprise-only features.

These include the Transform Secrets Engine, which the company described as a “major” addition to Vault’s Advanced Data Protection module, and which allows Vault to protect sensitive data such as SSNs and credit card numbers that “reside in untrusted or semi-trusted systems outside of Vault”. 

HashiCorp said the module supports “one-way (masking) and two-way transformations via data type protection” allowing it to handle use cases “typically addressed by tokenization, with high performance cryptography and the full suite of the Vault platform’s high availability and security features.”

Also enterprise-only in 1.4 are NetApp Enterprise Key Management Support and an improved disaster recovery workflow.

The former means Vault can serve as an external key manager for Data ONTAP, allowing it to protect keys for full disk encryption (FDE) “via NetApp Storage Encryption and at the volume-level via Volume Level Encryption”. The latter speeds up the promotion of a DR Secondary cluster should the DR Primary cluster be lost, through the creation of a DR Batch Token which “will allow the promotion of a DR Secondary without the need for the quorum keyholders.”

While companies often move enterprise features down their tiers over time, Amith Nair, VP of product marketing at HashiCorp, said this was unlikely with the newly introduced enterprise features. Disaster recovery, for example, was not really relevant to developers and practitioners, he said.

Other changes see the previously beta built-in storage engine – Integrated Storage – move to general availability, which the firm says should simplify deployment and operations of production Vault clusters. Customers can still use other storage backends – including Consul – if they wish.

There is also a new secrets engine, the OpenLDAP Secrets Engine, which allows Vault to manage existing OpenLDAP entities, while the addition of a Kerberos auth method allows the verification of applications and users via an existing Kerberos or SPNEGO environment.

The release comes a week after the company, which also develops Terraform, Nomad and Consul, joined the CNCF.

Nair said that it had already been working closely with the CNCF, but that joining the organisation gave its customers a sense of reassurance around issues like integration and early access to code.

There are no plans for any of HashiCorp’s own projects to move under the aegis of the CNCF, he said.