Vault unlocks first bolt of cloud key management, locks in integrated storage

HashiCorp Vault

Version 1.6 of HashiCorp’s secret management tool Vault is now ready for downloading, and treats enterprise users to a new key management secrets engine and automated storage snapshots.

While earlier versions already included the option of taking a snapshot of Vault’s state for backup and similar purposes, users can now configure the system to create those snapshots at regular intervals. Users are free to decide where the snapshots are stored (locally, in AWS S3, in an Azure blob or in Google GCS), how often they are created, how much local space they are allowed to occupy, and how many are retained before the oldest one is deleted.

Vault Enterprise contains a Transform Secrets Engine which is used to protect secrets stored outside Vault. To improve safety, the tool’s developers have fitted the engine with a technical preview of tokenization, a procedure that replaces sensitive data with an unrelated value (the so-called token) in such a way that the original value cannot be recovered from the token alone.

Another preview unleashed unto the enterprise customer-base is a key management secrets engine. Added to “help manage and securely distribute keys to various cloud KMS services”, the experimental feature still has some way to go, as it is currently only able to connect to Azure Key Vault. There, however, Vault is meant to automate key lifecycle operations such as writing and rotating keys, making it easier to use an organisation’s own keys on Microsoft’s cloud platform.

Though most of the more interesting improvements are exclusive to the enterprise variant of Vault, regular users get some useful features as well. Integrated storage, for example, now comes with a new capability to help servers join a Vault cluster automatically. The option, which is part of the retry_join stanza, is called auto_join; instead of a hard-coded leader address it discovers integrated storage peers and then uses them to join the cluster.
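The following is an added example of what the auto_join configuration described above looks like; it is not taken from the article or from HashiCorp’s documentation. The cloud provider, region, tag name, hostnames and file paths are constructed placeholders.

```hcl
# Added example (not from the article): a Vault 1.6 integrated-storage
# (raft) stanza whose retry_join block uses auto_join instead of a fixed
# leader_api_addr. The provider string uses go-discover syntax; the AWS
# region, tag name and tag value below are constructed placeholders.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-node-1"   # must be unique per server

  retry_join {
    # Discover peers by cloud tag rather than hard-coding their addresses.
    auto_join        = "provider=aws region=us-east-1 tag_key=vault-cluster tag_value=prod"
    auto_join_scheme = "https"   # default is https; do not downgrade to http
    auto_join_port   = 8200

    # Verify the discovered leader's certificate before joining it, so a
    # stray host carrying the same tag cannot pose as the cluster.
    leader_ca_cert_file   = "/etc/vault/tls/ca.pem"
    leader_tls_servername = "vault.example.internal"
  }
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/server.pem"
  tls_key_file  = "/etc/vault/tls/server-key.pem"
}

api_addr     = "https://vault-node-1.example.internal:8200"
cluster_addr = "https://vault-node-1.example.internal:8201"
```

Each server in the cluster gets the same retry_join block and only its own node_id, api_addr and cluster_addr differ.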

Version 1.6 also displays the number of active entities per month in the user interface’s metrics section, so that those wanting to get a better grasp of the tool’s usage have that information handy. Conveniently, the UI has also been fitted with a plugin discovery page to find official as well as especially helpful community plugins more quickly.

Other than that, Vault has learned to manage Couchbase credentials, supports custom password policies for all database engines, and allows migration from one automatic unseal mechanism to another of the same kind. Teams using GitHub or AWS Lambda, meanwhile, will be interested to learn about a new Vault GitHub Action and a Lambda Extension, which can be used to inject secrets into workflows or retrieve credentials.

A full list of new features and bugfixes is available via the project’s changelog.