Announcing HashiCorp Vault 1.6

We are pleased to announce the general availability of HashiCorp Vault 1.6. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.

In this release, we added enhancements to Integrated Storage, added the ability of tokenizing sensitive data to the Transform Secrets Engine, made web UI improvements, and added a new Key Management Secret Engine.

This release includes the following key features and improvements:

• Integrated Storage Cloud Auto-Join: Auto-discover integrated storage peers when working in a cloud environment that can be used by new Vault nodes to automatically join a Vault cluster.
• Integrated Storage Snapshots (Enterprise): Take automated snapshots of the Vault clusters Integrated Storage backend.
• Transform Secrets Engine - Tokenization (Enterprise Tech Preview): The Transform Secrets Engine now supports tokenization to replace sensitive data with unique non-reversible values that are unrelated to the original value in any algorithmic sense.
• Transform UI: Configure FPE and Masking transformations with the new Transform UI, including custom alphabets and patterns for FPE.
• Key Management Secrets Engine (Enterprise Tech Preview): New Key Management Secrets Engine, to manage and securely distribute keys to various cloud key management system (KMS) services. During the tech preview only Azure is supported but we plan to support all major cloud providers shortly.
• Seal Migration: Support for migrating from an auto unseal mechanism to a different mechanism of the same type. For example, if you were using an AWS KMS key to automatically unseal, you can now migrate to a different AWS KMS key.

This release also includes many additional new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.6 changelog provides a list of all changes.

»Integrated Storage Enhancements

We introduced Integrated Storage in Vault 1.2, which allows Vault admins to configure an internal storage option for storing Vault’s persistent data rather than using an external storage backend. With each release, we continue to improve the operational experience and we are pleased to announce two highly requested features:

• Cloud auto-join: Added feature to retry_join, which helps servers automatically join a Vault cluster. This, in addition to working with static IPs (like retry_join), also helps with other discovery mechanisms, such as cloud metadata. We also have a detailed learn guide that explains the auto-join feature.
• Snapshot Agent (for backup and restore): Added an Enterprise command to start a process that takes snapshots of the state of the Vault (Integrated Storage) servers and saves them locally, or pushes them to an optional remote storage service. We also have a detailed learn guide that explains the snapshot feature.

For more information on either of these Integrated Storage enhancements, please see our documentation and a detailed Learn Guide.

»Tokenization Support for Transform Secrets Engine

With Vault 1.6, we added Tokenization support as a technical preview, as well as a way to configure FPE and data masking transformations through the Transform web UI. The Transform Secrets Engine is an Advanced Data Protection (ADP) feature and part of Vault Enterprise used to protect secrets that reside in untrusted or semi-trusted systems outside of Vault through the use of one-way (masking) and two-way transformations via data type protection transformation.

Tokenization can replace sensitive data with unique values (tokens) that are unrelated to the original value in any algorithmic sense. Tokenization is a stateful procedure to facilitate mapping between tokens and various cryptographic values (one-way hash function of the token, encrypted metadata, etc.) including the encrypted plaintext itself.

For more information on Transform Secret Engine, please see our documentation, and a detailed Learn Guide.

»Key Management Secrets Engine

Many cloud providers offer a key management system (KMS), where encryption keys can be issued and stored, for maintaining a root of trust. However, this often leads to manual work when you are looking to bring your own keys so we added a new Key Management Secrets Engine as a technical preview to help manage and securely distribute keys to various cloud KMS services.

This new Key Management Secrets Engine is in technical preview, and only supports Azure at the moment, but we plan to support all major cloud providers shortly. Using this new feature you can use Vault to connect to and manage Azure’s Key Vault, for automating many lifecycle operations, such as writing, reading, updating, and rotating keys. This should greatly simplify the process of bringing your own keys to a cloud provider and managing the lifecycle of those keys.

For more information on Key Management Secrets Engine, please see our documentation and a detailed Learn Guide.

»Other Features

There are many new features in Vault 1.6 that have been developed over the course of the 1.5.x releases. For many of these features you can learn more using detailed hands-on learn guides through the HashiCorp Learn site. We have summarized a few of the larger features below, and you can consult the changelog for full details:

• Linux Repository & Homebrew Packages for Vault: We launched official packages for both Debian and RPM as well as support for Homebrew Tap. Having these packages will provide users with a better installation and upgrade experience.
• Plugin Discovery: Added a plugin discovery page that contains a curated collection of official, partner, and community Vault plugins.
• Vault Secrets in Github Actions: The Vault GitHub Action allows you to take advantage of secrets sourced from your Vault infrastructure for things like static and dynamic secrets and inject these secrets into your GitHub workflows (see our learn guide).
• AWS Lambda Extensions: Similar to the above GitHub Actions, the Vault Lambda Extensions allows for Lambda functions to securely retrieve credentials from a Vault cluster and thus allowing Lambda functions to be Vault unaware.
• Vault Usage Metrics: Vault now counts the number of active entities (and non-entity tokens) per month and makes this information available via the "Metrics" section of the UI (see our learn guide).
• Password Policies: We will extend Password Policies to support all databases so that generated passwords will conform to certain character set rules (see our learn guide).
• Couchbase Database Support: Vault can now manage static and dynamic credentials for Couchbase.
• Transform support in Spring Vault: Extend Spring Vault by adding Transform endpoint support.
• Dropped Support for 32-bit for Darwin Binary: Vault 1.6 will use go 1.15, which has dropped support for 32-bit binaries for Darwin, so we will no longer be issuing darwin_386 builds of Vault.

»Upgrade Details

Vault 1.6 introduces significant new functionality. As such, please review the general upgrade instructions page for details.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found here.

For more information about Vault Enterprise, visit hashicorp.com/products/vault. Users can download the open source version of Vault at vaultproject.io.

We hope you enjoy Vault 1.6.