Published on November 16th, 2019

HashiCorp Vault 1.3 adds new debugging command & more



HashiCorp Vault 1.3 changes

The announcement blog reads:

Vault 1.3 is focused on improving Vault’s ability to serve as a platform for credential management workloads for services such as Active Directory and Kubernetes and support global multi-cloud operations with high performance, compliance-regulated workloads.

From the changelog, some of the important changes this time around:

Vault Debug command

The new CLI command vault debug gathers up debugging metrics about a Vault node’s health. This information includes replication status, server status, host information, available memory, server state, etc.

Users can share the metrics with support and engineering teams.

Be aware that the vault debug archive does not natively encrypt information. Because the archive may contain sensitive information, users should exercise caution and only transmit it over encrypted channels.

Read more about the feature in the documentation.
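One way to act on that warning is to encrypt the archive for a single recipient before it leaves the node. The script below is an added example, not code from HashiCorp or from the original article; it assumes openssl is installed and that the recipient's X.509 certificate was obtained out of band, and the file names and the seal_debug_archive helper are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): seal a `vault debug` archive for one
# recipient before it leaves the Vault node.
# Assumptions: openssl is installed; the recipient's X.509 certificate (PEM)
# was obtained out of band. File names below are placeholders.
#
# On the node, capture with a restrictive umask, then seal:
#   umask 077
#   vault debug -duration=1m -interval=10s -output=vault-debug.tar.gz
#   seal_debug_archive vault-debug.tar.gz recipient-cert.pem

# seal_debug_archive ARCHIVE RECIPIENT_CERT
# Writes ARCHIVE.p7m (CMS envelope, AES-256) that only the holder of the
# certificate's private key can open, records its SHA-256 in
# ARCHIVE.p7m.sha256, removes the plaintext, and prints the sealed path.
seal_debug_archive() {
    sda_archive=$1
    sda_cert=$2
    sda_sealed="$sda_archive.p7m"

    [ -f "$sda_archive" ] || { echo "no such archive: $sda_archive" >&2; return 1; }
    # -checkend 0 fails for an unreadable, malformed or already expired cert.
    openssl x509 -in "$sda_cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "unusable recipient certificate: $sda_cert" >&2; return 1; }

    # Encrypt in a subshell so the tightened umask does not leak to the caller.
    ( umask 077
      openssl smime -encrypt -binary -aes256 -outform DER \
          -in "$sda_archive" -out "$sda_sealed" "$sda_cert" ) ||
        { rm -f "$sda_sealed"; echo "encryption failed" >&2; return 1; }

    # Digest of the ciphertext, to be confirmed with the recipient separately.
    openssl dgst -sha256 -r "$sda_sealed" > "$sda_sealed.sha256" || return 1

    # Drop the plaintext only after the sealed copy exists and is non-empty.
    [ -s "$sda_sealed" ] || return 1
    rm -f "$sda_archive"
    printf '%s\n' "$sda_sealed"
}

# Run as a script: seal.sh ARCHIVE RECIPIENT_CERT
if [ "$#" -eq 2 ]; then
    seal_debug_archive "$1" "$2"
fi
```

The recipient opens the file with openssl smime -decrypt -binary -inform DER and their private key. Sealing the archive protects its contents in transit and at rest, but the channel should still be encrypted as the article advises.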


Integrated storage beta improvements

Vault 1.3 introduces some beta improvements to Vault’s integrated storage. The improvements include:

  • Non-voter nodes
  • Secure recovery mode for emergencies
  • UI improvements for integrated storage and snapshot management
  • Backend improvements for better stability

Since the integrated storage feature is in beta, users should not use it in production workloads.





Enterprise additions

Customers of the enterprise version receive two new features.


  • Entropy Augmentation: This allows Vault to sample entropy. From the release blog: “Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module.” This feature is disabled by default.
  • Filtered Path Replication: This feature is based upon Filter Mount Replication, which was added in Vault 0.8. Users can now specify path filters, and can filter namespaces as well as mounts.

View the full list of all changes and fixes in the GitHub changelog.

How secure is Vault?

What about “quantum threats”?

Fear not, Vault has been keeping up. A blog post by Andy Manoske delves deep into how Vault will protect against quantum computers, which continue to grow and become more of a potential security issue.

Quantum mechanics isn’t confined to the physics classroom or thought experiments anymore. With quantum computers, attackers can exploit known algorithms to speed up attacks. Efforts against these threats include lattice-based cryptography and ring learning with errors key exchange, which aim to resist quantum computers and provide post-quantum security. (Not to mention that the reports have amazing titles, such as “Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE”.)

Meanwhile, HashiCorp Vault has been tracking the situation. According to Manoske:

Vault’s mission is to secure any kind of information for any kind of infrastructure. As quantum computing becomes part of the infrastructure stack, and quantum threats become part of one’s threat model, we stand ready to adopt new technology in support of our ongoing mission.


