Announcing HashiCorp Vault 1.9

We are pleased to announce the general availability of HashiCorp Vault 1.9. Vault provides secrets management, data encryption, and identity management for any application on any infrastructure.

Vault 1.9 focuses on improving Vault’s core workflows and making key features production-ready to better serve your use cases. In this release, we added the ability for Vault to act as an OpenID Connect (OIDC) provider, made improvements to the Transform data transformation feature, released Google Cloud KMS support for the key management secrets engine, and made many other improvements across the project.

This release includes several key features and improvements:

• Vault as an OIDC provider (tech preview): Support for Vault to act as an OIDC provider so that applications can leverage pre-existing Vault identities for authN into their applications.
• Key management secrets engine for Google Cloud (Enterprise): Google Cloud KMS support — now generally available — to assist with automating many lifecycle operations.
• KV secrets engine v2 patch operations (tech preview): A patch secrets ability for creating a new version of an existing secret without reading the contents of its data.
• Transparent Data Encryption for MSSQL (Enterprise): Support for Vault to manage encryption keys for Transparent Data Encryption (TDE) on MSSQL servers.
• Advanced I/O handling for Transform FPE (Enterprise): Support for transformation templates, which can encode data that may have an optional prefix, dashes, or spaces.
• Namespace API lock (Enterprise): A break-glass procedure to block API access to a specific namespace via new vault namespace lock and vault namespace unlock commands.
• KV secrets engine v2 custom metadata: The ability to set custom metadata for Vault KV v2 secrets via a map structure.
• PKI secrets engine: Updates to the PKI secrets engine UI that display certificate metadata for common names, issue dates, expiration dates, and serial numbers.
• User interface updates: Support for the database secrets engines web UI for Oracle, ElasticSearch, and PostgreSQL.
• Login() support for Go client library: A new backwards-compatible Login function to the Go client library for Vault API, which includes support for Kubernetes, AppRole, Userpass, Amazon Web Services, Microsoft Azure, and Google Cloud authentication methods.
• Custom HTTP response headers: Support for user-defined custom response headers for the root path (/) and API endpoint (/v1/*).
• Client count improvements: UI improvements for displaying clients per namespace, a data export option, and an option to view client totals earlier than month’s end.

This release also includes more new features, workflow enhancements, general improvements, and bug fixes. The Vault 1.9 changelog and release notes list all the changes. Please visit the Vault Learn page for step-by-step tutorials demonstrating the new features.

»Vault as an OIDC Provider (Tech Preview)

OpenID Connect (or OIDC) is an open standard that provides an identity layer on top of OAuth to verify user identity against an authorization server. The OIDC workflow typically involves a user wanting to login to a secure system. Their browser is redirected to an external OIDC identity provider, they complete login against this third-party provider, and they are routed back once they are authenticated. Vault currently supports single sign-on (SSO) with OIDC providers such as Active Directory, Auth0, Google, Okta, and others.

With this release, Vault can now act as an OIDC provider itself, allowing applications to leverage pre-existing Vault identities for delegating authentication and authorization into their applications. For example, HashiCorp Boundary is utilizing Vault as an OIDC provider for delegated authN. This feature has been released as a tech preview so we can gather feedback from the community before finalizing the API.

For more information on Vault as an OIDC provider, please see the Vault documentation on the identity secrets engine (API) and detailed Learn Guide.

»Custom Template Format with Transform

Transform is a Vault Enterprise feature that lets Vault use data transformations and tokenization to protect secrets residing in untrusted or semi-trusted systems. This includes protecting data such as social security numbers, credit card numbers, and other types of compliance-regulated data. Oftentimes, data must reside within file systems or databases for performance but must be protected in case the system in which it resides is compromised. Transform is built for these kinds of use cases.

With Vault 1.9, we added support for advanced encoding and decoding template customizations for data such as Social Security or credit card numbers, where you might want to use format-preserving-encryption (FPE) to preserve whitespace or dash characters. You can now use the new encode_format field to specify what the encoded output should look like. Here is an example of a template for encoding Social Security numbers using a regex that can handle a prefix, whitespace, or dashes:

 vault write transform/template/us-ssn-tmpl \
     type=regex \
     pattern='(?:SSN[: ]?|ssn[: ]?)?(\d{3})[- ]?(\d{2})[- ]?(\d{4})' \
     encode_format='$1-$2-$3' \
     alphabet=builtin/numeric

For more information on advanced handling with Transform, please see our documentation on the Transform secrets engine and detailed Learn Guide.

»Transparent Data Encryption for Microsoft SQL Server

Protecting sensitive data at rest is a fundamental task for database administrators that enables many organizations to follow industry best practices and comply with regulatory requirements. Transparent Data Encryption (TDE) for Microsoft SQL Server performs real-time data and log file encryption and decryption transparently to end user applications.

When using TDE to protect sensitive data, it is critical to manage the keys doing the encryption and decryption or your data could be unrecoverable. These database encryption keys (DEKs), can be protected by asymmetric key encryption keys (KEKs), managed by Vault's Transit secrets engine using SQL Server's Extensible Key Management (EKM). How this works is that you download and install a Vault EKM provider that gets installed on the Microsoft SQL Server, which then enables you to protect these encryption keys using an external Vault Enterprise cluster.

For more information on using Vault as an external EKM provider for SQL Server please see our documentation.

»Key Management Secrets Engine

Many cloud providers offer a key management service (KMS), where encryption keys can be issued and stored for maintaining a root of trust. The key management secrets engine provides an API abstraction layer and offers a standardized workflow for distribution and lifecycle management of cryptographic keys in various KMS providers. It allows organizations to greatly simplify the lifecycle management of keys Vault has distributed and maintains centralized control of those keys in Vault, while still taking advantage of cryptographic capabilities native to the KMS providers.

In addition to supporting both AWS KMS and Microsoft Azure Key Vault, we are happy to announce that the key management secrets engine is now also ready for production use with Google Cloud KMS. This feature lets you use Vault to manage keys in Google Cloud KMS for automating many lifecycle operations, such as creation, reading, updating, and rotating keys. This greatly simplifies the process of bringing your own keys to a cloud provider and managing the lifecycle of those keys.

For more information on the key management secrets engine, please see the key management secrets engine documentation and detailed Learn Guide.

»Other Features

There are many new features in Vault 1.9 that have been developed over the course of the 1.8.x releases. You can learn more about how to use these features in detailed, hands-on Learn Guides on the HashiCorp Learn site. We have summarized a few of the larger features here, consult the changelog for full details:

• Vault Terraform provider: We upgraded the Vault Terraform provider to the latest version of the Terraform Plugin SDKv2 to leverage new features.
• Microsoft Azure secrets engine: We added a use_microsoft_graph_api configuration parameter for using Microsoft Graph API, since the Azure Active Directory API is being removed on June 30, 2022.

»Upgrade Details

Vault 1.9 introduces significant new functionality. As such, please review the general upgrade instructions page, as well as the deprecation and plans page for further details.

As always, we recommend upgrading and testing new releases in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose it by emailing security@hashicorp.com — do not use the public issue tracker. For more information, please consult our security policy and our PGP key.

For more information about Vault Enterprise, visit hashicorp.com/products/vault. You can download the open source version of Vault at vaultproject.io.

We hope you enjoy HashiCorp Vault 1.9.