Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News HashiCorp Vault Adds Tokenization and Auto-Join Features

HashiCorp Vault Adds Tokenization and Auto-Join Features

This item in japanese

HashiCorp has released Vault 1.6, introducing a number of new features to their secrets and identity management platform. Cloud auto-join builds upon the previously released integrated storage feature and facilitates automatically attaching new Vault nodes to the cluster. The transform secrets engine now supports tokenization to better secure data stored outside of Vault. Additional features include integration with cloud providers' key management services and support for seal migration.

Integrated storage was introduced to Vault in version 1.2. It allows for Vault administrators to configure an internal storage option for Vault's persistent data, as opposed to leveraging an external storage backend. Integrated Storage stores the data on the Vault server's filesystem and leverages a consensus protocol to synchronise each server in the cluster. The new cloud auto-join feature allows for automatically joining nodes to the cluster either via the config file or through the API.

Vault architecture leveraging integrated storage

Vault architecture leveraging integrated storage (credit: HashiCorp)


Via the config, the new auto_join property can be used which takes as input the cloud provider's specific configuration. With this enabled, Vault will attempt to discover and resolve the potential leader address (unlike the leader_api_addr config which requires explicit knowledge of the leader IP address). For example, in AWS, when leveraging EC2, auto-join could be enabled via tags on the EC2 instance.

storage "raft" {
  path = "/vault/vault_4"
  node_id = "vault_4"

  retry_join {
    auto_join = "provider=aws addr_type=public_v4 tag_key=cluster_name tag_value=raft-test region=us-east-1"
    auto_join_scheme = "http"

More details on the format for auto_join can be found in the go-discover README. By default, Vault will use HTTPS and port 8200 for discovery. These can be overridden using the auto_join_scheme and auto_join_port fields respectively.

Within Vault enterprise, it is now possible to schedule snapshots of Vault's storage. By default, the snapshots are stored locally in a directory named raft-backup, however it is possible to have snapshots pushed to a remote storage service. Up to five snapshots can be retained locally with each snapshot requiring 1GB of data. To set up a configuration that takes a snapshot every 24 hours, the following CLI command can be leveraged:

vault write sys/storage/raft/snapshot-auto/config/daily interval="24h" retain=5 path_prefix="raft-backup" storage_type="local" local_max_space=1073741824

Support for tokenization has been added as a tech preview for Vault enterprise with the advanced data protection module. Tokenization can be used to replace sensitive data with unique, non-reversible values that are completely distinct from the original value. The release also includes a new transform web UI to assist in configuring data masking transformations and format preserving encryption (FPE).

Also in tech preview for the enterprise edition of Vault, the key management secrets engine simplifies management and distribution of keys to public cloud provider's key management services (KMS). At the time of release, only Azure's Key Vault is supported. The service is designed to automate the lifecycle operations such as writing, reading, updating, and rotating keys specifically for customer provided keys.

More details on these and other changes included in this release can be found within the release post and changelog. An upgrade guide is available to assist in the process of upgrading existing clusters. Vault can be found either as open-source or in an enterprise edition.

Rate this Article