DEC 04 2018 ANDY MANOSKE

今天, 我們很高興地宣布 hashicorp Vault1.0 的公開可用性。Vault 是一種用于管理機密和保護任何基礎結構和應用程序的敏感數據的工具。

Vault 1.0 專注于改造 Vault 的基礎設施, 以支持高性能、可擴展的工作負載。Vault 的1.0 版本的重要更新包括:

• 批量 Token：一種針對高性能、臨時工作負載優化的新型 Token。
• 開源云自動解封：基于云的自動解封現在是開源的。
• OpenAPI 支持：Vault 現在支持 OpenAPI 標準。
• 擴展的阿里云集成：擴展了對在阿里云環境中運行 Vault 的支持。
• 更新的用戶界面：對 Vault UI 進行重大更新, 以便于使用。
• GCP 云 KMS 秘密引擎：從 Vault 內管理 GCP CKMS 密鑰。

該版本還包括了其他新功能、安全工作流增強功能、一般改進和錯誤修復。Vault 1.0 更改日志提供了功能、增強功能和錯誤修復的完整列表。

Vault 1.0 是 Vault 團隊和 HashiCorp 作為一個整體的一個重要里程碑。Vault 是 HashiCorp 第四個達到1.0 的項目, 我們的今天是 HashiCorp 與更廣泛的開源社區近四年辛勤工作的結果。我們十分感謝社會人士的貢獻。像往常一樣, 感謝您的所有需求、想法、錯誤報告和支持。

批量 Token

批處理 Token 是一種支持臨時、高性能工作負載的新型令牌。這些 Token 不會寫入磁盤, 從而顯著降低了 Vault 中任何操作的性能成本。

作為折中, 批處理 Token 不是持久的, 不應用于任何類型的長期或正在進行的操作, 也不應用于在 Vault 群集出現故障或停機時需要該令牌彈性時的任何操作。

批處理令牌的短暫性質使其非常適合大批量的單用途操作 (如使用 transit 秘密引擎), 但不適合諸如永久訪問 K/V 引擎中的機密等操作。

開源云自動解封

在 Vault 1.0 中, 我們開放開源云自動解封功能, 允許 Vault 的所有用戶利用云服務, 如 AWS KMS、Azure Key Vault 和 GCP CKMS 來管理 Vault 的解封過程。

我們決定開放開源云自動解封功能, 以為所有用戶簡化存儲和重新組合 Shamir 鑰匙的過程。雖然我們最初認為云自動取消密封只是企業合規性的需求, 但我們在與社區合作時意識到, 自動取消密封更多的是為了方便使用, 而不是合規性要求。

需要注意的是, 基于 HSM 的自動解封 (通過 PKCS#11 標準) 和S eal-Wrap 將繼續保留在 Vault 企業版中的功能。這兩個功能的部署通常都符合政府和法規遵從性要求, 因此與企業用例保持一致。

OpenAPI

Vault 1.0 現在支持 Open API 倡議的 OpenAPI 標準, 加入了許多其他主要的開源項目, 為其 API 調用提供了與供應商無關的描述格式。

使用/sys/internal/specs/openapi終結點, Vault 可以生成一個 OpenAPI v3 文檔, 描述給定 Token 權限的已裝入后端和終結點功能。

更新的用戶界面

Vault 1.0 的版本已看到 Vault UI 更新的重要。其中包括向導, 以幫助將新用戶引入用于配置 Vault 和存儲機密的常見 Vault 工作流, 更新了用戶如何安裝 auth 方法和秘密引擎的頁面, 支持在 K/V v2 機密引擎中管理關鍵版本控制, 以及主機的其他更新, 以幫助確保 Vault 幾乎可以完全地從 Vault UI 中部署、初始化和管理。

1.0 是 Vault UI 團隊在過去幾個主要版本中大量工作的結晶。我們將在即將發布的博客文章中發布一個深度介紹 ui 團隊的工作, 以及 Vault 以圖形方式配置和管理工作流的能力。

擴展的阿里云集成

Vault 1.0 擴展了使用阿里云和在阿里云中操作 Vault 的功能。阿里云 KMS 現在作為 Seal-Wrap 和自動解封目標得到支持, 阿里云 Auth 方法現在是 Vault 代理中 Auto Auth 的支持接口。

GCP CKMS 秘密引擎

Vault 1.0 發布了一個新的機密引擎, 用于管理 Google 云平臺的云密鑰管理系統中的加密操作。此接口允許在外部 GCP CKMS 系統中進行類似于傳輸的解密加密操作、密鑰創建和密鑰管理。

其他功能

Vault 1.0 中有許多新功能是在 0.11. x 版本過程中開發的。我們總結了以下幾個較大的功能, 詳情可參考更改日志：

• AWS 秘密引擎根證書旋轉：AWS 秘密引擎使用的證書現在可以旋轉, 以確保只有 Vault 知道它所使用的證書。
• 存儲后端遷移：新的操作員遷移命令允許在兩個存儲后端之間脫機遷移數據。
• Transit Key 修剪：現在可以修剪 Transit 秘密引擎中的密鑰, 以刪除舊的未使用密鑰版本。
• 復制速度改進 (Vault 企業版)：Vault 的復制系統已進行了大修, 以顯著提高性能。

升級詳細信息

Vault 1.0 引入了重要的新功能。因此, 我們提供常規升級說明和 Vault 1.0 特定的升級頁面.

與往常一樣, 我們建議在隔離環境中升級和測試此版本。如果您遇到任何問題, 請在 Vault GitHub 問題跟蹤器上報告或發布到 Vault 郵件列表.

有關 HashiCorp Vault 企業的詳細信息, 請訪問https://www.hashicorp.com/products/vault。用戶可以在https://www.vaultproject.io下載 Vault 的開源版本.

此外, 請查看 Vault 1.0 之旅。

我們希望您喜歡 Vault 1.0!

【原文】HashiCorp Vault 1.0

DEC 04 2018 ANDY MANOSKE

Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application.

Vault 1.0 is focused on renovating Vault's infrastructure to support high performance, scalable workloads. The 1.0 release of Vault includes significant new functionality including:

• Batch Tokens: A new type of token optimized for high performance, ephemeral workloads.
• Open Source Cloud Auto Unseal: Cloud-based auto unseal is now open source.
• OpenAPI Support: Vault now supports the OpenAPI standard.
• Expanded Alibaba Cloud Integration: Expanded support for running Vault on Alibaba Cloud environments.
• Updated UI: Significant updates to the Vault UI for better ease of use.
• GCP Cloud KMS Secrets Engine: Manage GCP CKMS keys from within Vault.

The release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.0 changelog provides a full list of features, enhancements, and bug fixes.

Vault 1.0 is a major milestone for the Vault team and HashiCorp as a whole. Vault is the fourth HashiCorp project to reach 1.0, and where we are today is the result of nearly four years of hard work between HashiCorp and the broader open source community. We are immensely grateful to the community for their contributions. As always, thank you for all of your pull requests, ideas, bug reports, and support.

Batch Tokens

Batch tokens are a new type of token that support ephemeral, high performance workloads. These tokens do not write to disk, significantly reducing the performance cost of any operation within Vault.

As a trade off, batch tokens are not persistent and should not be used for any kind of long-lived or ongoing operation or any operation that requires resiliency of that token in the face of the failure or downtime of the Vault cluster.

The ephemeral nature of batch tokens makes them well suited for large batches of single-purpose operations such as use of the transit secret engine, but ill suited for operations such as persistent access for secrets within a K/V engine.

Open Source Cloud Auto Unseal

In Vault 1.0, we are open sourcing Cloud Auto Unseal, allowing for all users of Vault to leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS to manage the unseal process for Vault.

We decided to open source Cloud Auto Unseal to simplify the process of storing and reassembling Shamir's keys for all users. While we originally thought cloud auto-unseal was just an enterprise compliance need, we've realized in working with the community that auto-unseal is more for ease of use than compliance requirements.

It is important to note that HSM-based Auto Unseal (via the PKCS#11 standard) and Seal-Wrap will continue to remain features within Vault Enterprise. Both of these features are typically deployed to conform with government and regulatory compliance requirements, and thus are aligned with enterprise use cases.

OpenAPI

Vault 1.0 now supports the Open API Initiative's OpenAPI standard, joining a host of other major open source projects in providing a vendor-neutral description format for its API calls.

With the /sys/internal/specs/openapi endpoint, Vault can generate an OpenAPI v3 document that describes mounted backends and endpoint capabilities for a given token's permissions.

Updated UI

The releases leading up to 1.0 have seen significant updates to the Vault UI. These include wizards to help introduce new users to common Vault workflows for configuring Vault and storing secrets, updated screens for how users mount auth methods and secret engines, support for managing key versioning within the K/V v2 secrets engine, and a host of other updates to help ensure that Vault can almost completely be deployed, initialized, and managed from within the Vault UI.

1.0 is the culmination of a very significant amount of work from the Vault UI team over the last few major releases. We will publish a deep dive highlighting the UI team's work, and Vault's ability to be configured and manage workflows graphically, in an upcoming blog post.

Expanded Alibaba Cloud Integration

Vault 1.0 expands on features for operating Vault with and within Alibaba Cloud. Alibaba Cloud KMS is now supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud Auth Method is now a supported interface for Auto Auth within Vault Agent.

GCP CKMS Secret Engine

Vault 1.0 sees the release of a new secrets engine for managing cryptographic operations within Google Cloud Platform's Cloud Key Management System. This interface allows for transit-like decrypt/encrypt operations, key creation, and key management within external GCP CKMS systems.

Other Features

There are many new features in Vault 1.0 that have been developed over the course of the 0.11.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:

• AWS Secret Engine Root Credential Rotation: The credential used by the AWS secret engine can now be rotated, to ensure that only Vault knows the credentials it is using.
• Storage Backend Migrator: A new operator migrate command allows offline migration of data between two storage backends.
• Transit Key Trimming: Keys in transit secret engine can now be trimmed to remove older unused key versions.
• Replication Speed Improvements (Vault Enterprise): Vault's replication system has been overhauled to dramatically improve performance.

Upgrade Details

Vault 1.0 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.0-specific upgrade page.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault mailing list.

For more information about HashiCorp Vault Enterprise, visit https://www.hashicorp.com/products/vault. Users can download the open source version of Vault at https://www.vaultproject.io.

Also, check out the Journey to Vault 1.0 by Armon.

We hope you enjoy Vault 1.0!