DEC 04 2018 ANDY MANOSKE

今天, 我们很高兴地宣布 hashicorp Vault1.0 的公开可用性。Vault 是一种用于管理机密和保护任何基础结构和应用程序的敏感数据的工具。

Vault 1.0 专注于改造 Vault 的基础设施, 以支持高性能、可扩展的工作负载。Vault 的1.0 版本的重要更新包括:

• 批量 Token：一种针对高性能、临时工作负载优化的新型 Token。
• 开源云自动解封：基于云的自动解封现在是开源的。
• OpenAPI 支持：Vault 现在支持 OpenAPI 标准。
• 扩展的阿里云集成：扩展了对在阿里云环境中运行 Vault 的支持。
• 更新的用户界面：对 Vault UI 进行重大更新, 以便于使用。
• GCP 云 KMS 秘密引擎：从 Vault 内管理 GCP CKMS 密钥。

该版本还包括了其他新功能、安全工作流增强功能、一般改进和错误修复。Vault 1.0 更改日志提供了功能、增强功能和错误修复的完整列表。

Vault 1.0 是 Vault 团队和 HashiCorp 作为一个整体的一个重要里程碑。Vault 是 HashiCorp 第四个达到1.0 的项目, 我们的今天是 HashiCorp 与更广泛的开源社区近四年辛勤工作的结果。我们十分感谢社会人士的贡献。像往常一样, 感谢您的所有需求、想法、错误报告和支持。

批量 Token

批处理 Token 是一种支持临时、高性能工作负载的新型令牌。这些 Token 不会写入磁盘, 从而显著降低了 Vault 中任何操作的性能成本。

作为折中, 批处理 Token 不是持久的, 不应用于任何类型的长期或正在进行的操作, 也不应用于在 Vault 群集出现故障或停机时需要该令牌弹性时的任何操作。

批处理令牌的短暂性质使其非常适合大批量的单用途操作 (如使用 transit 秘密引擎), 但不适合诸如永久访问 K/V 引擎中的机密等操作。

开源云自动解封

在 Vault 1.0 中, 我们开放开源云自动解封功能, 允许 Vault 的所有用户利用云服务, 如 AWS KMS、Azure Key Vault 和 GCP CKMS 来管理 Vault 的解封过程。

我们决定开放开源云自动解封功能, 以为所有用户简化存储和重新组合 Shamir 钥匙的过程。虽然我们最初认为云自动取消密封只是企业合规性的需求, 但我们在与社区合作时意识到, 自动取消密封更多的是为了方便使用, 而不是合规性要求。

需要注意的是, 基于 HSM 的自动解封 (通过 PKCS#11 标准) 和S eal-Wrap 将继续保留在 Vault 企业版中的功能。这两个功能的部署通常都符合政府和法规遵从性要求, 因此与企业用例保持一致。

OpenAPI

Vault 1.0 现在支持 Open API 倡议的 OpenAPI 标准, 加入了许多其他主要的开源项目, 为其 API 调用提供了与供应商无关的描述格式。

使用/sys/internal/specs/openapi终结点, Vault 可以生成一个 OpenAPI v3 文档, 描述给定 Token 权限的已装入后端和终结点功能。

更新的用户界面

Vault 1.0 的版本已看到 Vault UI 更新的重要。其中包括向导, 以帮助将新用户引入用于配置 Vault 和存储机密的常见 Vault 工作流, 更新了用户如何安装 auth 方法和秘密引擎的页面, 支持在 K/V v2 机密引擎中管理关键版本控制, 以及主机的其他更新, 以帮助确保 Vault 几乎可以完全地从 Vault UI 中部署、初始化和管理。

1.0 是 Vault UI 团队在过去几个主要版本中大量工作的结晶。我们将在即将发布的博客文章中发布一个深度介绍 ui 团队的工作, 以及 Vault 以图形方式配置和管理工作流的能力。

扩展的阿里云集成

Vault 1.0 扩展了使用阿里云和在阿里云中操作 Vault 的功能。阿里云 KMS 现在作为 Seal-Wrap 和自动解封目标得到支持, 阿里云 Auth 方法现在是 Vault 代理中 Auto Auth 的支持接口。

GCP CKMS 秘密引擎

Vault 1.0 发布了一个新的机密引擎, 用于管理 Google 云平台的云密钥管理系统中的加密操作。此接口允许在外部 GCP CKMS 系统中进行类似于传输的解密加密操作、密钥创建和密钥管理。

其他功能

Vault 1.0 中有许多新功能是在 0.11. x 版本过程中开发的。我们总结了以下几个较大的功能, 详情可参考更改日志：

• AWS 秘密引擎根证书旋转：AWS 秘密引擎使用的证书现在可以旋转, 以确保只有 Vault 知道它所使用的证书。
• 存储后端迁移：新的操作员迁移命令允许在两个存储后端之间脱机迁移数据。
• Transit Key 修剪：现在可以修剪 Transit 秘密引擎中的密钥, 以删除旧的未使用密钥版本。
• 复制速度改进 (Vault 企业版)：Vault 的复制系统已进行了大修, 以显著提高性能。

升级详细信息

Vault 1.0 引入了重要的新功能。因此, 我们提供常规升级说明和 Vault 1.0 特定的升级页面.

与往常一样, 我们建议在隔离环境中升级和测试此版本。如果您遇到任何问题, 请在 Vault GitHub 问题跟踪器上报告或发布到 Vault 邮件列表.

有关 HashiCorp Vault 企业的详细信息, 请访问https://www.hashicorp.com/products/vault。用户可以在https://www.vaultproject.io下载 Vault 的开源版本.

此外, 请查看 Vault 1.0 之旅。

我们希望您喜欢 Vault 1.0!

【原文】HashiCorp Vault 1.0

DEC 04 2018 ANDY MANOSKE

Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application.

Vault 1.0 is focused on renovating Vault's infrastructure to support high performance, scalable workloads. The 1.0 release of Vault includes significant new functionality including:

• Batch Tokens: A new type of token optimized for high performance, ephemeral workloads.
• Open Source Cloud Auto Unseal: Cloud-based auto unseal is now open source.
• OpenAPI Support: Vault now supports the OpenAPI standard.
• Expanded Alibaba Cloud Integration: Expanded support for running Vault on Alibaba Cloud environments.
• Updated UI: Significant updates to the Vault UI for better ease of use.
• GCP Cloud KMS Secrets Engine: Manage GCP CKMS keys from within Vault.

The release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.0 changelog provides a full list of features, enhancements, and bug fixes.

Vault 1.0 is a major milestone for the Vault team and HashiCorp as a whole. Vault is the fourth HashiCorp project to reach 1.0, and where we are today is the result of nearly four years of hard work between HashiCorp and the broader open source community. We are immensely grateful to the community for their contributions. As always, thank you for all of your pull requests, ideas, bug reports, and support.

Batch Tokens

Batch tokens are a new type of token that support ephemeral, high performance workloads. These tokens do not write to disk, significantly reducing the performance cost of any operation within Vault.

As a trade off, batch tokens are not persistent and should not be used for any kind of long-lived or ongoing operation or any operation that requires resiliency of that token in the face of the failure or downtime of the Vault cluster.

The ephemeral nature of batch tokens makes them well suited for large batches of single-purpose operations such as use of the transit secret engine, but ill suited for operations such as persistent access for secrets within a K/V engine.

Open Source Cloud Auto Unseal

In Vault 1.0, we are open sourcing Cloud Auto Unseal, allowing for all users of Vault to leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS to manage the unseal process for Vault.

We decided to open source Cloud Auto Unseal to simplify the process of storing and reassembling Shamir's keys for all users. While we originally thought cloud auto-unseal was just an enterprise compliance need, we've realized in working with the community that auto-unseal is more for ease of use than compliance requirements.

It is important to note that HSM-based Auto Unseal (via the PKCS#11 standard) and Seal-Wrap will continue to remain features within Vault Enterprise. Both of these features are typically deployed to conform with government and regulatory compliance requirements, and thus are aligned with enterprise use cases.

OpenAPI

Vault 1.0 now supports the Open API Initiative's OpenAPI standard, joining a host of other major open source projects in providing a vendor-neutral description format for its API calls.

With the /sys/internal/specs/openapi endpoint, Vault can generate an OpenAPI v3 document that describes mounted backends and endpoint capabilities for a given token's permissions.

Updated UI

The releases leading up to 1.0 have seen significant updates to the Vault UI. These include wizards to help introduce new users to common Vault workflows for configuring Vault and storing secrets, updated screens for how users mount auth methods and secret engines, support for managing key versioning within the K/V v2 secrets engine, and a host of other updates to help ensure that Vault can almost completely be deployed, initialized, and managed from within the Vault UI.

1.0 is the culmination of a very significant amount of work from the Vault UI team over the last few major releases. We will publish a deep dive highlighting the UI team's work, and Vault's ability to be configured and manage workflows graphically, in an upcoming blog post.

Expanded Alibaba Cloud Integration

Vault 1.0 expands on features for operating Vault with and within Alibaba Cloud. Alibaba Cloud KMS is now supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud Auth Method is now a supported interface for Auto Auth within Vault Agent.

GCP CKMS Secret Engine

Vault 1.0 sees the release of a new secrets engine for managing cryptographic operations within Google Cloud Platform's Cloud Key Management System. This interface allows for transit-like decrypt/encrypt operations, key creation, and key management within external GCP CKMS systems.

Other Features

There are many new features in Vault 1.0 that have been developed over the course of the 0.11.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:

• AWS Secret Engine Root Credential Rotation: The credential used by the AWS secret engine can now be rotated, to ensure that only Vault knows the credentials it is using.
• Storage Backend Migrator: A new operator migrate command allows offline migration of data between two storage backends.
• Transit Key Trimming: Keys in transit secret engine can now be trimmed to remove older unused key versions.
• Replication Speed Improvements (Vault Enterprise): Vault's replication system has been overhauled to dramatically improve performance.

Upgrade Details

Vault 1.0 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.0-specific upgrade page.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault mailing list.

For more information about HashiCorp Vault Enterprise, visit https://www.hashicorp.com/products/vault. Users can download the open source version of Vault at https://www.vaultproject.io.

Also, check out the Journey to Vault 1.0 by Armon.

We hope you enjoy Vault 1.0!