HCP Vault Dedicated adds secrets sync, cross-region DR, EST PKI, and more

HCP Vault Dedicated is HashiCorp’s cloud-managed, single-tenant Vault offering which allows users to secure secrets, keys, and certificates across cloud providers. The release of Vault 1.18 and additional key enterprise features allows users to expand access across regions and cloud service providers.

Today we are releasing secret sync capabilities, enhanced UI permissions on subkeys, PKI EST protocol support, and cross-region disaster recovery (DR) capabilities.

»Secrets sync centralizes secrets management

Secrets sync, now available in HCP Vault Dedicated, allows organizations to sync secrets out to third-party secrets management systems while still maintaining Vault as the central system of record and management platform. This provides a standard, unified secrets management workflow for the whole organization, solving tooling fragmentation challenges (interfacing with multiple cloud vendors and key managers for access) and making security workflows more efficient.

Users can now sync secrets to the following destinations:

• AWS Secrets Manager
• Azure Key Vault
• GCP Secrets Manager
• GitHub
• Vercel Projects

»Enhanced UI permissions on subkeys adds efficiency

Organizations that are storing key-value (KVv2) secrets in a nested structure can sometimes end up with multiple key value pairs stored under one secret path. Due to security concerns, administrators do not want their teams to be able to see all of the values of the secrets in one single entry when they are updating secret values.

To prevent this, admins grant their teams specific permissions to update values as needed, which are then tracked via audit logs. Once granted access, users can manually update secrets using patch and subkey commands in the API and CLI. Following a common workflow, users can log into Vault, find the relevant secret path, view the secret structure to locate the precise key to update, and update that key.

This update will add patch and subkey commands directly to the HCP Vault Dedicated GUI, which allows users to view the structure (keys) of the secret data without viewing the values. This allows them to focus on just the specific key-value pairs they want to update. Additionally, it allows users to update a secret value without seeing the secret’s previous value. Administrators benefit by being able to set user permissions so that their teams can interact with KVv2 secrets without viewing secure secret data, and then track secret changes directly via audit logs.

»PKI EST for IoT certificate management

HCP Vault Dedicated now supports PKI EST protocol as a function of the PKI secrets engine for organizations that need to manage and auto-rotate PKI certificates across devices.

When selecting the most appropriate technologies for IoT use cases, automating the provisioning and rotation of PKI certificates on different device types is important due to the magnitude of security risks.

Enrollment over Secure Transport (EST) is considered one of the best PKI protocols to automate large volumes of certificates for multiple devices. It is a PKI enrollment service that ensures secure interoperability between clients and a certificate authority (CA). In an IoT PKI architecture, EST verifies whether clients are authorized to obtain the requested certificates. Once clients are verified, EST communicates with the CA in order to deliver the certificates to the client.

Today EST is the preferred choice for PKI with organizations that have large scale IoT deployments (thousands of devices over multiple global locations). Enterprises prefer EST because of the automation capabilities of certificate management that remove the burden of manually configuring certificates, which is prone to human error. Additionally, manually managing certificates runs the risk of being forgotten until after expiration, which can cause unexpected outages of critical systems and exposure to breach.

»WIF support for reduced risk (coming soon)

Workload Identity Federation (WIF), coming soon to HCP Vault Dedicated, allows users to eliminate concerns about providing security credentials for Vault plugins. WIF establishes a trust relationship between an external system and Vault’s identity token provider to access an external system. This allows for more efficient plug-in integration by eliminating the need to provide security credentials to every plugin that is added to a team’s workflow. WIF also reduces security concerns because its secretless workflow eliminates the use of long-lived, highly privileged security credentials.

»Cross-region DR enhances Vault resilience

HCP Vault Dedicated production clusters consist of three nodes that support multiple AWS and Azure regions. With this expansion of cross-region DR, these nodes can now tolerate availability zone failures across regions. In the case that a primary region of HCP Vault clusters encounter catastrophic failure they are able to be recovered in another region.

Expanding cross-region DR capabilities with HCP Vault Dedicated allows for users to streamline disaster recovery through replication in the event of an outage and reduce their overall risk profile. It also allows teams to remain nimble and install necessary fail-safes in the case of failure.

This release only allows for cross-region DR replication to the same provider and not across different providers.

»Want to get started?

These new HCP Vault Dedicated features remove risks, improve Vault resilience, and increase operator and user efficiency.

To learn more about HCP Vault Dedicated visit our overview documentation and sign-up for our free tier today. Have any more challenges around cloud security or secrets management that you’d like to talk about? Click here to discuss your environments with our solutions and sales teams.