Vault 1.18 introduces support for IPv6 and CMPv2 while improving security team user experience

HashiCorp Vault 1.18 is now generally available, with new secure workflows, improved high availability, and new PKI protocols. HashiCorp Vault provides secrets management, data encryption, identity management, and other workflow capabilities for applications on hybrid and multi-cloud infrastructure.

Key feature additions to Vault 1.18 include:

• CMPv2 PKI support: The CMPv2 PKI enrollment automation protocol is used in the 5G telecom industry to fulfill the required 3GPP standards (Enterprise)
• Adaptive overload protection: Improves high availability functionality to mitigate downtime (Enterprise)
• Password rotation for static PostgreSQL database accounts: Allows individual database accounts to self-rotate their own credentials (Enterprise)
• Raft library updates: Improved resiliency to network outages with the inclusion of pre-vote operations
• IPv6 compliance: Validated to comply with the US government’s OMB Mandate M-21-07 and Federal IPv6 policy (Enterprise)
• Improved user experience for security teams: Enhanced UI support for AWS WIF and KVv2 secrets path management (Enterprise)

»Support for CMPv2 PKI protocol

Vault Enterprise 1.18 further advances its certificate lifecycle management capabilities by extending PKI with the CMPv2 protocol. CMPv2 supports a variety of certificate formats including RSA, DSA, and ECDSA, as well as X.509 templates. The protocol is widely used by the mobile telecommunications and networking industries to support 5G and achieve third-generation partnership project (3GPP) compliance. CMPv2 includes:

• Initialization registration: Initialization requests are generally used to bring a new device into the PKI. Typically such devices are pre-provisioned with a vendor certificate issued by a CA other than the issuing CA. A successful request results in the issuance of a certificate, which can then be used to sign subsequent CMP messages.
• Certificate update: Certificate update messages are used by the requesting client to confirm that the issued certificate was received successfully, and PKI confirm messages are used to confirm that the server successfully received the certificate confirm message.
• Key-pair update: Key update requests are used to request certificate renewals or reissues.

In order to provide 5G services, mobile telecommunication providers are required to adhere to 3GPP standards. One such 3GPP requirement is that network devices must be authenticated using x509 certificates and that the enrollment process must leverage the CMPv2 protocol. With support for PKI’s CMPv2 protocol, Vault Enterprise facilitates the automation of network device certificate enrollment, helping organizations be 3GPP compliant for 5G services.

»Adaptive overload protection

Requests to the Vault API frequently result in the need to perform storage updates. These updates must be processed sequentially, causing high latency that could result in an outage during periods of extremely high traffic. Adaptive overload protection lets Vault gracefully manage requests by maintaining write replicas, which mitigates the risk of downtime. Adaptive overload protection will be enabled by default for Vault’s integrated storage backend when using Vault Enterprise.

»Password rotation for static database credentials

Vault Enterprise’s database secrets engine supports centralized workflows to administer credentials for a variety of database platforms. Each database service instance receives unique credentials so any atypical access pattern can be identified and revoked. While this reduces manual tasks and improves the efficiency of database administration, it can lead to the growth of non-human identity (NHI) service accounts with highly privileged credentials or root access.

Vault Enterprise 1.18 includes a PostgreSQL secrets plugin that allows individual database accounts to self-rotate their own credentials. This feature allows database administration and SecOps teams to limit and reduce the usage of highly privileged NHI accounts dedicated to supporting password rotation for static key-value accounts.

»Raft library updates

A Raft library is a protocol in which a cluster of nodes maintain a replicated state machine. The state machine is synchronized through the use of a replication log.

Previously, Vault Enterprise’s Raft implementation did not include pre-vote operations, which could prolong network outages. Vault Enterprise 1.18 now includes the pre-vote operation, which improves applications stability during network failures. This update to Vault’s Raft library will not require configuration or upgrade process for those using version Vault Enterprise 1.18 and later.

»Next generation of IPv6 compliance

HashiCorp is pleased to announce that Vault Enterprise 1.18 has been internally validated to be compliant with the US government’s OMB Mandate M-21-07 and Federal IPv6 policy requirements supporting the IPv6 profile for the US government. And Vault’s compliance page can now be used by our customers as the Self-attested Supplier Declaration of Conformity (SDOC) for versions 1.18 and later.

HashiCorp is currently engaged with an external agency accredited to perform USGv6 compliance testing for Vault Enterprise 1.18. Once external testing is complete, Vault Enterprise will be fully compliant with the Federal government’s IPv6 rules.

»Improved user experience for security teams

Vault has always included strong API and CLI support for engineering teams. However, that’s not always the most useful user experience for SecOps or those teams more focused on governance, regulation, and compliance. Recent releases of Vault Enterprise have emphasized greater support for different user experiences to ensure security teams have the necessary functional availability to implement security policy and best practices. Vault Enterprise 1.18 continues this focus by introducing UI support for AWS WIF and KVv2 secrets path management.

»UI support for AWS WIF

Workload Identity Federation (WIF) enables secretless configuration between Vault Enterprise and external cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud. WIF offers organizations another opportunity to limit the use of long-lived credentials to reduce risk while also limiting the need for ongoing operational maintenance and monitoring.

Vault Enterprise 1.15 introduced support for WIF, and since then, we have added significant improvements. Vault Enterprise now includes support to configure AWS WIF through the user interface. This new functionality supports security teams that prefer a more UI-driven workflow to perform Vault secrets management tasks.

»UI support for KVv2 secrets path management

Frequently we observe Vault administrators nesting secrets that allow a single KVv2 secrets path to have multiple key-value pairs. This is a Vault Enterprise feature as it allows for more granular physical organization of an application's secrets. This functionality has been available for use via the API and CLI, but has lacked support for a UI workflow until now.

The new UI-driven workflow for KVv2 secrets path management will allow security teams to set policies and allow users to see key names and update/write key-values without read access, ensuring secure, least-privileged access for app users in accordance with organizational needs.

»Vault 1.18 upgrade details

The lastest Vault release also includes more new features, workflow enhancements, general improvements, and bug fixes. All of these updates can be found in the Vault 1.18 changelog. Please visit the Vault release highlights page for step-by-step tutorials demonstrating the new features.

For more information about HCP Vault and Vault Enterprise, visit the HashiCorp Vault product page.