Vault Enterprise 1.19 reduces risk with encryption updates and automated root rotation

HashiCorp Vault Enterprise 1.19 is now generally available, offering enhanced secure workflows, post-quantum computing features, and long-term support. Vault is a platform for managing secrets, encrypting data, handling identity management, and supporting various workflows for applications across hybrid and multi-cloud environments.

Notable features in Vault Enterprise 1.19 include:

• Machine Learning - Data Science and Analytics (ML-DSA) Post Quantum Cryptography (PQC) support: Transit secrets engine adds supports ML-DSA PQC sign and verify functionality for experimental purposes.
• Vault transit engine support for ED25519 with pre-hashing: Vault transit engine now supports ED25519PH signing frequently commonly used in remote and embedded devices.
• Constrained certificate authorities (CA): Constrained CA’s reduce risk by providing isolation for PKI workloads.
• Extended automated root rotation: Vault 1.19 extends its centralized rotation manager, which now provides a mechanism to automate rotation of root credentials for AWS, Azure, and Google Cloud auth methods and secret engines, along with LDAP and database plugins.
• Additional UI support for Workload Identity Federation (WIF): Vault 1.19 now provides UI support for WIF on Google Cloud and Azure.
• Long-term support (LTS): While Vault 1.16 enters one year of extended support, 1.19 represents Vault Enterprise’s second LTS release.
• Seal-wrap AppRole data for Federal Information Processing Standards (FIPS): FIPS-compliant Hardware Security Module (HSM) deployments.

»Reduce cyber threat risks with enhanced encryption

In recent releases, Vault has made significant investments in providing enhanced PKI and encryption functionality to be deployed against a wide range of threats including reducing the risk of data breaches, assisting with regulatory compliance, and securing sensitive information from unauthorized access or tampering. As cyber threats evolve, Vault's encryption features will remain one of the most effective tools for securing digital infrastructure.

Vault includes new functionality to support enterprise encryption requirements including constrained CA's, support for National Institute for Science and Technology (NIST) approved post-quantum computing (PQC) encryption, and storage optimization for the Ed25519ph algorithm.

»Safeguard data with post-quantum-ready encryption

The world’s encryption capabilities will become less effective as quantum computing becomes more broadly available. We, along with NIST, believe that organizations need to start thinking about this now.

Though quantum computing is not available at this time, bad actors are already seeking to collect and store encrypted data from past breaches, hoping to decrypt it later once the technology becomes available. This is called a harvest-now-decrypt-later strategy.

Last year, to help companies start preparing for this eventuality, NIST published three recommended cryptographic standards for post-quantum cryptography (PQC). Like NIST, we believe Vault customers must start safeguarding their applications and services against post-quantum threats.

In Vault Enterprise 1.19, the transit secret engine introduces experimental support for PQC ML-DSA sign and verify functionality. This allows customers to:

• Evaluate the impact of PQC on their systems and plan for necessary changes
• Protect data from harvest now decrypt later attacks, as well as the broader PQC threat

»Secure embedded devices with Ed25519ph encryption

Ed25519 is a commonly used public key signature algorithm that has gained popularity because of its speed, security, and simplicity. Here are the key reasons why Ed25519 is important:

• Strong security: Ed25519 is based on elliptic curve cryptography (ECC). This curve is designed to be resistant to various types of attacks, including side-channel attacks. Additionally, it is based on 128-bit encryption, which is considered to be strong enough to protect against attacks from modern computational power and potential quantum threats.
• Efficiency: Ed25519 is optimized for performance. It is designed to be fast both in terms of key generation and signing/verification operations, making it suitable for resource-constrained devices like internet of things (IoT) devices or mobile applications.
• Simplicity: Ed25519 is designed to be simple and hard to misuse. It eliminates many common pitfalls in cryptographic protocols, such as choosing weak curves or poor random number generators.
• Resistance to side-channel attacks: A significant benefit of Ed25519 is its resistance to side-channel attacks, which exploit physical characteristics like timing or power consumption during computations.
• Compact signature size: Ed25519 produces small, fixed-size signatures (64 bytes), which make it efficient for storage and transmission. This is important in systems with bandwidth limitations.

While Vault has supported Ed25519 since version 1.06, it did not support the pre-hashing that optimizes the algorithm for IoT and mobile devices with limited storage and compute capacity. As a result, customers have turned to third-party or custom cryptography solutions outside of Vault, which tend to introduce security risks and operational complexities.

Today, Vault transit engine natively supports Ed25519ph signing, a variant of the Ed25519 algorithm that includes a pre-hash instead of the actual data stream to capitalize on efficiency and compact characteristics.

»Isolate PKI workloads with constrained CA’s

Constrained PKI certificate authorities (CAs) refer to CAs that have limited scope compared to traditional, widely trusted CAs. Constrained CA’s issue digital certificates but with restrictions in place that enhance security and reduce the risk of misuse. Constrained CA’s enhance an organization’s security and reduce risk with:

• Limited certificate scope: Constrained CA’s are designed to issue certificates only for specific purposes or within a limited domain. For example, a CA may only issue certificates for a particular organization, specific types of devices, or certain applications. This limits the potential for compromise or misuse since the CA’s scope of trust is narrow and tightly controlled.
• Limited identity scope: A constrained CA can also restrict the types of entities it will issue certificates to, thereby minimizing the risk of issuing a certificate to a malicious actor.
• Usage scenario flexibility: Constrained CA can be established with multiple layers of security, such as multi-factor authentication (MFA) for certificate requests or hardware security modules (HSMs) to store private keys securely.
• Trust in the constrained CA: A key distinction with constrained CAs is that they may not be universally trusted by all systems or applications. This limits where the CA can provide authentication, helping teams build firmer least-privilege-necessary systems.

Vault Enterprise 1.19 now offers support for constrained PKI CAs. These CAs offer control, security, and compliance over public key certificates issued by a trusted entity with more options for limiting trust when compared to general-purpose CAs. The constraints help mitigate risks associated with certificate misuse, such as issuing certificates to unauthorized entities or for unintended purposes.

»Deploy Vault in HSM-compliant FIPS environments

The federal government, as well as organizations that service the federal government require FIPS (Federal Information Processing Standards) to ensure security, privacy, and integrity for sensitive government data and systems.

To comply with FIPS and FedRAMP, Vault AppRole data must be secured by Hardware Security Modules (HSMs) — physical devices used to generate, store, and manage cryptographic keys in a secure environment.

To continue ensuring that Vault meets these requirements, Vault Enterprise 1.19 has added support for seal-wrap functionality to secure AppRole data with HSM-level protection to enable FIPS-compliant deployments.

»Extended automated root rotation

Beginning with Vault 1.18, Vault offered the ability to automatically rotate database root credentials with the database secrets engine plugins. Each service instance is assigned unique credentials, allowing identification and secret revocation based on any unusual access patterns.

This approach streamlines database administration and reduces manual tasks. By using the centralized rotation manager, similar to Vault's lease manager, teams can automate the rotation of root credentials in a standardized way.

Vault Enterprise 1.19 extends the ability to automate root credential rotation to AWS, Azure, and Google Cloud authentication methods and secret engines, as well as LDAP and database plugins.

»Improved user experience for security teams

Vault has long provided robust API and CLI support for engineering teams. However, these tools may not always offer the most effective user experience for SecOps teams, or those focused on governance, regulation, and compliance. Recent Vault Enterprise releases have prioritized enhancing user experiences to ensure security teams have the necessary tools to enforce security policies and best practices. Vault Enterprise 1.19 further strengthens this focus by adding UI support for Workload Identity Federation (WIF) on Google Cloud and Azure.

»UI support for GCP and Azure WIF

Workload identities are assigned to software workloads, including applications, services, scripts, or containers, to authenticate and gain access to other services and resources. Workload Identity Federation (WIF) simplifies the process for developers to access cloud-based resources from applications and services running in Kubernetes or across different cloud providers, eliminating the need for secrets in certain cases. Developers can configure cloud-based applications and services to trust tokens issued by external identity providers like HashiCorp Vault, enabling these tokens to be used for accessing resources within those applications.

First introduced in Vault Enterprise 1.15, WIF has seen several updates since its launch. The latest update in Vault Enterprise 1.19 includes the ability to configure WIF in Azure and Google Cloud directly through the user interface, offering a streamlined, UI-driven approach.

Below is the interface for configuring Google Cloud WIF:

WIF allows for secretless integration between Vault Enterprise and external cloud providers. By using a secretless workflow, organizations eliminate the risks associated with long-lived credentials and reduce maintenance and monitoring toil.

»Long-term support

The Vault Enterprise 1.16 release marked the first long-term support (LTS) version of self-managed Vault. We’re pleased to announce that Vault 1.19 is also a LTS release. This is also the point where Vault 1.16 enters extended support for the next year.

To upgrade your Vault Enterprise 1.19, refer to the upgrade documentation. Once you're on a maintained Vault Enterprise LTS version, HashiCorp recommends upgrading annually to the next LTS version, with 1.22 being the next release. This upgrade strategy ensures your organization always runs a supported release, reducing the frequency of major version upgrades and improving workload predictability.

For more details, please refer to the Vault Enterprise LTS documentation and HashiCorp's multi-product LTS statement.

»Vault Enterprise 1.19 upgrade details

This release also includes more new features, workflow enhancements, general improvements, and bug fixes. All of these updates (including new features in Vault Community Edition) can be found in the Vault 1.19 changelog. Please visit the Vault release highlights page for step-by-step tutorials demonstrating the new features.

As always, we recommend upgrading and testing new releases in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault discussion forum. As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose it by emailing security@hashicorp.com — do not use the public issue tracker. For more information, please consult our security policy and our PGP key.

For more information about HCP Vault and Vault Enterprise, visit the HashiCorp Vault product page.

»Related topics

• NIST post-quantum cryptography standards: Our plans
• PKI and internet of things (IoT) use cases
• Top PKI use cases
• Beyond secrets - Using Vault to automate PKI (Demo)