HashiCorp Vault 1.8 adds diagnostic command, key management secrets engine and expiration manager

HashiCorp Vault 1.8 brings notable features and enhancements to the secrets management and data protection product, including Vault Diagnose, built-in storage autopilot, a key management secrets engine for AWS, expiration manager improvements and control group triggers.

Vault helps users manage secrets and protect sensitive data using the UI, CLI, or HTTP API.

In the Vault community office hours, HashiCorp Software Engineer Stephen Wayne highlighted major improvements to the expiration manager and why they matter to Vault. The expiration manager is used to manage the life cycle of leases, and every dynamic secret in Vault must have a lease.

Vault 1.7 and earlier versions have clear limitations, especially around revocation: leases must be revoked from the system they are associated with, there is one worker per revocation, revocation of irrevocable leases is retried on every Vault startup, and many simultaneous revocations consume resources needed by other Vault components. Revocation is essential because it enables key rolling as well as locking down systems in the event of an intrusion.

Vault 1.8 adds the ability to mark certain leases as irrevocable, introduces fair-sharing logic for lease revocation, and adds an HTTP API and CLI for operators to obtain information about irrevocable leases. From an end-user perspective, Vault 1.8 delivers the expected results: more efficient use of resources, better observability of lease status, and no more crashes on startup. Vault now has noticeably improved support for lease revocation.
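As an added example (not code from the article or from HashiCorp), the following script summarizes the irrevocable leases reported by a Vault 1.8 server by mount and revocation error, the kind of check an operator would run to see which backend is failing to revoke. It assumes the `GET /v1/sys/leases?type=irrevocable` endpoint and the `lease_count`/`leases`/`mount_id`/`error` field names as documented for Vault 1.8; verify them against your own version, and note that the sample response below is constructed, not captured from a real server.

```python
"""Summarize irrevocable leases reported by Vault 1.8+ (added example, not HashiCorp code)."""
import json
import urllib.request
from collections import Counter

# Assumption: endpoint and field names follow the Vault 1.8 sys/leases API
# (GET /v1/sys/leases?type=irrevocable). Check them against your Vault version.
IRREVOCABLE_PATH = "/v1/sys/leases?type=irrevocable"


def summarize_irrevocable(response_body: dict) -> dict:
    """Group irrevocable leases by mount and collect their revocation errors.

    Returns {"total": N, "by_mount": {mount: count}, "errors": {mount: [msg, ...]}}
    so an operator can see which secrets backend is failing to revoke.
    """
    data = response_body.get("data") or {}
    leases = data.get("leases") or []
    by_mount = Counter()
    errors = {}
    for lease in leases:
        mount = lease.get("mount_id", "unknown")
        by_mount[mount] += 1
        if lease.get("error"):
            errors.setdefault(mount, []).append(lease["error"])
    return {"total": data.get("lease_count", len(leases)),
            "by_mount": dict(by_mount), "errors": errors}


def fetch_irrevocable(addr: str, token: str, timeout: float = 5.0) -> dict:
    """Query a live Vault server with a token and summarize the response."""
    req = urllib.request.Request(addr.rstrip("/") + IRREVOCABLE_PATH,
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_irrevocable(json.load(resp))


# Constructed sample response for offline use (values are made up).
SAMPLE_RESPONSE = {"data": {"lease_count": 3, "leases": [
    {"lease_id": "database/creds/readonly/id1", "mount_id": "database/",
     "error": "unable to reach database backend", "expire_time": "2021-07-01T00:00:00Z"},
    {"lease_id": "database/creds/readonly/id2", "mount_id": "database/",
     "error": "unable to reach database backend", "expire_time": "2021-07-01T00:05:00Z"},
    {"lease_id": "aws/creds/deploy/id3", "mount_id": "aws/",
     "error": "access denied deleting IAM user", "expire_time": "2021-07-02T00:00:00Z"},
]}}

if __name__ == "__main__":
    print(json.dumps(summarize_irrevocable(SAMPLE_RESPONSE), indent=2))
```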

Vault Diagnose was introduced in Vault 1.8 to enable faster troubleshooting and user-friendly diagnostics when Vault won't start or crashes, which means the diagnose command is safe to use regardless of the state Vault is in. In the community office hours, HashiCorp Software Engineer Hridoy Roy described the Vault Diagnose command and explained why it was built and how it works.

Because customers face challenges with Vault configurations such as misconfigured TLS and certificate issues, HashiCorp designed Vault Diagnose to catch some of the common causes of bad Vault behavior before they cause trouble. Vault Diagnose uses OpenTelemetry scopes to store diagnostic information; it walks through the tree and reports each check as a warning, failure or pass with human-readable messages. Hridoy also gave a live demo of the basic use of the diagnose operator command, including with misconfigured storage and even when Vault is down.

The changelog and release notes list all changes in Vault 1.8. You can also consult the official announcement for the enterprise features.