【譯】喜大普奔：HashiCorp Vault 1.0 發佈啦！

DEC 04 2018 ANDY MANOSKE

今天, 咱們很高興地宣佈 hashicorp Vault1.0 的公開可用性。Vault 是一種用於管理機密和保護任何基礎結構和應用程序的敏感數據的工具。

Vault 1.0 專一於改造 Vault 的基礎設施, 以支持高性能、可擴展的工做負載。Vault 的1.0 版本的重要更新包括:

• 批量 Token：一種針對高性能、臨時工做負載優化的新型 Token。
• 開源雲自動解封：基於雲的自動解封如今是開源的。
• OpenAPI 支持：Vault 如今支持 OpenAPI 標準。
• 擴展的阿里雲集成：擴展了對在阿里雲環境中運行 Vault 的支持。
• 更新的用戶界面：對 Vault UI 進行重大更新, 以便於使用。
• GCP 雲 KMS 祕密引擎：從 Vault 內管理 GCP CKMS 密鑰。

該版本還包括了其餘新功能、安全工做流加強功能、通常改進和錯誤修復。Vault 1.0 更改日誌提供了功能、加強功能和錯誤修復的完整列表。

Vault 1.0 是 Vault 團隊和 HashiCorp 做爲一個總體的一個重要里程碑。Vault 是 HashiCorp 第四個達到1.0 的項目, 咱們的今天是 HashiCorp 與更普遍的開源社區近四年辛勤工做的結果。咱們十分感謝社會人士的貢獻。像往常同樣, 感謝您的全部需求、想法、錯誤報告和支持。

批量 Token

批處理 Token 是一種支持臨時、高性能工做負載的新型令牌。這些 Token 不會寫入磁盤, 從而顯著下降了 Vault 中任何操做的性能成本。

做爲折中, 批處理 Token 不是持久的, 不該用於任何類型的長期或正在進行的操做, 也不該用於在 Vault 羣集出現故障或停機時須要該令牌彈性時的任何操做。

批處理令牌的短暫性質使其很是適合大批量的單用途操做 (如使用 transit 祕密引擎), 但不適合諸如永久訪問 K/V 引擎中的機密等操做。

開源雲自動解封

在 Vault 1.0 中, 咱們開放開源雲自動解封功能, 容許 Vault 的全部用戶利用雲服務, 如 AWS KMS、Azure Key Vault 和 GCP CKMS 來管理 Vault 的解封過程。

咱們決定開放開源雲自動解封功能, 覺得全部用戶簡化存儲和從新組合 Shamir 鑰匙的過程。雖然咱們最初認爲雲自動取消密封只是企業合規性的需求, 但咱們在與社區合做時意識到, 自動取消密封更多的是爲了方便使用, 而不是合規性要求。

須要注意的是, 基於 HSM 的自動解封 (經過 PKCS#11 標準) 和S eal-Wrap 將繼續保留在 Vault 企業版中的功能。這兩個功能的部署一般都符合政府和法規聽從性要求, 所以與企業用例保持一致。

OpenAPI

Vault 1.0 如今支持 Open API 倡議的 OpenAPI 標準, 加入了許多其餘主要的開源項目, 爲其 API 調用提供了與供應商無關的描述格式。

使用/sys/internal/specs/openapi終結點, Vault 能夠生成一個 OpenAPI v3 文檔, 描述給定 Token 權限的已裝入後端和終結點功能。

更新的用戶界面

Vault 1.0 的版本已看到 Vault UI 更新的重要。其中包括嚮導, 以幫助將新用戶引入用於配置 Vault 和存儲機密的常見 Vault 工做流, 更新了用戶如何安裝 auth 方法和祕密引擎的頁面, 支持在 K/V v2 機密引擎中管理關鍵版本控制, 以及主機的其餘更新, 以幫助確保 Vault 幾乎能夠徹底地從 Vault UI 中部署、初始化和管理。

1.0 是 Vault UI 團隊在過去幾個主要版本中大量工做的結晶。咱們將在即將發佈的博客文章中發佈一個深度介紹 ui 團隊的工做, 以及 Vault 以圖形方式配置和管理工做流的能力。

擴展的阿里雲集成

Vault 1.0 擴展了使用阿里雲和在阿里雲中操做 Vault 的功能。阿里雲 KMS 如今做爲 Seal-Wrap 和自動解封目標獲得支持, 阿里雲 Auth 方法如今是 Vault 代理中 Auto Auth 的支持接口。

GCP CKMS 祕密引擎

Vault 1.0 發佈了一個新的機密引擎, 用於管理 Google 雲平臺的雲密鑰管理系統中的加密操做。此接口容許在外部 GCP CKMS 系統中進行相似於傳輸的解密加密操做、密鑰建立和密鑰管理。

其餘功能

Vault 1.0 中有許多新功能是在 0.11. x 版本過程當中開發的。咱們總結了如下幾個較大的功能, 詳情可參考更改日誌：

• AWS 祕密引擎根證書旋轉：AWS 祕密引擎使用的證書如今能夠旋轉, 以確保只有 Vault 知道它所使用的證書。
• 存儲後端遷移：新的操做員遷移命令容許在兩個存儲後端之間脫機遷移數據。
• Transit Key 修剪：如今能夠修剪 Transit 祕密引擎中的密鑰, 以刪除舊的未使用密鑰版本。
• 複製速度改進 (Vault 企業版)：Vault 的複製系統已進行了大修, 以顯著提升性能。

升級詳細信息

Vault 1.0 引入了重要的新功能。所以, 咱們提供常規升級說明和 Vault 1.0 特定的升級頁面.

與往常同樣, 咱們建議在隔離環境中升級和測試此版本。若是您遇到任何問題, 請在 Vault GitHub 問題跟蹤器上報告或發佈到 Vault 郵件列表.

有關 HashiCorp Vault 企業的詳細信息, 請訪問www.hashicorp.com/products/va…。用戶能夠在www.vaultproject.io下載 Vault 的開源版本.

此外, 請查看 Vault 1.0 之旅。

咱們但願您喜歡 Vault 1.0!

【原文】HashiCorp Vault 1.0

DEC 04 2018 ANDY MANOSKE

Today we are excited to announce the public availability of HashiCorp Vault 1.0. Vault is a tool to manage secrets and protect sensitive data for any infrastructure and application.

Vault 1.0 is focused on renovating Vault's infrastructure to support high performance, scalable workloads. The 1.0 release of Vault includes significant new functionality including:

• Batch Tokens: A new type of token optimized for high performance, ephemeral workloads.
• Open Source Cloud Auto Unseal: Cloud-based auto unseal is now open source.
• OpenAPI Support: Vault now supports the OpenAPI standard.
• Expanded Alibaba Cloud Integration: Expanded support for running Vault on Alibaba Cloud environments.
• Updated UI: Significant updates to the Vault UI for better ease of use.
• GCP Cloud KMS Secrets Engine: Manage GCP CKMS keys from within Vault.

The release also includes additional new features, secure workflow enhancements, general improvements, and bug fixes. The Vault 1.0 changelog provides a full list of features, enhancements, and bug fixes.

Vault 1.0 is a major milestone for the Vault team and HashiCorp as a whole. Vault is the fourth HashiCorp project to reach 1.0, and where we are today is the result of nearly four years of hard work between HashiCorp and the broader open source community. We are immensely grateful to the community for their contributions. As always, thank you for all of your pull requests, ideas, bug reports, and support.

Batch Tokens

Batch tokens are a new type of token that support ephemeral, high performance workloads. These tokens do not write to disk, significantly reducing the performance cost of any operation within Vault.

As a trade off, batch tokens are not persistent and should not be used for any kind of long-lived or ongoing operation or any operation that requires resiliency of that token in the face of the failure or downtime of the Vault cluster.

The ephemeral nature of batch tokens makes them well suited for large batches of single-purpose operations such as use of the transit secret engine, but ill suited for operations such as persistent access for secrets within a K/V engine.

Open Source Cloud Auto Unseal

In Vault 1.0, we are open sourcing Cloud Auto Unseal, allowing for all users of Vault to leverage cloud services such as AWS KMS, Azure Key Vault, and GCP CKMS to manage the unseal process for Vault.

We decided to open source Cloud Auto Unseal to simplify the process of storing and reassembling Shamir's keys for all users. While we originally thought cloud auto-unseal was just an enterprise compliance need, we've realized in working with the community that auto-unseal is more for ease of use than compliance requirements.

It is important to note that HSM-based Auto Unseal (via the PKCS#11 standard) and Seal-Wrap will continue to remain features within Vault Enterprise. Both of these features are typically deployed to conform with government and regulatory compliance requirements, and thus are aligned with enterprise use cases.

OpenAPI

Vault 1.0 now supports the Open API Initiative's OpenAPI standard, joining a host of other major open source projects in providing a vendor-neutral description format for its API calls.

With the /sys/internal/specs/openapi endpoint, Vault can generate an OpenAPI v3 document that describes mounted backends and endpoint capabilities for a given token's permissions.

Updated UI

The releases leading up to 1.0 have seen significant updates to the Vault UI. These include wizards to help introduce new users to common Vault workflows for configuring Vault and storing secrets, updated screens for how users mount auth methods and secret engines, support for managing key versioning within the K/V v2 secrets engine, and a host of other updates to help ensure that Vault can almost completely be deployed, initialized, and managed from within the Vault UI.

1.0 is the culmination of a very significant amount of work from the Vault UI team over the last few major releases. We will publish a deep dive highlighting the UI team's work, and Vault's ability to be configured and manage workflows graphically, in an upcoming blog post.

Expanded Alibaba Cloud Integration

Vault 1.0 expands on features for operating Vault with and within Alibaba Cloud. Alibaba Cloud KMS is now supported as a Seal-Wrap and Auto Unseal target, and the Alibaba Cloud Auth Method is now a supported interface for Auto Auth within Vault Agent.

GCP CKMS Secret Engine

Vault 1.0 sees the release of a new secrets engine for managing cryptographic operations within Google Cloud Platform's Cloud Key Management System. This interface allows for transit-like decrypt/encrypt operations, key creation, and key management within external GCP CKMS systems.

Other Features

There are many new features in Vault 1.0 that have been developed over the course of the 0.11.x releases. We have summarized a few of the larger features below, and as always consult the changelog for full details:

• AWS Secret Engine Root Credential Rotation: The credential used by the AWS secret engine can now be rotated, to ensure that only Vault knows the credentials it is using.
• Storage Backend Migrator: A new operator migrate command allows offline migration of data between two storage backends.
• Transit Key Trimming: Keys in transit secret engine can now be trimmed to remove older unused key versions.
• Replication Speed Improvements (Vault Enterprise): Vault's replication system has been overhauled to dramatically improve performance.

Upgrade Details

Vault 1.0 introduces significant new functionality. As such, we provide both general upgrade instructions and a Vault 1.0-specific upgrade page.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Vault GitHub issue tracker or post to the Vault mailing list.

For more information about HashiCorp Vault Enterprise, visit www.hashicorp.com/products/va…. Users can download the open source version of Vault at www.vaultproject.io.

Also, check out the Journey to Vault 1.0 by Armon.

We hope you enjoy Vault 1.0!