HashiCorp Vault Brings Disaster Recovery to Secrets Management

The latest update of the Vault platform adds new disaster recovery and multi-factor authentication capabilities to the distributed secrets management platform.

HashiCorp Vault

HashiCorp has released new versions of both its open-source and enterprise editions of its Vault secrets management platform, providing new scalability and security operations capabilities.

Vault helps organizations securely store and access application tokens, passwords and authentication credentials, which collectively are commonly referred to as "secrets" in an information security context.

The open-source Vault project was launched by HashiCorp in May 2015, and the first Vault Enterprise release debuted in September 2016. Armon Dadgar, co-founder and CTO of HashiCorp, said the new Vault 0.8 update improves on the data center replication capabilities that HashiCorp debuted in the Vault 0.7 release in March 2017.

"The Vault 0.7 release was the first time we introduced multi-data center replication capabilities, and with 0.8 we're expanding on that in multiple ways," Dadgar told eWEEK.

In Vault 0.7, the replication was "all or nothing," replicating an entire system to a secondary site, according to Dadgar. Based on client feedback, Vault 0.8 now has what HashiCorp calls mount filtered replication that enables users to selectively filter what information can be replicated. Mount filtered replication is important for data governance and compliance requirements, since not all data can be replicated or moved to an arbitrary secondary location, he said.

The Vault 0.8 enterprise release also benefits from a new disaster recovery (DR) mode that enables organizations to rapidly recover and fail over to a secondary Vault deployment in the event of failure. Dadgar said the DR feature is not for long-haul multi-data center replication, but rather for enabling multiple availability zones and high availability in a local area.

HashiCorp also added a new multi-factor authentication (MFA) capability to the Vault Enterprise edition. Enterprises can now govern access to secrets that have MFA requirements.

"MFA is designed to support a number of different types of provider standards," Dadgar said. "At launch we will only support Duo, Okta and TOTP [Time-base One-Time Password]; however, we intend to expand upon this functionality going forward."

The enterprise edition of Vault provides enhanced capabilities for paying customers and is a superset of features that are contained in the open-source Vault project. Among the updates in the open-source Vault 0.8 release is a new secure plug-in model that expands the base of different endpoints that can be managed.

A limiting factor for HashiCorp's ability to expand Vault to cover all the different use cases has been the fact that different applications tend to require additional development effort in order to be supported. With Vault 0.8, HashiCorp is introducing a new secure plug-in model that enables organizations and developers to more easily integrate Vault with different authentication back ends.

"Rather than just be for Window logins or AWS [Amazon Web Services], we want Vault to be the central gatekeeper so organizations can have one set of policies and access control to manage everything, whether it's an Oracle database, an Amazon cloud, SAP or a customized system," Dadgar said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.