HashiCorp released its Vault Enterprise 0.7 update on March 21, providing organizations with new capabilities to help securely manage application secrets across a distributed platform.
Secrets in an enterprise security context refers to application tokens, passwords and user access, as well as privileged account management. It is not generally considered safe for organizations to embed access passwords in applications, but rather an emerging best practice is to use a secret management technology, like Vault, to safely secure and inject passwords into applications as needed.
The open-source Vault project was first launched by HashiCorp in May 2015 and the first Vault Enterprise release debuted in September 2016. In the Vault Enterprise 0.7 update, the key focus is on improved availability of the secrets management platform.
“Data center replication is the big tent pole feature for Vault Enterprise 0.7,” Armon Dadgar, co-founder and CTO of HashiCorp, told eWEEK.
Vault Enterprise is a superset of features that are contained in the open-source Vault project. Dadgar noted that the data center replication capability is only in the enterprise release. Dadgar explained that the big concern that large enterprises have with secrets management is availability.
Often with distributed replication technologies, consistency is prioritized over availability, but that’s not the case with Vault Enterprise.
“We have a custom replication scheme that makes sure that the availability of the system is never sacrificed,” Dadgar said. “So they might not be able to rotate encryption keys if there is connectivity failure, but they’ll be able to continue to use the keys they already have.”
Dadgar explained that the Vault Enterprise system makes use of a primary/secondary model, where the primary node is considered to be authoritative. For a disconnected branch, the organization will still be able to use existing secrets, but since they aren’t connected to a primary node, they won’t be able to modify or create any new secrets.
Protecting Containers
Among the many different use-cases for Vault is within container deployments. Aqua Security announced an integration with Vault in February 2017 for container deployments. Docker currently has its own secrets management technology that is directly integrated into the Docker container platform. Dadgar said that HachiCorp is trying to solve the broad challenge of secrets management and the goal is for it to be able to work in any type of environment.
“Vault is really trying to solve the secrets management project in a technology agnostic way,” Dadgar said.
However, Dadgar noted that HashiCorp has been working directly with leading developers in the open-source Kubernetes project to help provide an integrated experience.
“We want to work with everyone that is working to solve the last-mile challenges for secrets management,” Dadgar said.
Though Vault is not currently at a 1.0 release, Dadgar emphasized that HashiCorp already provides backwards compatibility and stability. Typically with an open-source project, the 1.0 milestone is the first release that is considered to be fully stable and backwards compatible.
“We have been backwards compatible since version 0.1, so even if you have an app written against the first version of vault it will still work with Vault 0.7,” Dadgar said. “We take backwards compatibility very seriously and don’t think of it as a 1.0 thing.”