GaLeon - Fotolia
A new release of HashiCorp's Vault secrets manager this week boosts the value of its Enterprise version for paying customers with a new data encryption engine that supports data masking, among other updates.
HashiCorp Vault is widely used by enterprises in Kubernetes clusters and other cloud-native application environments to centrally manage secrets, namely information used to authenticate users and authorize their access to data systems in increasingly complex distributed environments.
Vault stores, transmits and periodically updates secrets data, automatically routes requests through data encryption key management systems and acts as a manager of managers among diverse cloud security systems.
HashiCorp Vault Enterprise lost one of its key differentiators in 2018 when the company made the auto-unseal feature -- which sets up and tears down the HashiCorp Vault software without manual intervention -- part of the free open source version.
"It's a question a lot of open source companies face -- Where is the line between what they're offering for free in the community, as opposed to what they're trying to sell as a product?" said Chris Steffen, analyst at Enterprise Management Associates in Boulder, Colo.
Since opening the auto-seal feature to free use in version 1.0 two years ago, however, HashiCorp has steadily added in other features exclusive to Vault Enterprise, such as the ability to act as a Key Management Interoperability Protocol (KMIP) Server for client requests from third-party encryption systems with version 1.2 in 2019.
Now, version 1.4 of the secrets manager adds a new version of the engine HashiCorp Vault uses to transmit data between systems in the form of an Advanced Data Protection Module for Vault Enterprise called the Transform Secrets Engine. The engine, an alternative to the base Vault Transmit Engine, supports data masking and other kinds of data transformation for compliance-conscious IT shops.
Chris SteffenAnalyst, Enterprise Management Associates
Vault will not replace data-masking systems, as it won't store anonymized and redacted data, but it will support the transmission of masked data that must match its original pattern to be accepted by other systems. Such processes are often necessary in environments compliant with HIPAA and PCI regulations.
"The Transform Engine supports both one-way masking and two-way transformation for data protection, which sets Vault Enterprise apart in the market," Steffen said. "It can offer Enterprise users more visibility into their protected data."
Other additions to Vault Enterprise in version 1.4 include a new disaster recovery workflow. In the past, the tool required a quorum, or minimum number, of recovery and Vault unseal keys to be activated to promote a secondary Vault master to primary for failover. Achieving that quorum could delay failover and recovery significantly, so version 1.4 allows secondary masters to be promoted automatically. Vault Enterprise also now has its own Kubernetes Helm chart for automatic installation of the secrets management software on Kubernetes clusters.
HashiCorp Vault 1.4 broadens secrets management storage options
HashiCorp Vault 1.4 promoted integrated storage support from beta to general availability for both open source and Enterprise users, which means they have the option of using internal storage on Vault server clusters rather than an external storage system, as was previously required.
Integrated storage, which has been in beta since version 1.2, is a highly anticipated update among Vault users, Steffen said.
"It's something that's been long awaited among HashiCorp's devoted audience -- it's been in beta for a while and people have been using it successfully for a while," he said. Large enterprise customers are accustomed to using external storage systems, but "not everyone wants to have to manage additional storage back ends -- they want to manage Vault all in one place."
HashiCorp Vault 1.4 open source and Enterprise versions both get support for Open LDAP and Kerberos identity and access management systems, as well as MongoDB Atlas and the Amazon Redshift database secrets engine, which brokers access for BI systems to the AWS data warehouse. Both versions also now support the Kubernetes Service Registry, which means Vault can route secrets management requests to specific nodes in the Kubernetes cluster based on pod metadata.
HashiCorp Vault has few major direct competitors so far -- it acts as an umbrella manager of managers among vendor-specific identity and secrets management systems such as Google Cloud Secret Manager and AWS Secrets Manager. Other tools such as Sophos and BitLocker have some similar features, but don't match all of what Vault offers.
Vault's ubiquity in the Kubernetes world, especially, has prompted speculation in the past that HashiCorp could be a ripe acquisition target for a larger IT vendor, but a recent $175 million funding round on a $5 billion company valuation has put acquisition rumors to rest for now.
"My guess is that they'll have an IPO before they're acquired," Steffen said. "It seems HashiCorp is around to stay for a while."