Downloads:

43,272

Downloads of v 0.6.1:

367

Last Update:

30 Aug 2016

Package Maintainer(s):

Software Author(s):

  • Mitchell Hashimoto
  • HashiCorp

Tags:

vault

Vault

This is not the latest version of Vault available.

0.6.1 | Updated: 30 Aug 2016

Downloads:

43,272

Downloads of v 0.6.1:

367

Maintainer(s):

Software Author(s):

  • Mitchell Hashimoto
  • HashiCorp

Tags:

vault

Vault 0.6.1

This is not the latest version of Vault available.

All Checks are Passing

2 Passing Test


Validation Testing Passed


Verification Testing Passed

Details

To install Vault, run the following command from the command line or from PowerShell:

>

To upgrade Vault, run the following command from the command line or from PowerShell:

>

To uninstall Vault, run the following command from the command line or from PowerShell:

>

NOTE: This applies to both open source and commercial editions of Chocolatey.

1. Ensure you are set for organizational deployment

Please see the organizational deployment guide

  • Open Source or Commercial:
    • Proxy Repository - Create a proxy nuget repository on Nexus, Artifactory Pro, or a proxy Chocolatey repository on ProGet. Point your upstream to https://chocolatey.org/api/v2. Packages cache on first access automatically. Make sure your choco clients are using your proxy repository as a source and NOT the default community repository. See source command for more information.
    • You can also just download the package and push it to a repository Download

3. Enter your internal repository url

(this should look similar to https://chocolatey.org/api/v2)

4. Choose your deployment method:


choco upgrade vault -y --source="'STEP 3 URL'" [other options]

See options you can pass to upgrade.

See best practices for scripting.

Add this to a PowerShell script or use a Batch script with tools and in places where you are calling directly to Chocolatey. If you are integrating, keep in mind enhanced exit codes.

If you do use a PowerShell script, use the following to ensure bad exit codes are shown as failures:


choco upgrade vault -y --source="'STEP 3 URL'"
$exitCode = $LASTEXITCODE

Write-Verbose "Exit code was $exitCode"
$validExitCodes = @(0, 1605, 1614, 1641, 3010)
if ($validExitCodes -contains $exitCode) {
  Exit 0
}

Exit $exitCode

- name: Ensure vault installed
  win_chocolatey:
    name: vault
    state: present
    version: 0.6.1
    source: STEP 3 URL

See docs at https://docs.ansible.com/ansible/latest/modules/win_chocolatey_module.html.

Coming early 2020! Central Managment Reporting available now! More information...


chocolatey_package 'vault' do
  action    :install
  version  '0.6.1'
  source   'STEP 3 URL'
end

See docs at https://docs.chef.io/resource_chocolatey_package.html.


Chocolatey::Ensure-Package
(
    Name: vault,
    Version: 0.6.1,
    Source: STEP 3 URL
);

Requires Otter Chocolatey Extension. See docs at https://inedo.com/den/otter/chocolatey.


cChocoPackageInstaller vault
{
   Name     = 'vault'
   Ensure   = 'Present'
   Version  = '0.6.1'
   Source   = 'STEP 3 URL'
}

Requires cChoco DSC Resource. See docs at https://github.com/chocolatey/cChoco.


package { 'vault':
  provider => 'chocolatey',
  ensure   => '0.6.1',
  source   => 'STEP 3 URL',
}

Requires Puppet Chocolatey Provider module. See docs at https://forge.puppet.com/puppetlabs/chocolatey.


salt '*' chocolatey.install vault version="0.6.1" source="STEP 3 URL"

See docs at https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.chocolatey.html.

5. If applicable - Chocolatey configuration/installation

See infrastructure management matrix for Chocolatey configuration elements and examples.

Private CDN cached downloads available for licensed customers. Never experience 404 breakages again! Learn more...

This package was approved by moderator ferventcoder on 01 Sep 2016.

Description

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.

The key features of Vault are:

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.
  • Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

For more information, see the introduction section of the Vault website.


tools\chocolateyInstall.ps1
$checksum = '8faf63bff47a6a8ba0287b2ff1b462baf0ec9319b450c2e6b5b5f8950a9e2e1c'
$checksum64 = '53df96e47f67096f408b5f003641671a01170c88c85058771ef46f880b61b5dc'
$url = 'https://releases.hashicorp.com/vault/0.6.1/vault_0.6.1_windows_386.zip'
$url64bit = 'https://releases.hashicorp.com/vault/0.6.1/vault_0.6.1_windows_amd64.zip'
$unzipLocation = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"

Install-ChocolateyZipPackage -PackageName "vault" -Url "$url" -UnzipLocation "$unzipLocation" -Url64 "$url64bit" -ChecksumType 'sha256' -Checksum "$checksum" -Checksum64 "$checksum64"

Log in or click on link to see number of positives.

In cases where actual malware is found, the packages are subject to removal. Software sometimes has false positives. Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).

Chocolatey Pro provides runtime protection from possible malware.

Version Downloads Last Updated Status
Vault 1.6.1 613 Thursday, January 21, 2021 Approved
Vault 1.5.5 3174 Friday, October 23, 2020 Approved
Vault 1.5.4 1465 Thursday, October 22, 2020 Approved
Vault 1.5.3 176 Thursday, October 22, 2020 Approved
Vault 1.5.2 2209 Wednesday, August 26, 2020 Approved
Vault 1.5.0 1489 Wednesday, July 22, 2020 Approved
Vault 1.4.3 784 Friday, July 3, 2020 Approved
Vault 1.4.1 1627 Monday, May 4, 2020 Approved
Vault 1.4.0 1267 Thursday, April 9, 2020 Approved

0.6.1 (August 22, 2016)

DEPRECATIONS/BREAKING CHANGES:

  • Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to
    connect to the HA cluster. We recommend following our general upgrade
    instructions
    in
    addition to 0.6.1-specific upgrade instructions to ensure that this is not
    an issue.
  • Status codes for sealed/uninitialized Vaults have changed to 503/501
    respectively. See the version-specific upgrade
    guide
    for
    more details.
  • Root tokens (tokens with the root policy) can no longer be created except
    by another root token or the generate-root endpoint.
  • Issued certificates from the pki backend against new roles created or
    modified after upgrading will contain a set of default key usages.
  • The dynamodb physical data store no longer supports HA by default. It has
    some non-ideal behavior around failover that was causing confusion. See the
    documentation
    for information on enabling HA mode. It is very important that this
    configuration is added before upgrading.
  • The ldap backend no longer searches for memberOf groups as part of its
    normal flow. Instead, the desired group filter must be specified. This fixes
    some errors and increases speed for directories with different structures,
    but if this behavior has been relied upon, ensure that you see the upgrade
    notes before upgrading.
  • app-id is now deprecated with the addition of the new AppRole backend.
    There are no plans to remove it, but we encourage using AppRole whenever
    possible, as it offers enhanced functionality and can accommodate many more
    types of authentication paradigms.

FEATURES:

  • AppRole Authentication Backend: The approle backend is a
    machine-oriented authentication backend that provides a similar concept to
    App-ID while adding many missing features, including a pull model that
    allows for the backend to generate authentication credentials rather than
    requiring operators or other systems to push credentials in. It should be
    useful in many more situations than App-ID. The inclusion of this backend
    deprecates App-ID. [GH-1426]
  • Request Forwarding: Vault servers can now forward requests to each other
    rather than redirecting clients. This feature is off by default in 0.6.1 but
    will be on by default in the next release. See the HA concepts
    page
    for information on
    enabling and configuring it. [GH-443]
  • Convergent Encryption in Transit: The transit backend now supports a
    convergent encryption mode where the same plaintext will produce the same
    ciphertext. Although very useful in some situations, this has potential
    security implications, which are mostly mitigated by requiring the use of
    key derivation when convergent encryption is enabled. See the transit
    backend
    documentation

    for more details. [GH-1537]
  • Improved LDAP Group Filters: The ldap auth backend now uses templates
    to define group filters, providing the capability to support some
    directories that could not easily be supported before (especially specific
    Active Directory setups with nested groups). [GH-1388]
  • Key Usage Control in PKI: Issued certificates from roles created or
    modified after upgrading contain a set of default key usages for increased
    compatibility with OpenVPN and some other software. This set can be changed
    when writing a role definition. Existing roles are unaffected. [GH-1552]
  • Request Retrying in the CLI and Go API: Requests that fail with a 5xx
    error code will now retry after a backoff. The maximum total number of
    retries (including disabling this functionality) can be set with an
    environment variable. See the environment variable
    documentation

    for more details. [GH-1594]
  • Service Discovery in vault init: The new -auto option on vault init
    will perform service discovery using Consul. When only one node is discovered,
    it will be initialized and when more than one node is discovered, they will
    be output for easy selection. See vault init --help for more details. [GH-1642]
  • MongoDB Secret Backend: Generate dynamic unique MongoDB database
    credentials based on configured roles. Sponsored by
    CommerceHub. [GH-1414]
  • Circonus Metrics Integration: Vault can now send metrics to
    Circonus. See the configuration
    documentation
    for
    details. [GH-1646]

IMPROVEMENTS:

  • audit: Added a unique identifier to each request which will also be found in
    the request portion of the response. [GH-1650]
  • auth/aws-ec2: Added a new constraint bound_account_id to the role
    [GH-1523]
  • auth/aws-ec2: Added a new constraint bound_iam_role_arn to the role
    [GH-1522]
  • auth/aws-ec2: Added ttl field for the role [GH-1703]
  • auth/ldap, secret/cassandra, physical/consul: Clients with tls.Config
    have the minimum TLS version set to 1.2 by default. This is configurable.
  • auth/token: Added endpoint to list accessors [GH-1676]
  • auth/token: Added disallowed_policies option to token store roles [GH-1681]
  • auth/token: root or sudo tokens can now create periodic tokens via
    auth/token/create; additionally, the same token can now be periodic and
    have an explicit max TTL [GH-1725]
  • build: Add support for building on Solaris/Illumos [GH-1726]
  • cli: Output formatting in the presence of warnings in the response object
    [GH-1533]
  • cli: vault auth command supports a -path option to take in the path at
    which the auth backend is enabled, thereby allowing authenticating against
    different paths using the command options [GH-1532]
  • cli: vault auth -methods will now display the config settings of the mount
    [GH-1531]
  • cli: vault read/write/unwrap -field now allows selecting token response
    fields [GH-1567]
  • cli: vault write -field now allows selecting wrapped response fields
    [GH-1567]
  • command/status: Version information and cluster details added to the output
    of vault status command [GH-1671]
  • core: Response wrapping is now enabled for login endpoints [GH-1588]
  • core: The duration of leadership is now exported via events through
    telemetry [GH-1625]
  • core: sys/capabilities-self is now accessible as part of the default
    policy [GH-1695]
  • core: sys/renew is now accessible as part of the default policy [GH-1701]
  • core: Unseal keys will now be returned in both hex and base64 forms, and
    either can be used [GH-1734]
  • core: Responses from most /sys endpoints now return normal api.Secret
    structs in addition to the values they carried before. This means that
    response wrapping can now be used with most authenticated /sys operations
    [GH-1699]
  • physical/etcd: Support ETCD_ADDR env var for specifying addresses [GH-1576]
  • physical/consul: Allowing additional tags to be added to Consul service
    registration via service_tags option [GH-1643]
  • secret/aws: Listing of roles is supported now [GH-1546]
  • secret/cassandra: Add connect_timeout value for Cassandra connection
    configuration [GH-1581]
  • secret/mssql,mysql,postgresql: Reading of connection settings is supported
    in all the sql backends [GH-1515]
  • secret/mysql: Added optional maximum idle connections value to MySQL
    connection configuration [GH-1635]
  • secret/mysql: Use a combination of the role name and token display name in
    generated user names and allow the length to be controlled [GH-1604]
  • secret/{cassandra,mssql,mysql,postgresql}: SQL statements can now be passed
    in via one of four ways: a semicolon-delimited string, a base64-delimited
    string, a serialized JSON string array, or a base64-encoded serialized JSON
    string array [GH-1686]
  • secret/ssh: Added allowed_roles to vault-ssh-helper's config and returning
    role name as part of response of verify API
  • secret/ssh: Added passthrough of command line arguments to ssh [GH-1680]
  • sys/health: Added version information to the response of health status
    endpoint [GH-1647]
  • sys/health: Cluster information isbe returned as part of health status when
    Vault is unsealed [GH-1671]
  • sys/mounts: MountTable data is compressed before serializing to accommodate
    thousands of mounts [GH-1693]
  • website: The token
    concepts
    page has
    been completely rewritten [GH-1725]

BUG FIXES:

  • auth/aws-ec2: Added a nil check for stored whitelist identity object
    during renewal [GH-1542]
  • auth/cert: Fix panic if no client certificate is supplied [GH-1637]
  • auth/token: Don't report that a non-expiring root token is renewable, as
    attempting to renew it results in an error [GH-1692]
  • cli: Don't retry a command when a redirection is received [GH-1724]
  • core: Fix regression causing status codes to be 400 in most non-5xx error
    cases [GH-1553]
  • core: Fix panic that could occur during a leadership transition [GH-1627]
  • physical/postgres: Remove use of prepared statements as this causes
    connection multiplexing software to break [GH-1548]
  • physical/consul: Multiple Vault nodes on the same machine leading to check ID
    collisions were resulting in incorrect health check responses [GH-1628]
  • physical/consul: Fix deregistration of health checks on exit [GH-1678]
  • secret/postgresql: Check for existence of role before attempting deletion
    [GH-1575]
  • secret/postgresql: Handle revoking roles that have privileges on sequences
    [GH-1573]
  • secret/postgresql(,mysql,mssql): Fix incorrect use of database over
    transaction object which could lead to connection exhaustion [GH-1572]
  • secret/pki: Fix parsing CA bundle containing trailing whitespace [GH-1634]
  • secret/pki: Fix adding email addresses as SANs [GH-1688]
  • secret/pki: Ensure that CRL values are always UTC, per RFC [GH-1727]
  • sys/seal-status: Fixed nil Cluster object while checking seal status [GH-1715]

Previous Releases

For more information on previous releases, check out the changelog on GitHub.


This package has no dependencies.

Discussion for the Vault Package

Ground Rules:

  • This discussion is only about Vault and the Vault package. If you have feedback for Chocolatey, please contact the Google Group.
  • This discussion will carry over multiple versions. If you have a comment about a particular version, please note that in your comments.
  • The maintainers of this Chocolatey Package will be notified about new comments that are posted to this Disqus thread, however, it is NOT a guarantee that you will get a response. If you do not hear back from the maintainers after posting a message below, please follow up by using the link on the left side of this page or follow this link to contact maintainers. If you still hear nothing back, please follow the package triage process.
  • Tell us what you love about the package or Vault, or tell us what needs improvement.
  • Share your experiences with the package, or extra configuration or gotchas that you've found.
  • If you use a url, the comment will be flagged for moderation until you've been whitelisted. Disqus moderated comments are approved on a weekly schedule if not sooner. It could take between 1-5 days for your comment to show up.
comments powered by Disqus