diff --git a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx index 11ca5ae75d34..88fa223eba51 100644 --- a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx @@ -235,4 +235,5 @@ more details, and information about opt-out. @include 'known-issues/manual-entity-merge-does-not-persist.mdx' +@include 'known-issues/duplicate-hsm-key.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx index b034b6b36280..bb9b7a20d2f6 100644 --- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx @@ -200,4 +200,10 @@ more details, and information about opt-out. @include 'known-issues/manual-entity-merge-does-not-persist.mdx' -@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx' \ No newline at end of file +@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx' + +@include 'known-issues/aws-auth-external-id.mdx' + +@include 'known-issues/sync-activation-flags-cache-not-updated.mdx' + +@include 'known-issues/duplicate-hsm-key.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.18.x.mdx b/website/content/docs/upgrading/upgrade-to-1.18.x.mdx index 7a43e8ec0096..f00c4048dd81 100644 --- a/website/content/docs/upgrading/upgrade-to-1.18.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.18.x.mdx @@ -138,3 +138,7 @@ reports if manual reporting is preferred. See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for more details, and information about opt-out. + +## Known issues and workarounds + +@include 'known-issues/duplicate-hsm-key.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.19.x.mdx b/website/content/docs/upgrading/upgrade-to-1.19.x.mdx new file mode 100644 index 000000000000..313d4e993ffc --- /dev/null 
+++ b/website/content/docs/upgrading/upgrade-to-1.19.x.mdx 
@@ -0,0 +1,47 @@ +--- +layout: docs +page_title: Upgrade to Vault 1.19.x - Guides +description: |- + Deprecations, important or breaking changes, and remediation recommendations + for anyone upgrading to 1.19.x from Vault 1.18.x. +--- + +# Overview + +The Vault 1.19.x upgrade guide contains information on deprecations, important +or breaking changes, and remediation recommendations for anyone upgrading from +Vault 1.18. **Please read carefully**. + +## Important changes + +### Transit support for Ed25519ph and Ed25519ctx signatures + +**NOTE**: This only applies to Transit Ed25519 keys. + +On prior versions of Vault, when the sign and verify API endpoints backed by an Ed25519 +key received the prehashed=true or the hash_algorithm=sha2-512 parameters they were ignored, +returning back or verifying a Pure Ed25519 signature. As of 1.19.x, setting these values +on Enterprise editions of Vault will now return an Ed25519ph signature and assume the +input has been hashed using the SHA-512 algorithm. + +If neither prehashed nor hash_algorithm values are provided, the existing default of using +Pure Ed25519 signatures remains unchanged for both Enterprise and CE Vault editions. The change +is if those values had been overridden they were previously ignored but now will be enforced +based on the table below. 
+ +| Vault Edition | prehashed | hash_algorithm | 1.19.x Signature | Previous Vault Versions Signature | +|:--------------|:----------|:------------------------------|:-------------------------------------------|:----------------------------------| +| Enterprise | not set | not set | Pure Ed25519 | Pure Ed25519 | +| Enterprise | false | any value other than sha2-512 | Pure Ed25519 | Pure Ed25519 | +| Enterprise | false | sha2-512 | An error is returned | Pure Ed25519 | +| Enterprise | true | any value other than sha2-512 | An error is returned | Pure Ed25519 | +| Enterprise | true | sha2-512 | Ed25519ph | Pure Ed25519 | +| CE | not set | not set | Pure Ed25519 | Pure Ed25519 | +| CE | false | any value other than sha2-512 | Pure Ed25519 | Pure Ed25519 | +| CE | false | sha2-512 | An error is returned | Pure Ed25519 | +| CE | true | any value other than sha2-512 | An error is returned | Pure Ed25519 | +| CE | true | sha2-512 | An error is returned (not supported on CE) | Pure Ed25519 | + +## Known issues and workarounds + +@include 'known-issues/duplicate-hsm-key.mdx' diff --git a/website/content/partials/known-issues/duplicate-hsm-key.mdx b/website/content/partials/known-issues/duplicate-hsm-key.mdx new file mode 100644 index 000000000000..89e1049760f5 --- /dev/null +++ b/website/content/partials/known-issues/duplicate-hsm-key.mdx 
@@ -0,0 +1,13 @@ +### Seal/Seal Wrapped - Duplicate HSM Keys + +#### Affected Versions +- All versions that support migration from Shamir to HSM-backed unseal/seal wrap in HSM-HA configurations. + +#### Issue +During a migration from Shamir to an HSM-backed unseal configuration with HSM - High Availability (HA), duplicate HSM keys may be created. +These issues can occur even after a seal migration to HSM that initially appeared successful. The root cause is under investigation, with potential links to key handling during HA configuration or migration processes. +- Unseal failures: Nodes may fail to unseal after a restart, with errors such as CKR_DATA_INVALID. +- Duplicate HSM keys: These may be created, resulting in intermittent read failures with errors such as CKR_SIGNATURE_INVALID and CKR_KEY_HANDLE_INVALID for any seal wrapped value - see /vault/docs/enterprise/sealwrap#wrapped-parameters. + +#### Workaround +As a workaround, always run Vault with `generate_key = false`, creating the required keys within the HSM manually during the setup process.
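Review bot: In the upgrade-to-1.17.x.mdx hunk, `aws-auth-external-id.mdx` and `sync-activation-flags-cache-not-updated.mdx` are added to the 1.17.x guide only, while `duplicate-hsm-key.mdx` is added to every guide from 1.16.x through 1.19.x. If the AWS auth external ID and secrets sync activation-flag cache issues are fixed in 1.18.0, the partials should say so in their affected-versions lists; if they are not, the new 1.18.x and 1.19.x "Known issues and workarounds" sections should include them as well, otherwise an operator upgrading straight from 1.17 to 1.18 or 1.19 never sees them. Restoring the missing trailing newline on the `1_17_secrets-sync-ssrf-private-endpoints.mdx` include line is a good side fix.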
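Review bot: In the new upgrade-to-1.19.x.mdx file, the prose says the new behaviour applies to "Enterprise editions of Vault", but the table shows CE changes too: `prehashed=true` or `hash_algorithm=sha2-512`, previously ignored, now return an error on CE. That is a breaking change for any CE client that has been passing those parameters, and it should be stated in the paragraph, not left to the last table rows; suggest something like "On CE these parameters are no longer ignored and now return an error; on Enterprise `prehashed=true` with `hash_algorithm=sha2-512` produces an Ed25519ph signature." The guide should also spell out the verification consequence: a signature produced on 1.18 with `prehashed=true` and `hash_algorithm=sha2-512` is a Pure Ed25519 signature over the submitted input, and after the upgrade a verify call with the same parameters performs Ed25519ph verification, so those existing signatures will fail to verify (or error on CE) until callers drop the parameters. A one-line recommendation to audit Transit clients for these parameters before upgrading would help. Two smaller points: the heading names Ed25519ctx, but nothing in the text or table describes any context handling, so either document it or limit the heading to Ed25519ph; and parameter names such as `prehashed=true` and `hash_algorithm=sha2-512` should be in backticks like the rest of the docs ("returning back" should also read "returning").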
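Review bot: In the new duplicate-hsm-key.mdx partial, the workaround (`generate_key = false` with keys created in the HSM manually) only prevents new migrations from hitting the issue; it gives no guidance for a cluster that is already seeing `CKR_DATA_INVALID` or `CKR_KEY_HANDLE_INVALID`, which is the reader most likely to land on this section. Please state what an affected operator should do, or at least that they should open a support case rather than attempt to delete one of the duplicate keys. The workaround should also say that with `generate_key = false` Vault expects keys with the configured labels to already exist at initialization or migration time, so they must be created before the seal migration is started, and by which label parameter they are referenced. Three documentation points: "All versions that support migration from Shamir to HSM-backed unseal/seal wrap in HSM-HA configurations" is not an affected-versions list in the sense the other partials use, so give concrete version ranges (and note this is Enterprise-only, since HSM seals are); the bare `/vault/docs/enterprise/sealwrap#wrapped-parameters` should be a markdown link like the other known-issue partials; and the heading "Seal/Seal Wrapped - Duplicate HSM Keys" would read better as "Duplicate HSM keys after seal migration" or similar.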