hashicorp · hc-github-team-secure-vault-core · Jan 29, 2025 · Nov 25, 2024
@@ -235,4 +235,5 @@ more details, and information about opt-out.
 
 @include 'known-issues/manual-entity-merge-does-not-persist.mdx'
 
+@include 'known-issues/duplicate-hsm-key.mdx'
 
@@ -200,4 +200,10 @@ more details, and information about opt-out.
 
 @include 'known-issues/manual-entity-merge-does-not-persist.mdx'
 
-@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx'
+@include 'known-issues/1_17_secrets-sync-ssrf-private-endpoints.mdx'
+
+@include 'known-issues/aws-auth-external-id.mdx'
+
+@include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
+
+@include 'known-issues/duplicate-hsm-key.mdx'
@@ -138,3 +138,7 @@ reports if manual reporting is preferred.
 
 See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for
 more details, and information about opt-out.
+
+## Known issues and workarounds
+
+@include 'known-issues/duplicate-hsm-key.mdx'
@@ -0,0 +1,47 @@
+---
+layout: docs
+page_title: Upgrade to Vault 1.19.x - Guides
+description: |-
+  Deprecations, important or breaking changes, and remediation recommendations
+  for anyone upgrading to 1.19.x from Vault 1.18.x.
+---
+
+# Overview
+
+The Vault 1.19.x upgrade guide contains information on deprecations, important
+or breaking changes, and remediation recommendations for anyone upgrading from
+Vault 1.18. **Please read carefully**.
+
+## Important changes
+
+### Transit support for Ed25519ph and Ed25519ctx signatures
+
+**NOTE**: This only applies to Transit Ed25519 keys.
+
+On prior versions of Vault, when the sign and verify API endpoints backed by an Ed25519
+key received the prehashed=true or the hash_algorithm=sha2-512 parameters they were ignored,
+returning back or verifying a Pure Ed25519 signature. As of 1.19.x, setting these values
+on Enterprise editions of Vault will now return an Ed25519ph signature and assume the
+input has been hashed using the SHA-512 algorithm.
+
+If neither prehashed nor hash_algorithm values are provided, the existing default of using
+Pure Ed25519 signatures remains unchanged for both Enterprise and CE Vault editions. The change
+is if those values had been overridden they were previously ignored but now will be enforced
+based on the table below.
+
+| Vault Edition | prehashed | hash_algorithm                | 1.19.x Signature                           | Previous Vault Versions Signature |
+|:--------------|:----------|:------------------------------|:-------------------------------------------|:----------------------------------|
+| Enterprise    | not set   | not set                       | Pure Ed25519                               | Pure Ed25519                      |
+| Enterprise    | false     | any value other than sha2-512 | Pure Ed25519                               | Pure Ed25519                      |
+| Enterprise    | false     | sha2-512                      | An error is returned                       | Pure Ed25519                      |
+| Enterprise    | true      | any value other than sha2-512 | An error is returned                       | Pure Ed25519                      |
+| Enterprise    | true      | sha2-512                      | Ed25519ph                                  | Pure Ed25519                      |
+| CE            | not set   | not set                       | Pure Ed25519                               | Pure Ed25519                      |
+| CE            | false     | any value other than sha2-512 | Pure Ed25519                               | Pure Ed25519                      |
+| CE            | false     | sha2-512                      | An error is returned                       | Pure Ed25519                      |
+| CE            | true      | any value other than sha2-512 | An error is returned                       | Pure Ed25519                      |
+| CE            | true      | sha2-512                      | An error is returned (not supported on CE) | Pure Ed25519                      |
+
+## Known issues and workarounds
+
+@include 'known-issues/duplicate-hsm-key.mdx'
@@ -0,0 +1,13 @@
+### Seal/Seal Wrapped - Duplicate HSM Keys
+
+#### Affected Versions
+- All versions that support migration from Shamir to HSM-backed unseal/seal wrap in HSM-HA configurations.
+
+#### Issue
+During a migration from Shamir to an HSM-backed unseal configuration with HSM - High Availability (HA), duplicate HSM keys may be created.
+These issues can occur even after a seal migration to HSM that initially appeared successful. The root cause is under investigation, with potential links to key handling during HA configuration or migration processes.
+- Unseal failures: Nodes may fail to unseal after a restart, with errors such as CKR_DATA_INVALID.
+- Duplicate HSM keys: These may be created, resulting in intermittent read failures with errors such as CKR_SIGNATURE_INVALID and CKR_KEY_HANDLE_INVALID for any seal wrapped value - see /vault/docs/enterprise/sealwrap#wrapped-parameters.
+
+#### Workaround
+As a workaround, always run Vault with `generate_key = false`, creating the required keys within the HSM manually during the setup process.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -235,4 +235,5 @@ more details, and information about opt-out.

		@include 'known-issues/manual-entity-merge-does-not-persist.mdx'

		@include 'known-issues/duplicate-hsm-key.mdx'