From 712934a15fd839056ec1814d54c214101ecc308d Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Wed, 15 Mar 2023 10:43:18 -0400 Subject: [PATCH] backport of commit 3b153526e1d57f4d04a274541f3e748a07104f29 (#19553) Co-authored-by: Scott Miller --- .../content/docs/upgrading/upgrade-to-1.10.x.mdx | 2 ++ .../content/docs/upgrading/upgrade-to-1.11.x.mdx | 2 ++ .../content/docs/upgrading/upgrade-to-1.12.x.mdx | 2 ++ .../content/docs/upgrading/upgrade-to-1.13.x.mdx | 3 +++ .../partials/tokenization-rotation-persistence.mdx | 14 ++++++++++++++ 5 files changed, 23 insertions(+) create mode 100644 website/content/partials/tokenization-rotation-persistence.mdx diff --git a/website/content/docs/upgrading/upgrade-to-1.10.x.mdx b/website/content/docs/upgrading/upgrade-to-1.10.x.mdx index e5b941f951a6..15dd4db04477 100644 --- a/website/content/docs/upgrading/upgrade-to-1.10.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.10.x.mdx @@ -91,6 +91,8 @@ to understand how the built-in resources are used in the system. @include 'raft-panic-old-tls-key.mdx' +@include 'tokenization-rotation-persistence.mdx' + ### Errors returned by perf standbys lagging behind active node with Consul storage The introduction of [Server Side Consistent Tokens](/vault/docs/faq/ssct) means that diff --git a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx index 3f0400390661..e9d70c358993 100644 --- a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx @@ -26,3 +26,5 @@ API path by setting the [bool config option](/vault/api-docs/secret/databases/el ## Known Issues @include 'raft-retry-join-failure.mdx' + +@include 'tokenization-rotation-persistence.mdx' \ No newline at end of file 
diff --git a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx index f36f575875ec..13b716f17d88 100644 --- a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx @@ -180,3 +180,5 @@ As a workaround, OCSP POST requests can be used which are unaffected. #### Impacted Versions Affects version 1.12.3. A fix will be released in 1.12.4. + +@include 'tokenization-rotation-persistence.mdx' diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx index b66a1d2530c7..bdef4b5eea5c 100644 --- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx @@ -29,3 +29,6 @@ The AliCloud auth plugin will now require the `role` parameter on login. This has always been documented as a required field but the requirement will now be enforced. +## Known Issues + +@include 'tokenization-rotation-persistence.mdx' \ No newline at end of file diff --git a/website/content/partials/tokenization-rotation-persistence.mdx b/website/content/partials/tokenization-rotation-persistence.mdx new file mode 100644 index 000000000000..25fca2906c56 --- /dev/null +++ b/website/content/partials/tokenization-rotation-persistence.mdx 
@@ -0,0 +1,14 @@ +### Rotation configuration persistence issue could lose Transform Tokenization key versions + +A rotation performed manually or via automatic time based rotation after +restarting or leader change of Vault, where configuration of rotation was +changed since the initial configuration of the tokenization transform can +result in the loss of intermediate key versions. Tokenized values from +these versions would not be decodeable. It is recommended that customers +who have enabled automatic rotation disable it, and other customers avoid +key rotation until the upcoming fix. + +#### Affected Versions + +This issue affects Vault Enterprise with ADP versions 1.10.x and higher. A +fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.
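Review bot: the `@include 'tokenization-rotation-persistence.mdx'` appended to upgrade-to-1.11.x.mdx is flagged `\ No newline at end of file`; terminate the file with a trailing newline so the next entry added under `## Known Issues` yields a clean hunk instead of a change to this line.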
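Review bot: same missing trailing newline in upgrade-to-1.13.x.mdx after the new `@include` line; the added `## Known Issues` heading matches the level used in upgrade-to-1.11.x.mdx, so only the newline needs fixing.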
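Review bot: the "Affected Versions" paragraph in the new partial states the issue affects "1.10.x and higher" but lists fixes only for 1.11.9, 1.12.5 and 1.13.1, while the same partial is included in upgrade-to-1.10.x.mdx; say explicitly whether a 1.10.x release will carry the fix or whether 1.10.x users are expected to upgrade. Also tidy the wording: "automatic time based rotation" should be "automatic time-based rotation", "decodeable" should be "decodable", and the first sentence is a run-on ("A rotation performed manually or via automatic time based rotation after restarting or leader change of Vault, where configuration of rotation was changed ...") that reads more clearly split into the precondition (rotation settings changed after initial configuration) and the trigger (a rotation following a restart or leader change).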