Skip to content

Commit

Permalink
Add the Tokenization/Rotation persistence issue as a Known Issue (#19542
Browse files Browse the repository at this point in the history
)

* Note the known issue with rotation interaction with tokenization key policy persistence

* typo
  • Loading branch information
sgmiller authored Mar 15, 2023
1 parent c4f9648 commit 3b15352
Show file tree
Hide file tree
Showing 5 changed files with 23 additions and 0 deletions.
2 changes: 2 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.10.x.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,8 @@ to understand how the built-in resources are used in the system.

@include 'raft-panic-old-tls-key.mdx'

@include 'tokenization-rotation-persistence.mdx'

### Errors returned by perf standbys lagging behind active node with Consul storage

The introduction of [Server Side Consistent Tokens](/vault/docs/faq/ssct) means that
Expand Down
2 changes: 2 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.11.x.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,5 @@ API path by setting the [bool config option](/vault/api-docs/secret/databases/el
## Known Issues

@include 'raft-retry-join-failure.mdx'

@include 'tokenization-rotation-persistence.mdx'
2 changes: 2 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.12.x.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -180,3 +180,5 @@ As a workaround, OCSP POST requests can be used which are unaffected.
#### Impacted Versions

Affects version 1.12.3. A fix will be released in 1.12.4.

@include 'tokenization-rotation-persistence.mdx'
3 changes: 3 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.13.x.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,6 @@ The AliCloud auth plugin will now require the `role` parameter on login. This
has always been documented as a required field but the requirement will now be
enforced.

## Known Issues

@include 'tokenization-rotation-persistence.mdx'
14 changes: 14 additions & 0 deletions website/content/partials/tokenization-rotation-persistence.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
### Rotation configuration persistence issue could lose Transform Tokenization key versions

A rotation performed manually or via automatic time based rotation after
restarting or leader change of Vault, where configuration of rotation was
changed since the initial configuration of the tokenization transform can
result in the loss of intermediate key versions. Tokenized values from
these versions would not be decodeable. It is recommended that customers
who have enabled automatic rotation disable it, and other customers avoid
key rotation until the upcoming fix.

#### Affected Versions

This issue affects Vault Enterprise with ADP versions 1.10.x and higher. A
fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.

0 comments on commit 3b15352

Please sign in to comment.