Add the Tokenization/Rotation persistence issue as a Known Issue (#19542

) * typo
hashicorp · Mar 15, 2023 · eb14753 · eb14753
1 parent 168ad5a
commit eb14753
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/website/content/docs/upgrading/upgrade-to-1.10.x.mdx b/website/content/docs/upgrading/upgrade-to-1.10.x.mdx
@@ -91,7 +91,9 @@ to understand how the built-in resources are used in the system.
 
 @include 'raft-panic-old-tls-key.mdx'
 
-## Errors returned by perf standbys lagging behind active node with Consul storage
+@include 'tokenization-rotation-persistence.mdx'
+
+### Errors returned by perf standbys lagging behind active node with Consul storage
 
 The introduction of [Server Side Consistent Tokens](/docs/faq/ssct) means that
 when issuing a request to a perf standby right after having obtained a token (e.g.

diff --git a/website/content/partials/tokenization-rotation-persistence.mdx b/website/content/partials/tokenization-rotation-persistence.mdx
@@ -0,0 +1,14 @@
+### Rotation configuration persistence issue could lose Transform Tokenization key versions
+
+A rotation performed manually or via automatic time based rotation after
+restarting or leader change of Vault, where configuration of rotation was
+changed since the initial configuration of the tokenization transform can
+result in the loss of intermediate key versions.  Tokenized values from
+these versions would not be decodeable.  It is recommended that customers
+who have enabled automatic rotation disable it, and other customers avoid
+key rotation until the upcoming fix.
+
+#### Affected Versions
+
+This issue affects Vault Enterprise with ADP versions 1.10.x and higher.  A
+fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.