Merged
50 changes: 50 additions & 0 deletions content/vault/v1.21.x (rc)/content/docs/deploy/why-use-tls.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
layout: docs
page_title: Why use TLS?
description: >-
Understand the benefits of securing your Vault clusters with end-to-end TLS.
---

# Why use TLS?

You can enhance the overall security posture of your Vault cluster when you
secure communications with TLS to ensure that data transmitted between Vault
nodes and clients remains confidential and tamper-proof.

@include 'ld-images/deploy/secure-vault-tls.mdx'

Use mutual TLS with your Vault cluster deployments to protect sensitive data and
prevent unauthorized access with enhanced compliance, governance, auditing
capabilities, and incident response.

## TLS benefits

- **Improved data protection**.
TLS prevents unauthorized access or communication with the Vault cluster to
ensure data availability based on your security policies. TLS also protects
sensitive data in transit to prevent interception or tampering.

- **Strong identity verification**.
Vault cluster nodes and clients verify identities from TLS certificates before
communicating to enable trusted operations and prevent impersonation.

- **Improved compliance and governance**.
Implementing mutual TLS in your Vault clusters aligns your deployments with
industry best practices and regulatory requirements like HIPAA, PCI-DSS, and
others.

- **Reduce risk of data leaks**.
When you operate Vault clusters with mutual TLS enabled, you minimize the risk
of data leaks and unauthorized access to sensitive information.

- **Improved incident response**.
Mutual TLS helps to limit the exposure or damage from unauthorized access to
sensitive data stored in Vault, which makes incident response more
straightforward.

## TLS resources

- [Default Vault TLS configuration](/vault/docs/configuration/listener/tcp#default-tls-configuration)
- [Configure TLS for your Vault TCP listener](/vault/docs/configuration/listener/tcp/tcp-tls)
- [Vault installation to minikube via Helm with TLS enabled](/vault/tutorials/kubernetes/kubernetes-minikube-tls)
- [Medium blog: Enabling TLS on your Vault cluster on Kubernetes](https://medium.com/@martin.hodges/enabling-tls-on-your-vault-cluster-on-kubernetes-0d20439b13d0)
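Review bot: the "Improved data protection" bullet ("TLS prevents unauthorized access or communication with the Vault cluster to ensure data availability based on your security policies") credits TLS with availability, which it does not provide; TLS gives the connection confidentiality, integrity and peer authentication, and availability depends on other controls. Suggest rewording to something like "TLS authenticates peers and protects sensitive data in transit against interception or tampering". The page also moves between "TLS" in the intro and "mutual TLS" in the Compliance, Data leaks and Incident response bullets without saying what mutual TLS adds; one sentence stating that server-side TLS authenticates Vault to its clients while mutual TLS additionally requires clients to present a certificate would make the recommendation concrete. Finally, the last resource is an external Medium post, which can go stale; consider whether an official tutorial covers the same Kubernetes setup and, if not, mark the link as third-party.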
Expand Up @@ -33,7 +33,7 @@ Step-by-step instructions:
- [Restore a snapshot](/vault/docs/sysadmin/snapshots/restore)
- [Recover discrete secrets in a replicated environment](/vault/docs/sysadmin/snapshots/recover-a-secret/replicated-cluster) <EnterpriseAlert inline="true" />
- [Recover discrete secrets in a non-replicated environment](/vault/docs/sysadmin/snapshots/recover-a-secret/single-cluster) <EnterpriseAlert inline="true" />
- [Automate snapshots](/vault/docs/sysadmin/snapshots/recover-a-secret) <EnterpriseAlert inline="true" />
- [Automate snapshots](/vault/docs/sysadmin/snapshots/automate) <EnterpriseAlert inline="true" />
- [Recover discrete secrets](/vault/docs/sysadmin/snapshots/recover-a-secret) <EnterpriseAlert inline="true" />

</Tab>
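Review bot: the corrected target `/vault/docs/sysadmin/snapshots/automate` for "Automate snapshots" replaces a path copied from the neighbouring "Recover discrete secrets" entry, so it is worth confirming that the `automate` page exists in this PR or already in the tree before merging, since the original mistake was exactly an unchecked link. The list also ends with a general "Recover discrete secrets" entry under the same `recover-a-secret` prefix as the two environment-specific entries above it; if that page is the landing page for both, listing it before them would read more naturally.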
Expand All @@ -59,4 +59,4 @@ Detailed tutorials:

</Tab>

</Tabs>
</Tabs>
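Review bot: this hunk replaces `</Tabs>` with an identical `</Tabs>`, which in the rendered view usually means a trailing-newline-only change; harmless, but confirm it is intentional so the PR does not carry whitespace-only churn in a file whose content is otherwise untouched.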
@@ -0,0 +1,2 @@
![Secure Vault intra-cluster and inter-cluster communications with TLS](/img/diagram-secure-vault-tls-dark.png#dark-theme-only)
![Secure Vault intra-cluster and inter-cluster communications with TLS](/img/diagram-secure-vault-tls.png#light-theme-only)
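Review bot: the file header for this new partial is not visible in the rendered diff, so confirm its path matches the `@include 'ld-images/deploy/secure-vault-tls.mdx'` reference in `why-use-tls.mdx`, and that both `/img/diagram-secure-vault-tls-dark.png` and `/img/diagram-secure-vault-tls.png` are added in this PR, since a missing image or a mismatched include path will not fail the build until the page renders. The alt text is identical for both theme variants, which is correct; the `#dark-theme-only` / `#light-theme-only` fragments assume the site's theme-switching image handling, so this partial should follow the same pattern as other `ld-images` partials.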
Expand Up @@ -8,7 +8,7 @@
defining the schedule on which Vault should rotate the root token. Standard
cron-style time format uses five fields to define the minute, hour, day of
month, month, and day of week respectively. For example, `0 0 * * SAT` tells
Vault to rotate the root token every Saturday at 00:00. Vault interprets the schedule in UTC.
Vault to rotate the root token every Saturday at 00:00. In 1.20.5 or later, Vault interprets the schedule in UTC.
**You must set one of `rotation_schedule` or `rotation_period`, but cannot set both**.
- `rotation_window` `(string/integer: 0)` – <EnterpriseAlert product="vault" inline />
The maximum amount of time, in seconds, allowed to complete
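Review bot: the new sentence "In 1.20.5 or later, Vault interprets the schedule in UTC" implies that earlier versions interpret it differently but does not say how, which is the detail an operator on an older release needs to know; suggest stating what earlier versions use and naming the product explicitly, e.g. "Vault 1.20.5 and later interpret the schedule in UTC; earlier versions use <previous behaviour>", ideally with a link to the corresponding release note. Placing the version qualifier ahead of the behaviour also reads as if UTC were a new option rather than a changed default, so wording it as a behaviour change would be clearer.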