mirror of
https://github.com/hashicorp/vault.git
synced 2025-11-20 02:01:37 +01:00
d23892d803
* Add known issue for hsm duplicate * update wording * swap: * more clarification * clean up * clean up * clean up * reorder * reorder * link
48 lines
3.0 KiB
Plaintext
48 lines
3.0 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Upgrade to Vault 1.19.x - Guides
|
|
description: |-
|
|
Deprecations, important or breaking changes, and remediation recommendations
|
|
for anyone upgrading to 1.19.x from Vault 1.18.x.
|
|
---
|
|
|
|
# Overview
|
|
|
|
The Vault 1.19.x upgrade guide contains information on deprecations, important
|
|
or breaking changes, and remediation recommendations for anyone upgrading from
|
|
Vault 1.18. **Please read carefully**.
|
|
|
|
## Important changes
|
|
|
|
### Transit support for Ed25519ph and Ed25519ctx signatures
|
|
|
|
**NOTE**: This only applies to Transit Ed25519 keys.
|
|
|
|
On prior versions of Vault, when the sign and verify API endpoints backed by an Ed25519
|
|
key received the prehashed=true or the hash_algorithm=sha2-512 parameters they were ignored,
|
|
returning back or verifying a Pure Ed25519 signature. As of 1.19.x, setting these values
|
|
on Enterprise editions of Vault will now return an Ed25519ph signature and assume the
|
|
input has been hashed using the SHA-512 algorithm.
|
|
|
|
If neither prehashed nor hash_algorithm values are provided, the existing default of using
|
|
Pure Ed25519 signatures remains unchanged for both Enterprise and CE Vault editions. The change
|
|
is if those values had been overridden they were previously ignored but now will be enforced
|
|
based on the table below.
|
|
|
|
| Vault Edition | prehashed | hash_algorithm | 1.19.x Signature | Previous Vault Versions Signature |
|
|
|:--------------|:----------|:------------------------------|:-------------------------------------------|:----------------------------------|
|
|
| Enterprise | not set | not set | Pure Ed25519 | Pure Ed25519 |
|
|
| Enterprise | false | any value other than sha2-512 | Pure Ed25519 | Pure Ed25519 |
|
|
| Enterprise | false | sha2-512 | An error is returned | Pure Ed25519 |
|
|
| Enterprise | true | any value other than sha2-512 | An error is returned | Pure Ed25519 |
|
|
| Enterprise | true | sha2-512 | Ed25519ph | Pure Ed25519 |
|
|
| CE | not set | not set | Pure Ed25519 | Pure Ed25519 |
|
|
| CE | false | any value other than sha2-512 | Pure Ed25519 | Pure Ed25519 |
|
|
| CE | false | sha2-512 | An error is returned | Pure Ed25519 |
|
|
| CE | true | any value other than sha2-512 | An error is returned | Pure Ed25519 |
|
|
| CE | true | sha2-512 | An error is returned (not supported on CE) | Pure Ed25519 |
|
|
|
|
## Known issues and workarounds
|
|
|
|
@include 'known-issues/duplicate-hsm-key.mdx'
|