Add the Tokenization/Rotation persistence issue as a Known Issue (#19542)

* Note the known issue with rotation interaction with tokenization key policy persistence * typo
2023-03-15 09:42:02 -05:00 · 2023-03-15 09:42:02 -05:00 · de31641aea
parent fdd38deb49
commit de31641aea
5 changed files with 23 additions and 0 deletions
--- a/website/content/docs/upgrading/upgrade-to-1.10.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.10.x.mdx
@ -91,6 +91,8 @@ to understand how the built-in resources are used in the system.

@include 'raft-panic-old-tls-key.mdx'

+@include 'tokenization-rotation-persistence.mdx'
+
 ### Errors returned by perf standbys lagging behind active node with Consul storage

 The introduction of [Server Side Consistent Tokens](/vault/docs/faq/ssct) means that
--- a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
@ -26,3 +26,5 @@ API path by setting the [bool config option](/vault/api-docs/secret/databases/el
 ## Known Issues

@include 'raft-retry-join-failure.mdx'
+
+@include 'tokenization-rotation-persistence.mdx'
--- a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
@ -180,3 +180,5 @@ As a workaround, OCSP POST requests can be used which are unaffected.
 #### Impacted Versions

 Affects version 1.12.3. A fix will be released in 1.12.4.
+
+@include 'tokenization-rotation-persistence.mdx'
--- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx
@ -29,3 +29,6 @@ The AliCloud auth plugin will now require the `role` parameter on login. This
 has always been documented as a required field but the requirement will now be
 enforced.

+## Known Issues
+
+@include 'tokenization-rotation-persistence.mdx'
--- a/website/content/partials/tokenization-rotation-persistence.mdx
+++ b/website/content/partials/tokenization-rotation-persistence.mdx
@ -0,0 +1,14 @@
+### Rotation configuration persistence issue could lose Transform Tokenization key versions
+
+A rotation performed manually or via automatic time based rotation after
+restarting or leader change of Vault, where configuration of rotation was
+changed since the initial configuration of the tokenization transform can
+result in the loss of intermediate key versions.  Tokenized values from
+these versions would not be decodeable.  It is recommended that customers
+who have enabled automatic rotation disable it, and other customers avoid
+key rotation until the upcoming fix.
+
+#### Affected Versions
+
+This issue affects Vault Enterprise with ADP versions 1.10.x and higher.  A
+fix will be released in Vault 1.11.9, 1.12.5, and 1.13.1.