Safe v1.3.0

New Features

• SSH tunneling is now supported as a proxy. ssh+socks5:// is the scheme you'll
  want to use in your proxy environment variables to take advantage of this. For
  more information on how to use this, check out safe envvars

• SAFE_ALL_PROXY is now a supported environment variable - it will set the values
  for both HTTP_PROXY and HTTPS_PROXY.

Safe v1.2.1

Bug Fixes

• Upgraded to compiling with Go 1.12.6. This should fix some DNS timeout problems referenced by #185 (Thanks @geofffranks)

Safe v1.2.0

Bug Fixes

• Fix versions command description

New Features

• safe envvars - New command that displays available environment variables for use with safe

• Auto-mount secret on safe init and safe local - In more recent
  versions of Vault, secret is not mounted by default. Safe will ensure that
  the mount is created anyway unless the --no-mount option is given. The flag
  will not unmount an existing secret mount in versions of Vault which mount
  secret by default.

• safe auth approle - Added the ability to auth via AppRole

Safe v1.1.0

Bug Fixes

• safe target no longer cares if your current target is valid
  before overwriting it.

Breaking Changes

These are things that should have been done in 1.0.0 to maintain
backward compatibility with older versions of safe`s export calls.

• safe export will now make a v1-style export if it is able to.
  These can be imported by older versions of safe.
• safe export's --shallow and --only-alive flags are now the
  default behaviors. They can be flipped with the new --all and --deleted
  flags, respectively.

Safe v1.0.2

Bug Fixes

• safe commands no longer 403 when the auth token's policies does not have
  access to sys endpoints.
• paths and tree operations work correctly when the Vault has a secret at the
  root of a mount.

Safe v1.0.1

Bug Fixes

• safe paths without the --keys flag has output again.

Safe v1.0.0

New Features

• safe now supports the versioned KV v2 backend! (Fixes #138)
• Commands that write will append new versions to versioned backends.
• Commands that read will read the newest version (if undeleted) by default.
  Older versions can be read with the PATH^VERSION syntax
  (i.e. mysecret:mykey^2).
• Commands that delete will operate on the newest version by default. You can
  target specific versions with the PATH^VERSION syntax. By default, versions
  will be marked as deleted. They can be destroyed with the -D flag on safe delete.
  All versions of a secret can be targeted with the -a flag on safe delete.
• safe paths and safe tree now has a -q flag. Because scripts using paths have
  thus far assumed that only paths with accessible secrets will be returned, we need to
  make sure that this behavior was preserved by default. However, Vault returns deleted
  or destroyed secrets from list requests. Therefore, we have to make extra calls to make
  sure that the latest version of the secret is alive. -q (quick) skips those checks to
  get you a result faster, even though any secret with remaining metadata will be returned.
• safe versions is now a command. It shows all the existing version numbers for a
  secret with their respective states. v1 backends are abstracted as versioned backends
  that only ever have one living version.
• safe undelete is now a command. It undeletes a version that was marked as deleted.
  It errs if you try it on a v1 backend because I can't get your cert back and I'm sorry.
• safe revert reads in an older version and writes it as the newest version of a secret.
  It's a no-op if the newest version is specified. You can revert to versions marked as
  deleted with the -d flag. This will cause the version to be undeleted, read, and then
  redeleted. The resulting newest version will be left alive.

Improvements

• Operations which walk the tree recursively now operate concurrently. This can lead
  to a significant speed increase in environments where there is noticeable latency when
  communicating with the Vault server. See: tree, paths, delete -R, etc
• x509 reissue and x509 renew now show up in safe help x509
• safe curl's --data-only flag is now in the help (thanks, @lvets)
• We can safe local all the way up to Vault 1.0.1 (and possibly even beyond) (Fixes #171)
• safe tree / and safe paths / will now show all secrets across all KV mounts.

Bug Fixes

• We can read non-strings out of the Vault again (Fixes #178).
• safe rekey's key prompt is fixed and now won't just ask you for the first key n times

Breaking Changes

• Exports are now in a new format. While this version of safe can import versions of the old
  format, this version of safe will produce exports that older versions of safe will not be able
  to import.

Safe v0.9.9

Improvements

• safe local's internals have been updated to work with Vault 0.11.2+

Safe v0.9.8

New Features

• Safe honours the new $SAFE_TARGET environment variable to override the the safe target without using -T or calling safe target. This can be used for scripts that want to target a specific vault without modifying the user's current target in ~/.saferc

Safe v0.9.6

Improvements

• safe x509 renew can now recover from missing CRLs and missing
  serial numbers, in case you've imported the certificate and
  private key from somewhere else.

• safe x509 validate now complains is a certificate is listed as
  a CA but does not have its serial number or CRL.