luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/enterprise/fips/sealwrap.mdx

64 lines
2.7 KiB
Plaintext
Raw Normal View History

Start documentation for FIPS variants of Vault Enterprise (#15475) * Begin restructuring FIPS documentation This creates a new FIPS category under Enterprise and copies the FIPS-specific seal wrap documentation into it. We leave the existing Seal Wrap page at the old path, but document that the FIPS-specific portions of it have moved. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add initial FIPS 140-2 inside documentation This documents the new FIPS 140-2 Inside binary and how to use and validate it. This also documents which algorithms are certified for use in the BoringCrypto distribution. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add notes about FIPS algorithm restrictions Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 20:28:20 +00:00
---
layout: docs
page_title: Vault Enterprise FIPS Seal Wrap
description: |-
Vault Enterprise features a mechanism to wrap values with an extra layer of
encryption for supporting seals. This can be used for FIPS Compliance with
a certified HSM.
---
# Seal Wrap for FIPS Compliance
-> **Note**: This feature requires [Vault Enterprise Plus](https://www.hashicorp.com/products/vault/).
Vault Enterprise features a mechanism to wrap values with an extra layer of
encryption for supporting [seals](/docs/configuration/seal). This adds an
extra layer of protection and is useful in some compliance and regulatory
environments, including FIPS 140-2 environments.
To use this feature, you must have an active or trial license for Vault
Enterprise Plus (HSMs). To start a trial, contact [HashiCorp
sales](mailto:sales@hashicorp.com).
## Using Seal Wrap
See [the Enterprise documentation](/docs/enterprise/sealwrap) for instructions
on how to use and enable Seal Wrap.
## FIPS 140-2 Compliance
Vault's Seal Wrap feature has been evaluated by Leidos for compliance with
FIPS 140-2 requirements. When used with a FIPS 140-2-compliant HSM, Vault will
store Critical Security Parameters (CSPs) in a manner that is compliant with
KeyStorage and KeyTransit requirements. This is on by default for many parts of
Vault and opt-in for each individual mount; see the Activating Seal Wrapping
section below for details.
[Download the current compliance letter](/docs/enterprise/sealwrap/Vault_Compliance_Letter_signed.pdf)
### Updates Since The Latest FIPS Compliance Audit
The following are values that take advantage of seal wrapping in the current
release of Vault that have not yet been asserted as compliant by Leidos. The
mechanism for seal wrapping is the same, they simply were not specifically
evaluated by the auditors.
- Root tokens
- Replication secondary activation tokens
- Client authentication information for the GCP Auth Backend
- Client authentication information for the Kubernetes Auth Backend
## Seal Wrap and Replication
Because of the level of flexibility targeted for replication, values sent over
replication connections do not currently meet KeyTransit requirements for FIPS
140-2. Vault's clustering implementation does support best practices guidance
given in FIPS 140-2, but the cryptographic implementation of TLS is not FIPS
140-2 certified. We may look into providing certified TLS in the future for
replication traffic; in the meantime, a transparent TCP proxy that supports
certified FIPS 140-2 TLS (such as
[stunnel](https://www.stunnel.org/index.html)) can be used for replication
traffic if meeting KeyTransit requirements for replication is necessary.
[configuration]: /docs/configuration
Reference in a new issue Copy permalink