diff --git a/website/content/docs/configuration/entropy-augmentation.mdx b/website/content/docs/configuration/entropy-augmentation.mdx index e8f2d8499..df4c980b0 100644 --- a/website/content/docs/configuration/entropy-augmentation.mdx +++ b/website/content/docs/configuration/entropy-augmentation.mdx @@ -17,7 +17,9 @@ block in Vault's configuration file. ## Requirements -A valid Vault Enterprise license is required for Entropy Augmentation +A valid Vault Enterprise license is required for Entropy Augmentation. + +~> **Warning** This feature is not available with FIPS 140-2 Inside variants of Vault. Additionally, the following software packages and enterprise modules are required for sourcing entropy via the [PKCS11 seal](/docs/configuration/seal/pkcs11): diff --git a/website/content/docs/enterprise/entropy-augmentation.mdx b/website/content/docs/enterprise/entropy-augmentation.mdx index 94d9d5022..e591dc094 100644 --- a/website/content/docs/enterprise/entropy-augmentation.mdx +++ b/website/content/docs/enterprise/entropy-augmentation.mdx @@ -10,6 +10,8 @@ description: |- -> **Note**: This feature requires [Vault Enterprise Plus](https://www.hashicorp.com/products/vault/). +~> **Warning** This feature is not available with FIPS 140-2 Inside variants of Vault. + Vault Enterprise features a mechanism to sample entropy (or randomness for cryptographic operations) from external cryptographic modules via the [seals](/docs/configuration/seal) interface. While the system entropy used by Vault is more than capable of diff --git a/website/content/docs/enterprise/fips/fips1402.mdx b/website/content/docs/enterprise/fips/fips1402.mdx index 22ae4b052..e06e7ca2c 100644 --- a/website/content/docs/enterprise/fips/fips1402.mdx +++ b/website/content/docs/enterprise/fips/fips1402.mdx @@ -40,6 +40,10 @@ A non-exhaustive list of potential compliance issues include: - Using FF3-1/FPE in Transform Secrets Engine, or - Using a Derived Key (using HKDF) for Agent auto-authing or the Transit Secrets Engine. + - Using **Entropy Augmentation**: because BoringCrypto uses its internal, + FIPS 140-2 approved RNG, it cannot mix entropy from other sources. + Attempting to use EA with FIPS 140-2 HSM enabled binaries will result + in failures such as `panic: boringcrypto: invalid code execution`. Hashicorp can only provide general guidance regarding using Vault Enterprise in a FIPS-compliant manner. We are not a NIST-certified testing laboratory @@ -55,6 +59,8 @@ from the following sources: container repository. - From the [AWS ECR `hashicorp/vault-enterprise-fips`](https://gallery.ecr.aws/hashicorp/vault-enterprise-fips) container repository. + - From the [Red Hat Access `hashicorp/vault-enterprise-fips`](https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise-fips/628d50e37ff70c66a88517ea) + container repository. ~> **Note**: When pulling the FIPS UBI-based images, note that they are ultimately designed for OpenShift certification; consider either adding @@ -62,6 +68,17 @@ from the following sources: mlock, or use the `--env SKIP_SETCAP=1` option, to disable mlock completely, as appropriate for your environment. +### Usage Restrictions + +Hashicorp **does not** support in-place migrations from non-FIPS Inside +versions of Vault to FIPS Inside versions of Vault, regardless of version. +A fresh cluster installation is required to receive support. + +Entropy Augmentation **does not** work with FIPS 140-2 Inside. The internal +BoringCrypto RNG is FIPS 140-2 certified and does not accept entropy from +other sources. Attempting to use Entropy Augmentation will result in failures +at runtime such as `panic: boringcrypto: invalid code execution`. + ## Technical Details Vault Enterprise's FIPS 140-2 Inside binaries rely on a special version of the