HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

Seal wrap for FIPS compliance

Enterprise

Appropriate Vault Enterprise  license required

Vault Enterprise features a mechanism to wrap values with an extra layer of encryption for supporting seals. This adds an extra layer of protection and is useful in some compliance and regulatory environments, including FIPS 140-2 environments.

To use this feature, you must have an active or trial license for Vault Enterprise Plus (HSMs). To start a trial, contact HashiCorp sales.

Using seal wrap

See the Enterprise documentation for instructions on how to use and enable Seal Wrap.

FIPS 140-2 compliance

Vault's Seal Wrap feature has been evaluated by Leidos for compliance with FIPS 140-2 requirements. When used with a FIPS 140-2-compliant HSM, Vault will store Critical Security Parameters (CSPs) in a manner that is compliant with KeyStorage and KeyTransit requirements. This is on by default for many parts of Vault and opt-in for each individual mount; see the Activating Seal Wrapping section below for details.

View and download current Vault compliance letters

Updates since the latest FIPS compliance audit

The following are values that take advantage of seal wrapping in the current release of Vault that have not yet been asserted as compliant by Leidos. The mechanism for seal wrapping is the same, they simply were not specifically evaluated by the auditors.

  • Root tokens
  • Replication secondary activation tokens
  • Client authentication information for the GCP Auth Backend
  • Client authentication information for the Kubernetes Auth Backend

Seal wrap and replication

Because of the level of flexibility targeted for replication, values sent over replication connections do not currently meet KeyTransit requirements for FIPS 140-2. Vault's clustering implementation does support best practices guidance given in FIPS 140-2, but the cryptographic implementation of TLS is not FIPS 140-2 certified. We may look into providing certified TLS in the future for replication traffic; in the meantime, a transparent TCP proxy that supports certified FIPS 140-2 TLS (such as stunnel) can be used for replication traffic if meeting KeyTransit requirements for replication is necessary.

Edit this page on GitHub