FIPS
Appropriate Vault Enterprise license required
The Federal Information Processing Standard is a cryptography-focused certification standard for U.S. Government usage.
Hashicorp's Vault Enterprise supports the modes of FIPS compliance documented below.
FIPS 140-2 inside
Vault Enterprise now includes release flavors with FIPS 140-2 compliant cryptography built into the Vault binary. More information on these releases can be found on the FIPS 140-2 Inside page.
Seal wrap
Before our FIPS Inside effort, Vault depended on an external HSM for FIPS 140-2 compliance. This uses the Seal Wrap functionality to wrap security relevant keys in an extra layer of encryption.
Comparison of versions
The below table attempts to documents the FIPS compliance of various Vault operations between FIPS Inside and FIPS Seal Wrap. This table is by no means an official evaluation of either product; refer to the Leidos Letters of Attestation for that information.
| Feature | FIPS Inside | FIPS Seal Wrap |
|---|---|---|
| Entropy Augmentation | Not Supported | Yes |
| TLS Listener | Yes | No |
| Vault HA/DR/Raft TLS | Yes | No |
| Barrier Storage | Yes | No |
| Seal Wrapping of CSPs | With FIPS-Compliant HSM | With FIPS-Compliant HSM |
| SSH CA Operations | Yes with FIPS algorithms | No |
| Transit Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
| PKI Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
| KMIP (Key Creation & Use) | Yes with FIPS algorithms | No |
| Transform Tokenization | Yes | No |
| Vault Agent TLS & Internal Crypto | Yes | No |
| Vault to External Plugin TLS | Yes from Vault's side | No |
| Plugin to third-party service TLS | Yes from Vault's side | No |
| Auth Plugins' Internal Crypto | Yes with FIPS algorithms | No |