mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 23:21:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
55 lines
3.4 KiB
Plaintext
55 lines
3.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: FIPS compliance in Vault
|
|
description: >-
|
|
Learn about FIPS compliance options in Vault.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# FIPS compliance in Vault
|
|
|
|
@include 'alerts/enterprise-only.mdx'
|
|
|
|
The [Federal Information Processing Standard](https://www.nist.gov/federal-information-standards-fips)
|
|
is a cryptography-focused certification standard for U.S. Government usage.
|
|
|
|
Hashicorp's Vault Enterprise supports the modes of FIPS compliance documented below.
|
|
|
|
## FIPS 140-3 inside
|
|
|
|
Vault Enterprise now includes release flavors with FIPS 140-3 compliant
|
|
cryptography built into the Vault binary. More information on these releases
|
|
can be found on the [FIPS 140-3 Inside](/vault/docs/enterprise/fips/fips1403) page.
|
|
|
|
## Seal wrap
|
|
|
|
Before our FIPS Inside effort, Vault [depended on](https://www.hashicorp.com/vault-compliance)
|
|
an external HSM for FIPS 140-2/3 compliance. This uses the [Seal Wrap](/vault/docs/enterprise/fips/sealwrap)
|
|
functionality to wrap security relevant keys in an extra layer of encryption.
|
|
|
|
## Comparison of versions
|
|
|
|
The below table attempts to documents the FIPS compliance of various Vault
|
|
operations between FIPS Inside and FIPS Seal Wrap. This table is by no means
|
|
an official evaluation of either product; refer to the Leidos Letters of
|
|
Attestation for that information.
|
|
|
|
| Feature | FIPS Inside | FIPS Seal Wrap |
|
|
| :-------------------------------- | :----------------------- | :--------------------------------------- |
|
|
| Entropy Augmentation | Not Supported | Yes |
|
|
| TLS Listener | Yes | No |
|
|
| Vault HA/DR/Raft TLS | Yes | No |
|
|
| Barrier Storage | Yes | No |
|
|
| Seal Wrapping of CSPs | With FIPS-Compliant HSM | With FIPS-Compliant HSM |
|
|
| SSH CA Operations | Yes with FIPS algorithms | No |
|
|
| Transit Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
|
|
| PKI Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
|
|
| KMIP (Key Creation & Use) | Yes with FIPS algorithms | No |
|
|
| Transform Tokenization | Yes | No |
|
|
| Vault Agent TLS & Internal Crypto | Yes | No |
|
|
| Vault to External Plugin TLS | Yes from Vault's side | No |
|
|
| Plugin to third-party service TLS | Yes from Vault's side | No |
|
|
| Auth Plugins' Internal Crypto | Yes with FIPS algorithms | No |
|