Backport of Add docs on FIPS Inside vs Seal Wrap into release/1.13.x #19397

Merged
24 changes: 24 additions & 0 deletions website/content/docs/enterprise/fips/index.mdx
Expand Up @@ -22,3 +22,27 @@ can be found on the [FIPS 140-2 Inside](/vault/docs/enterprise/fips/fips1402) pa
Before our FIPS Inside effort, Vault [depended on](https://www.hashicorp.com/vault-compliance)
an external HSM for FIPS 140-2 compliance. This uses the [Seal Wrap](/vault/docs/enterprise/fips/sealwrap)
functionality to wrap security relevant keys in an extra layer of encryption.

## Comparison of Versions

The below table attempts to documents the FIPS compliance of various Vault
operations between FIPS Inside and FIPS Seal Wrap. This table is by no means
an official evaluation of either product; refer to the Leidos Letters of
Attestation for that information.

| Feature | FIPS Inside | FIPS Seal Wrap |
| :-------------------------------- | :----------------------- | :--------------------------------------- |
| Entropy Augmentation | Not Supported | Yes |
| TLS Listener | Yes | No |
| Vault HA/DR/Raft TLS | Yes | No |
| Barrier Storage | Yes | No |
| Seal Wrapping of CSPs | With FIPS-Compliant HSM | With FIPS-Compliant HSM |
| SSH CA Operations | Yes with FIPS algorithms | No |
| Transit Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
| PKI Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM |
| KMIP (Key Creation & Use) | Yes with FIPS algorithms | No |
| Transform Tokenization | Yes | No |
| Vault Agent TLS & Internal Crypto | Yes | No |
| Vault to External Plugin TLS | Yes from Vault's side | No |
| Plugin to third-party service TLS | Yes from Vault's side | No |
| Auth Plugins' Internal Crypto | Yes with FIPS algorithms | No |
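Review bot: grammatical error in the new intro sentence of the "Comparison of Versions" section: "The below table attempts to documents the FIPS compliance" should read "The table below attempts to document the FIPS compliance". Two smaller consistency points in the same hunk: the paragraph above introduces the HSM-based approach as "Seal Wrap" while the table header calls it "FIPS Seal Wrap", so one name should be used throughout; and the disclaimer points readers to the "Leidos Letters of Attestation" without a link, whereas the surrounding text links the Seal Wrap and FIPS 140-2 Inside pages, so a link (or a note on where the letters are published) would make that reference actionable.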