HashiCorp Vault Completes FIPS 140-2 Evaluation

SAN FRANCISCO, CA--(Marketwired - Nov 14, 2017) - HashiCorp, a leader in cloud infrastructure automation, today announced that Vault Enterprise 0.9, HashiCorp's secrets and privileged access management security product, has been evaluated as conformant with the Federal Information Processing Standard (FIPS) 140-2 standards. The certification ensuring Vault Enterprise's conformance has been issued by Leidos, a major security audit and innovation lab. For more details on the certification, see the Vault Compliance Letter at  https://www.hashicorp.com/vault-compliance.

Leidos' evaluation focuses on the new Seal Wrapping feature in Vault 0.9. Seal Wrapping allows a Vault Enterprise system to encode cryptographic fundamentals and credentials with encryption derived from external FIPS 140-2 certified cryptographic modules. By targeting specific storage values within Vault that contain CSPs (Critical Security Parameters), Vault's Seal Wrapping feature achieves FIPS 140-2 conformance with minimal performance impact.

Leidos' audit has affirmed that Seal Wrapping allows Vault Enterprise to be compliant with FIPS 140-2 standards for Key Transport (FIPS 140-2 IG 7.16) and Key Storage (FIPS 140-2 IG D.9) at a Security Level equal to the cryptography of the external module. For example, if Vault Enterprise is configured to use Seal Wrapping with a hardware cryptographic module operating at a Security Policy of FIPS 140-2 Level 3, Vault Enterprise will operate at a Level 3 FIPS 140-2 Security Level.

Vault is broadly used among the Global 2000 to address the challenge of infrastructure and application security in distributed environments. The Vault open source product addresses core security use cases for secrets management, encryption as a service, and privileged access management. Vault Enterprise enables teams and organizations to extend Vault with collaboration and operations features, provide governance capabilities, and scale Vault across multiple data centers.

The FIPS compliance letter is available today, and is applicable for Vault Enterprise 0.9 and on. Users can download the open source version of Vault at https://www.vaultproject.io. Vault Enterprise is available in two versions: Vault Enterprise Pro focuses on collaboration and operational features, like a UI for managing secrets, health monitoring, and initialization and secure bootstrapping workflows, while Enterprise Premium focuses on multi-datacenter functionality and governance, with features such as Hardware Security Module (HSM) integration, replication, and Sentinel integration. For more information about HashiCorp Vault Enterprise, visit https://www.hashicorp.com/products/vault/.

About HashiCorp

HashiCorp is a cloud infrastructure automation company that enables organizations to adopt consistent workflows to provision, secure, connect, and run any infrastructure for any application. HashiCorp open source tools Vagrant, Packer, Terraform, Vault, Consul, and Nomad are downloaded thousands of times per day and are broadly adopted by the Global 2000. Enterprise versions of these products enhance the open source tools with features that promote collaboration, operations, governance, and multi-data center functionality. The company is headquartered in San Francisco and backed by Mayfield, GGV Capital, Redpoint, and True Ventures. For more information, visit https://www.hashicorp.com or follow HashiCorp on Twitter @HashiCorp.