From 7383b52b80d9fbb121841d854906d6063289dd3c Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Tue, 28 Feb 2023 10:47:52 -0500 Subject: [PATCH] backport of commit 52bbf65ae7232e9306c8c8d7d392399f82d24f04 (#19397) Co-authored-by: Alexander Scheel --- .../content/docs/enterprise/fips/index.mdx | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/website/content/docs/enterprise/fips/index.mdx b/website/content/docs/enterprise/fips/index.mdx index 42428a78a891..0c5a82407408 100644 --- a/website/content/docs/enterprise/fips/index.mdx +++ b/website/content/docs/enterprise/fips/index.mdx @@ -22,3 +22,27 @@ can be found on the [FIPS 140-2 Inside](/vault/docs/enterprise/fips/fips1402) pa Before our FIPS Inside effort, Vault [depended on](https://www.hashicorp.com/vault-compliance) an external HSM for FIPS 140-2 compliance. This uses the [Seal Wrap](/vault/docs/enterprise/fips/sealwrap) functionality to wrap security relevant keys in an extra layer of encryption. + +## Comparison of Versions + +The below table attempts to documents the FIPS compliance of various Vault +operations between FIPS Inside and FIPS Seal Wrap. This table is by no means +an official evaluation of either product; refer to the Leidos Letters of +Attestation for that information. + +| Feature | FIPS Inside | FIPS Seal Wrap | +| :-------------------------------- | :----------------------- | :--------------------------------------- | +| Entropy Augmentation | Not Supported | Yes | +| TLS Listener | Yes | No | +| Vault HA/DR/Raft TLS | Yes | No | +| Barrier Storage | Yes | No | +| Seal Wrapping of CSPs | With FIPS-Compliant HSM | With FIPS-Compliant HSM | +| SSH CA Operations | Yes with FIPS algorithms | No | +| Transit Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM | +| PKI Operations | Yes with FIPS algorithms | With Managed Keys and FIPS-Compliant HSM | +| KMIP (Key Creation & Use) | Yes with FIPS algorithms | No | +| Transform Tokenization | Yes | No | +| Vault Agent TLS & Internal Crypto | Yes | No | +| Vault to External Plugin TLS | Yes from Vault's side | No | +| Plugin to third-party service TLS | Yes from Vault's side | No | +| Auth Plugins' Internal Crypto | Yes with FIPS algorithms | No |