This living document provides a security overview of HCP Vault. It reflects the current state of HCP Vault.
Refer to the HashiCorp Cloud Platform (HCP) Architecture documentation to understand the platform architecture.
HCP Vault runs as a cluster. The cluster is deployed in a unique, isolated AWS account.
»Cluster auto unseal
Each node within the cluster automatically unseals through the Auto Unseal process with an account specific key. This key is created through the Key Management Service (KMS) and trusted by each EC2 instance in the cluster.
NOTE: Externally provided KMS keys are not supported.
»Auto unseal recovery keys
Recovery keys are returned to the control plane, transit encrypted, and stored in the primary data store with the cluster information. These keys provide a mechanism to recover access to the cluster if all other methods fail.
Vault's data is encrypted and stored in an account specific Amazon Elastic Block Store (EBS).
Cluster initialization generates a root token, used to enable initial authentication methods, define policies, and establish trust with the control plane. The root token is revoked after setup is complete.
NOTE: The Vault cluster administrator is provided an admin token when the cluster is ready.
Supported authentication methods:
Audit logs are stored in an encrypted Amazon S3 bucket in the same region as the cluster. This data may be uploaded to a security information and event management (SIEM) platform.
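Because the root token is revoked after setup, any audit entry that carries the root policy is worth an alert once the logs reach a SIEM. The following is an added example, not HashiCorp's code: it assumes the JSON entry layout written by Vault audit devices (`auth.policies`, `auth.token_policies`, `request.id`, `request.path`), and the sample lines are constructed.

```python
import json

# Constructed sample in the JSON-lines layout of Vault's audit devices.
# Policy names, request ids and addresses are made up for illustration.
SAMPLE_LOG = "\n".join([
    '{"time":"2024-01-10T09:00:01Z","type":"request","auth":{"display_name":"token-admin","policies":["default","app-read"]},"request":{"id":"req-1","operation":"read","path":"secret/data/app","remote_address":"10.0.1.15"}}',
    '{"time":"2024-01-10T09:05:12Z","type":"request","auth":{"display_name":"root","policies":["root"]},"request":{"id":"req-2","operation":"update","path":"sys/policies/acl/ops","remote_address":"10.0.1.99"}}',
    '{"time":"2024-01-10T09:05:12Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"id":"req-2","operation":"update","path":"sys/policies/acl/ops","remote_address":"10.0.1.99"}}',
    '{"time":"2024-01-10T09:06:40Z","type":"request","auth":{"disp',  # truncated upload
])


def find_root_token_use(log_text):
    """Return (findings, unparsed_count) for requests made with the root policy."""
    findings, seen_ids, unparsed = [], set(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1  # report gaps in the log instead of hiding them
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        policies = set(auth.get("policies") or []) | set(auth.get("token_policies") or [])
        if "root" not in policies:
            continue
        req_id = request.get("id")
        if req_id is not None and req_id in seen_ids:
            continue  # request and response entries share one request id
        seen_ids.add(req_id)
        findings.append({
            "time": entry.get("time"),
            "path": request.get("path"),
            "operation": request.get("operation"),
            "remote_address": request.get("remote_address"),
        })
    return findings, unparsed


if __name__ == "__main__":
    hits, bad = find_root_token_use(SAMPLE_LOG)
    for hit in hits:
        print("root policy used:", hit)
    print("unparsed lines:", bad)
```

A non-zero unparsed count is itself a signal to investigate, since it means part of the audit trail did not arrive intact.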
Snapshots are stored in HashiCorp managed, encrypted Amazon S3 buckets in the US East (N. Virginia) region.
Clusters adhere to our production hardening guidelines.
End-to-end TLS - Instances use Let's Encrypt certificates that are automatically rotated.
Single tenant, Vault dedicated clusters - Instances run only the Vault process and management subsystem. Vault instances are not shared between organizations.
Firewall restrictions only allow inbound TCP/8200 on the public and private IP address. Public IP usage is discouraged in production.
Disable SSH / Remote Desktop - SSH and Remote Desktop software is disabled on instances.
Disable swap - Swap space is permanently disabled on instances.
Don’t run as root - Vault processes run as a dedicated, non-root user account.
Turn off core dumps - Core dumps are disabled on instances.
Immutable upgrades - Immutable instances are used to upgrade Vault clusters; software packages are never upgraded in-place.
Avoid root tokens - The root token is used to initially configure the cluster and then revoked. It is never shared outside the cluster.
Enable auditing - Enabled by default on all production clusters. Audit logging is not available on Dev clusters.
Upgrade frequently - Monthly updates are performed for system packages. Vault is automatically updated for minor versions; major versions are not automatic.
Configure SELinux / AppArmor - These are not in use.
Restrict storage access - All Vault data is encrypted and stored under the customer’s dedicated account. HashiCorp’s access to this account is restricted to support staff on a need-to-access basis. Customer secrets are not accessible to HashiCorp staff.
Disable shell command history - Not applicable as Vault commands are not issued.
Tweak ulimits - ulimits have been optimized for Vault usage.
Docker containers - Not applicable as Docker is not used.
No clear text credentials - All credentials are encrypted.
»GDPR Data Processing Agreement
HashiCorp supports a General Data Protection Regulation (GDPR) Data Processing Agreement (DPA) today for HCP Vault.
»HIPAA Business Associate Agreement
HIPAA Business Associate Contracts (BAAs) are not supported.