FIPS 140-2 Level 1 compliance

PJ

Sep 27, 2016, 11:27:46 PM
to Vault
Is Vault FIPS 140-2 Level 1 certified? Expecting anything above level 1 would be unfair given the fact that Vault is a software-based cryptographic storage/module.

----
For people interested in FIPS, this wiki is useful: https://en.wikipedia.org/wiki/FIPS_140-2 

Jeff Mitchell

Sep 28, 2016, 9:56:12 AM
to vault...@googlegroups.com
Hi PJ,

Vault itself is not FIPS 140-2 certified. However, we've been looking
into whether Vault in conjunction with a FIPS 140-2 HSM protecting
Vault's master key is sufficient to use Vault for work where FIPS is
required.

Best,
Jeff

ori troyna

Dec 22, 2016, 2:02:40 PM
to Vault
Hello Jeff,

Is there any progress with Vault towards FIPS 140-2?

thanks,
Ori

Jeff Mitchell

Dec 28, 2016, 11:56:51 AM
to vault...@googlegroups.com
Hi Ori,

We are actively discussing with experts how Vault can be a part of a
FIPS 140-2 compliant solution; we believe that by using Vault with a
140-2 compliant HSM encrypting its master key (e.g. its root of trust)
that Vault can then be part of the compliant set of systems.

Best,
Jeff

sbel...@evident.io

Jul 3, 2017, 6:59:19 AM
to Vault
Has there been any update on this issue?

Carlos OKieffe

Sep 5, 2017, 1:41:33 PM
to Vault
Hi,

I am trying to see if Vault will be usable in a government project that requires FIPS compliance on AWS.

I read this, https://www.vaultproject.io/intro/vs/hsm.html, that mentioned "Vault doesn't replace an HSM. Instead, they can be complementary; a compliant HSM can protect Vault's master key to help Vault comply with regulatory requirements"

How do you 'protect the master key' in this case?

Jeff Mitchell

Sep 5, 2017, 2:53:18 PM
to Vault
Hi Carlos,

The HSM can be used to encrypt the master key. If using Vault Enterprise, Vault can directly talk to the HSM to feed it the encrypted key, get the decrypted value back, and use it to unlock the encryption keyring.

Best,
Jeff
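
The unseal flow described in the reply above, sketched as an added example (it is not part of the thread and not Vault's own code): an HSM-held key wraps the master key, and the unwrapped master key opens the keyring. AES-GCM, the `hsmKey` stand-in for the HSM, and the names `seal`, `open` and `unseal` are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { // crypto/rand reads the OS CSPRNG
		panic(err)
	}
	return b
}

// seal returns nonce || AES-GCM ciphertext; open reverses it or errors.
func seal(key, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // invalid AES key length
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(blob) < 12 {
		return nil, fmt.Errorf("bad key length or truncated blob")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, blob[:12], blob[12:], nil)
}

// unseal: hsmKey stands in for the HSM, which would unwrap internally.
func unseal(hsmKey, wrappedMaster, encKeyring []byte) ([]byte, error) {
	master, err := open(hsmKey, wrappedMaster)
	if err != nil {
		return nil, fmt.Errorf("hsm unwrap: %w", err)
	}
	return open(master, encKeyring) // master key lives only in memory
}

func main() {
	hsmKey, master := randBytes(32), randBytes(32) // constructed demo keys
	ring, err := unseal(hsmKey, seal(hsmKey, master), seal(master, []byte("keyring")))
	fmt.Println(string(ring), err)
}
```

Only the wrapped master key and the encrypted keyring would be stored at rest; a different HSM key or a modified blob makes the unwrap fail rather than yield a wrong key.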

Carlos OKieffe

Sep 7, 2017, 10:15:10 AM
to Vault
Thanks for the response, Jeff.

Regarding 'The HSM can be used to encrypt the master key', I am not sure how to do this.

1) Is the master key exposed via the API?
I know if I call

curl -X PUT -d "{\"secret_shares\":1, \"secret_threshold\":1}" http://${SERVER_IP}:8200/v1/sys/init

then, in the response, the singular unseal key is the master key (I read the hashicorp/vault/vault/init.go source code)

Or
2) Is there a configuration for Vault that says 'store my master key this way ...'?

Thanks in advance

Jeff Mitchell

Sep 7, 2017, 10:28:10 AM
to Vault
Hi Carlos,

It's item #2, but only available with Vault Enterprise Premium.

Best,
Jeff

Carlos OKieffe

Sep 7, 2017, 10:33:44 AM
to Vault
Ah, 

So, only Vault Enterprise Premium can be made FIPS compliant?

Patrick Townsend

Sep 21, 2017, 1:17:04 PM
to Vault
Hi PJ,


Disclaimer: my company has a key management solution that is FIPS 140-2 compliant, and I've managed NIST validation and FIPS 140-2 projects.

It is difficult to see how Vault could be considered FIPS 140-2 compliant even when the Vault master key is protected by an HSM which is itself FIPS 140-2 compliant. There are a large number of requirements for FIPS 140-2 compliance. Here are just a couple of those:

First, the Vault master key would need to be generated using a NIST compliant process. For symmetric key generation this would typically involve the use of a NIST approved deterministic random number generation routine as described in NIST Special Publication 800-90A Revision 1, which you can find here:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

Since Vault is written in the Go language it is probably using the Go language <rand> function or similar. The Go language reference describes the use of a pseudo random number routine that is not NIST compliant. You can find the Go language specification here:

https://golang.org/ref/spec

Secondly, and related to the first point, NIST compliant random number generators use either a secure hash algorithm or an encryption algorithm. Whichever method is used the hash or encryption method must also be NIST compliant. I can find no evidence that the Go language hash and crypto functions have been NIST validated. The list of compliant hash libraries are here:

https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/SHS

https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/SHA-3

The AES encryption validation list is here:

https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/AES

Please let me know if there are any errors in the above analysis.

It would be great to see Vault achieve FIPS 140-2 compliance. There is a clear path to validating this compliance that is open to anyone. See the NIST National Voluntary Laboratory Accreditation Program (NVLAP). Organizations which achieve NVLAP status can take you through the process.

Patrick

Jeff Mitchell

Sep 21, 2017, 2:58:16 PM
to Vault
Hi Patrick,

Thank you for your input.

We do not, and have not, claimed that the crypto stacks in use by
Vault are NIST certified. However, we have a breadth of customers and
the specifics of FIPS 140-2 that they are required to adhere to varies
widely depending on industry, compliance standards, and so on. The
auditing and certification being performed on Vault will not suffice
to meet the FIPS requirements of all potential Vault customers, but
via countless customer discussions we know that it will be sufficient
for many.

The auditing is being performed now and we will have more details to
share when it is completed.

Best,
Jeff

Patrick Townsend

Sep 21, 2017, 3:44:09 PM
to Vault
Hi Jeff,

Thanks for the clarification. Can you describe which parts of Vault are FIPS 140-2 compliant, and which are not? Also, will you post the results of the audit and certification?

Patrick

Jeff Mitchell

Sep 21, 2017, 4:01:47 PM
to Vault
Hi Patrick,

> Thanks for the clarification. Can you describe which parts of Vault are FIPS
> 140-2 compliant, and which are not?

That is what our auditors (Leidos) are determining.

> Also, will you post the results of the
> audit and certification?

They will certainly be available for our customers to examine. I
honestly am not sure of the terms of the audit, simply because I was
not a part of those discussions. For example, Vault's codebase
undergoes regular audits by NCC Group, but the terms of the audit only
allow the actual documented results to be disclosed to third parties
under NDA. (My understanding is that the methods used during the audit
-- what is looked for, how it is tested, etc. -- are considered trade
secrets.)

Best,
Jeff

Patrick Townsend

Sep 21, 2017, 4:32:22 PM
to Vault
Hi Jeff,

I understand that code audits, pen testing, and other security reviews are often not made public. We've been through that ourselves. However, all NIST certifications are publicly available on the NIST website. All professional key management solutions go through NIST validation and the results are posted for public review. This helps prospective customers in both the public and private sectors evaluate solutions and have confidence in them. Having discussed security testing with Leidos in the past I am reasonably sure that they would be willing to prepare a summary of results for public consumption. I am sure that you would agree that transparency in this respect is good for all of us in the industry.

Here's hoping that Vault can eventually go through the full FIPS 140-2 validation process and achieve provable compliance with FIPS 140-2. It is a spine-straightening experience and well worth it. Actually validating to the FIPS 140-2 standard is the only legitimate way to rightfully claim that level of compliance. You would be justifiably proud of achieving that certification for Vault. 

Best regards,
Patrick

Jeff Mitchell

Sep 21, 2017, 6:00:56 PM
to Vault
Hi Patrick,

We will make no compliance contradictory what our auditors certify.

Best,
Jeff

Jeff Mitchell

Sep 21, 2017, 6:01:52 PM
to Vault
Apologies for my phone swallowing words. Let me try again:

We will make no compliance claims contradictory to what our auditors certify.

Thanks,
Jeff