Using Fortanix Data Security Manager with HashiCorp Vault

The Fortanix-HashiCorp joint solution maximizes the security of the encryption keys used to protect enterprise credentials and passwords.



Challenge

Digital business transformation is built on a foundation of digital trust. Best practices for digital trust rely on cryptography to protect sensitive data. Today, data goes unprotected because cryptography is often underutilized, misconfigured, and siloed between different environments and groups within an organization. To build digital trust, accelerate digital transformation, and minimize the risk of data breaches, it is critical that businesses use a pervasive encryption approach that standardizes and centralizes cryptographic operations so that encryption becomes universal across all applications, infrastructure, and digital information.

Fortanix Data Security Manager provides virtually impenetrable security to your data, keys and secrets. Secured with Intel® SGX and built using Fortanix’s patented Runtime Encryption® Technology, Fortanix Data Security Manager runs every operation in HSM, ensuring complete control over your keys, data and secrets. Comprehensive audit logs provide insight into how secrets are being used, helping you meet compliance.

Overview

HashiCorp Vault centrally secures, stores, and tightly controls access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. Organizations use HashiCorp Vault to solve security challenges as they adopt cloud and DevOps.
Fortanix Data Security Manager delivers unified HSM and key management capabilities to securely generate, store, and use cryptographic keys and certificates. The combined solution of Fortanix DSM and HashiCorp Vault Enterprise delivers enhanced security and availability for the encryption keys used to access secrets, ensuring the confidentiality, integrity, and availability of critical enterprise data.
Fortanix Data Security Manager leverages Runtime Encryption™ and Intel® SGX in a FIPS 140-2 Level 3 HSM to deliver deterministic security for encryption keys. The joint solution maximizes the security of encryption keys used to protect enterprise credentials and passwords to help guard against threats exploiting insider privileges.


Vault Enterprise communicates with Fortanix DSM using the PKCS #11 API. Fortanix's integration with Vault Enterprise provides the following functionality:

  • Master Key Wrapping: Vault protects its master key by transiting it through the Fortanix HSM powered by Intel® SGX to provide maximum security and comply with regulatory requirements.
  • Automatic Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing.
  • Seal Wrapping: This provides FIPS 140-2 Level 2 conforming secret storage for Critical Security Parameters. Note that the Fortanix KMS itself is classified by NIST as FIPS 140-2 Level 3.
  • Entropy Augmentation: Vault Enterprise features a mechanism to sample entropy (randomness for cryptographic operations) from external cryptographic modules through the Seals interface. While the system entropy used by Vault is more than capable of operating in most threat models, there are some situations where additional entropy from a hardware-based random number generator is desirable.
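The four capabilities above are all configured through Vault's seal stanza. The following server configuration is an added example, not taken from the Fortanix or HashiCorp documentation: it enables the PKCS #11 seal (master key wrapping and automatic unsealing), relies on the default seal-wrapping behaviour, and turns on entropy augmentation from the HSM. The library path, slot number, key labels, PIN, hostnames and file paths are placeholders; substitute the values for your Fortanix DSM deployment.

```hcl
# Added example of a Vault Enterprise server configuration using a PKCS #11
# seal backed by an external HSM. All paths, labels, the slot and the PIN are
# placeholders for illustration.

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

# PKCS #11 seal: Vault wraps its master key with an AES key that never leaves
# the HSM, stores the wrapped key in its storage backend, and unseals itself
# automatically at startup by asking the HSM to unwrap it.
seal "pkcs11" {
  lib            = "/opt/fortanix/pkcs11/libpkcs11.so"  # placeholder path to the vendor PKCS #11 library
  slot           = "0"                                  # placeholder slot; token_label may be used instead
  pin            = "PLACEHOLDER-PIN"                    # prefer the VAULT_HSM_PIN environment variable to a literal
  key_label      = "vault-master-key-wrap"              # AES key used to wrap the master key
  hmac_key_label = "vault-master-key-hmac"              # HMAC key used to authenticate the wrapped value
  generate_key   = "true"                               # create the keys on first start if they do not yet exist
}

# Seal wrapping of Critical Security Parameters is on by default when a
# supported seal is configured; this top-level setting would turn it off.
disable_sealwrap = false

# Entropy augmentation: mix randomness sampled from the HSM, via the seal
# interface, into Vault's own entropy source.
entropy "seal" {
  mode = "augmentation"
}

api_addr     = "https://vault-1.example.internal:8200"   # placeholder hostname
cluster_addr = "https://vault-1.example.internal:8201"   # placeholder hostname
```

Two operational points follow from this layout. First, the PIN is a credential to the HSM token and should be supplied through the environment (`VAULT_HSM_PIN`) or a secured file rather than written into a world-readable config. Second, automatic unsealing makes the HSM an availability dependency: if Vault cannot reach the PKCS #11 provider at startup it stays sealed, so HSM reachability and the seal status reported by `vault status` belong in the same monitoring that watches Vault itself.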
