Introduction
Overview
HashiCorp publishes multiple Vault binaries and images (intended for use in containers), as a result it may not be immediately clear as to which option should be chosen for your use case. This guide will document the variance between each type and aim to help make the choice easier.
See the bottom of this page for a list of URL's for sourcing binaries & images.
Binaries:
| Image | Cloud Auto Unseal | HSM Auto Unseal | Linux Only | amd64 Only |
| +ent | yes | no | no | no |
| +ent.hsm | yes | yes | yes | yes |
| +ent.fips1402 | yes | no | yes | yes |
| +ent+hsm.fips1402 | yes | yes | yes | yes |
Images:
| Image | Cloud Auto Unseal | HSM Auto Unseal | Base Image |
amd64 Only | Available via Docker Hub |
Available via RedHat registry |
| +ent | yes | no | UBI | yes | no | yes |
| +ent | yes | no | Alpine | no | yes | no |
| +ent.hsm | yes | yes | - | yes | no | no |
| +ent.fips1402 * | yes | no | UBI | yes | yes | yes |
| +ent+hsm.fips1402 * | yes | yes | - | yes | no | no |
Note: FIPS HSM build types are included in the table above for completeness; however there are currently no images created that include the FIPS HSM builds of Vault.
Repositories:
| Image | Cloud Auto Unseal | HSM Auto Unseal | amd64 Only | Available via apt repository | Available via dnf/yum repository |
| +ent | yes | no | yes * | yes | yes |
| +ent.hsm | yes | yes | yes | yes | yes |
| +ent.fips1402 | yes | no | yes | yes | yes |
| +ent+hsm.fips1402 | yes | yes | yes | yes | yes |
Note 1: The apt repository also includes arm64 vault-enterprise releases from version 1.7.7 onwards.
Note 2: As of Vault Enterprise versions 1.12.9, 1.13.5, 1.14.1 the FIPS 140-2 and HSM+FIPS 140-2 builds are published to apt and dnf/yum repositories.
FAQ:
-
Is there a HashiCorp published Vault Enterprise image which can be used for auto unseal with a HSM?
- No - the base image used in the Vault images is Alpine, which uses musl as the C library. The libraries used to provide HSM support require glibc, which Alpine does not offer. Additionally, each HSM vendor's implementation has unique requirements which are unable to be satisfied in one image or implemented and maintained by HashiCorp.
- We recommend liaising directly with the following HSM vendors as they have historically offered supported Docker & Kubernetes images containing Vault Enterprise for their respective HSM's:
- Entrust nShield
- Thales LunaHSM
- Do the HashiCorp published Vault Enterprise images support unsealing via a cloud auto unseal method such as AWS KMS or Azure Key Vault?
- Yes.
- Is the systemd service file that is included in the rpm/apt repository packaging available for viewing?
- Is there any plan to add any architecture types other than amd64/x86_64 to the apt & dnf/yum repositories?
- Not at this time.
Additional Information:
- HashiCorp Official Release Channels Guide: https://www.hashicorp.com/official-release-channels
- The HashiCorp Vault release site: https://releases.hashicorp.com/vault
- HashiCorp dnf/yum & apt repository: https://www.hashicorp.com/official-packaging-guide
- Docker Hub Images: https://hub.docker.com/r/hashicorp/vault-enterprise
- RedHat UBI Images: https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise/5fda5633ac3db90370a26443
- RedHat UBI Images (FIPS): https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise-fips/628d50e37ff70c66a88517ea