Introduction
Overview
HashiCorp publishes multiple Vault binaries and images (intended for use in containers), so it may not be immediately clear which option to choose for your use case. This guide documents the differences between each type to make that choice easier.
Binaries:
Build type | Cloud Auto Unseal | HSM Auto Unseal | Linux Only | amd64 Only |
+ent | yes | no | no | no |
+ent.hsm | yes | yes | yes | yes |
+ent.fips1402 | yes | no | yes | yes |
+ent+hsm.fips1402 | yes | yes | yes | yes |
Images:
Image | Cloud Auto Unseal | HSM Auto Unseal | Base Image | amd64 Only | Available via Docker Hub | Available via RedHat registry |
+ent | yes | no | UBI | yes | no | yes |
+ent | yes | no | Alpine | no | yes | no |
+ent.hsm | yes | yes | - | yes | no | no |
+ent.fips1402 * | yes | no | - | yes | no | no |
+ent+hsm.fips1402 * | yes | yes | - | yes | no | no |
Note: FIPS build types are included in the table above for completeness; however there are currently no images created that include the FIPS builds of Vault.
Repositories:
Build type | Cloud Auto Unseal | HSM Auto Unseal | amd64 Only | Available via apt repository | Available via dnf/yum repository |
+ent | yes | no | yes * | yes | yes |
+ent.hsm | yes | yes | yes | yes | yes |
+ent.fips1402 | yes | no | yes | no | no |
+ent+hsm.fips1402 | yes | yes | yes | no | no |
Note: The apt repository also includes arm64 vault-enterprise releases from version 1.7.7 onwards.
FAQ:
- Is there a HashiCorp published Vault Enterprise image which can be used for auto unseal with an HSM?
- No - the base image used in the Vault images is Alpine, which uses musl as the C library. The libraries used to provide HSM support require glibc, which Alpine does not offer.
- Do the HashiCorp published Vault Enterprise images support unsealing via a cloud auto unseal method such as AWS KMS or Azure Key Vault?
- Yes.
- Is the systemd service file that is included in the rpm/apt repository packaging available for viewing?
- Is there any plan to add any architecture types other than amd64/x86_64 to the apt & dnf/yum repositories?
- Not at this time.
Additional Information:
- HashiCorp Official Release Channels Guide: https://www.hashicorp.com/official-release-channels
- The HashiCorp Vault release site: https://releases.hashicorp.com/vault
- HashiCorp dnf/yum & apt repository: https://www.hashicorp.com/official-packaging-guide
- Docker Hub Images: https://hub.docker.com/r/hashicorp/vault-enterprise
- RedHat UBI Images: https://catalog.redhat.com/software/containers/hashicorp/vault-enterprise/5fda5633ac3db90370a26443