Our recommendation is to start with a FIPS version of Vault and design with this in mind from the very beginning wherever compliance is required. A greater degree of compliance may be attained by starting with installations that only involve Vault FIPS binaries and no other data from non-FIPS versions of Vault. In particular this guide does not cover replacement of all keys generated by the non-FIPS vault, including Barrier keys, and all storage encrypted by it, Recovery Keys, Transit Keys, KMIP keys, etc.
However in other cases where a non-FIPS version of Vault Enterprise is already in use with existing secrets that can be read and recreated anew as part of the in-place transition onto FIPS then the details outlined herein may be relevant.
Please note that it would be better to forgo the approach outlined in this article and instead restart anew with the re-provisioning of all mounts and their respective configurations, excluding any actual secrets or replication of data from other sources. This way, inadvertent omissions or other human errors that could violate compliance may be avoided.
Prerequisites
An Enterprise version of Vault is already in use with one the following scenarios as the target being transitioned to and involving one of the following version of the Vault Enterprise binaries:
- 1. Vault HSM version with an external FIPS-HSM or
- 2. Vault HSM-FIPS1402 version or
- 3. Vault FIPS1402 version
And completion of steps:
1. Vault HSM version with an external FIPS-HSM
Auto-unseal & Entropy Augmentation
If the transition is from an existing Vault Enterprise instance that does not have HSM auto-unseal enabled then this will need to be completed first ensuring that the seal "pkcs11" stanza is set and working. See the KB article: Migrating KV Secrets - should a migration be required from other unseal types. Only other FIPS-HSM devices may be used if you're considering HA Seals.
Entropy Augmentation must be enabled so as to use the external FIPS-HSM and in order to enable this, place the entropy "seal" stanza within your Vault HCL as detailed in the documentation and guides:
- Vault Docs - Configuration: Entropy augmentation seal
- Vault Tutorial: HSM integration - entropy augmentation
Once Entropy Augmentation is enabled the use of the HSM device can be verified via the HSM logs where greater cryptographic calls should be made to the HSM for operations other than unsealing.
Once Entropy Augmentation has been successfully enabled continue onto 4. Recreating Seal-Wrap on Authentication & Secrets Mounts & 5. Recreating Secrets & Secret Migration.
2. Vault HSM-FIPS1402 version
A successful transition to the Vault HSM-FIPS1402 binary version is confirmed via vault status -format=json | jq -r '.version'. Proceed next to 4. Recreating Seal-Wrap on Authentication & Secrets Mounts & 5. Recreating Secrets & Secret Migration
3. Vault FIPS1402 version
A successful transition to the Vault FIPS1402 binary version is confirmed via vault status -format=json | jq -r '.version'. Proceed next to 4. Recreating Seal-Wrap on Authentication & Secrets Mounts & 5. Recreating Secrets & Secret Migration
4. Recreating Seal-Wrap on Authentication & Secrets Mounts
Once a transitions to a FIPS compliant version & binary of Vault has been successfully achieved the pending actions that must be completed is to ensure that all existing mounts are setup anew with the parameter seal_wrap set to truesuch as:
VCPS='sw_kv2' ;
vault secrets enable -version=2 -path=${VCPS} -seal-wrap=true kv ;
VCPA='sw_approle2' ;
vault auth enable -path=${VCPA} -seal-wrap=true approle ;
The intent is to ensure that there are no authentication or secrets mounts listed as seal_wrap false under the detailed view for each - like for example:
# // All Authentication mounts:
vault auth list -format=json | jq -c 'to_entries|.[]|{path: .key, seal_wrap: .value.seal_wrap}'
# // All Secret mounts:
vault secrets list -format=json | jq -c 'to_entries|.[]|{path: .key, seal_wrap: .value.seal_wrap}'
Once all mounts are confirmed to be seal_wrapped then proceed onto 5. Recreating Secrets & Secret Migration
5. Recreating Secrets & Secret Migration
Please note that the copying and or migration of secrets is beyond the scope of this article.
What's more it may not be possible to copy or migrate existing values from all secret mounts.
However, in the case of KV (version 1 & 2) the following articles may be relevant and could be used to recreate by reading secretss from an existing source mount and recreating them anew onto the FIPS seal-wrapped mount.
Consider a similar approach and other tools that may facilitate the recreation of secrets specific to each mount type and whether that's possible.