Introduction
Below are some frequently asked questions regarding the Seal Wrap functionality in Vault Enterprise.
Prerequisites
Seal Wrap is only available in Vault Enterprise.
Questions and Answers
Q: I noticed that KV writes with Vault Seal Wrap enabled are significantly slower compared to before Seal Wrap was enabled. Is there a way to optimize this?
A: From our docs: "Note that it is often an order of magnitude or two slower to write to and read from HSMs or remote seals. However, values will be cached in memory un-seal-wrapped (but still encrypted by Vault's built-in cryptographic barrier) in Vault, which will mitigate this for read-heavy workloads."
Seal Wrap is essentially a double encryption operation, and it requires a call to your HSM or KMS provider. This means a network round trip, in addition to the encryption time in Vault, plus writing the result to storage (disk I/O). The flow for Seal Wrap is: plaintext -> Vault barrier encryption -> HSM encryption -> storage.
For these reasons, if performance is a major concern it is important to optimize your application so that it performs fewer KV writes, and to schedule the writes during off-peak hours.
Q: Is the Vault Seal Wrap feature FIPS compliant*?
A: According to our docs, Vault's Seal Wrap feature has been evaluated by Leidos for compliance with FIPS 140-2 requirements when using a FIPS 140-2-compliant HSM on pkcs11 seals. The compliance letter can be found here. Note that it is the client's responsibility to check and perform its own audit to determine whether the whole workflow is FIPS 140-2 compliant, as the compliance letter only covers the seal wrapping feature when using a compliant HSM.
Q: I am using a non-HSM auto-unseal such as KMS with Vault Seal Wrap. Would it be FIPS compliant*?
A: While some cloud KMS vendors such as AWS and GCP may use FIPS 140-2 validated HSMs within their infrastructure, the current compliance letter that Vault has assumes a pkcs11 seal.
Q: I am moving from the Community Edition to Enterprise+HSM. Will existing mounts (e.g. KV mount points) be seal wrapped after the upgrade?
A: The existing mount points (e.g. KV mount points) won't be seal wrapped after you upgrade. You need to create new mount points and migrate the existing secrets to them (either manually or via script).
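One way to script that migration, as an added example that is not part of this KB or of Vault itself: it enables a new KV v2 mount with seal_wrap set through the sys/mounts API and copies the current version of every secret into it using the documented KV v2 metadata/ (list) and data/ (read/write) endpoints. The address, token and mount names are placeholders; the request callable is injected so the copy logic can be exercised against a stand-in without a live Vault.

```python
import json
import urllib.request


def http_request(addr, token):
    """Return request(method, path, body) bound to a real Vault server."""
    def request(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method,
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}   # writes answer 204, no body
    return request


def enable_wrapped_kv(request, mount):
    """Enable a KV v2 engine at `mount` with seal_wrap=true (sys/mounts API)."""
    request("POST", f"/v1/sys/mounts/{mount}",
            {"type": "kv", "options": {"version": "2"}, "seal_wrap": True})


def walk_kv2(request, mount, prefix=""):
    """Yield every secret path under a KV v2 mount via LIST on metadata/."""
    resp = request("GET", f"/v1/{mount}/metadata/{prefix}?list=true")
    for key in resp.get("data", {}).get("keys", []):
        if key.endswith("/"):          # a folder: descend into it
            yield from walk_kv2(request, mount, prefix + key)
        else:
            yield prefix + key


def migrate_kv2(request, src, dst):
    """Copy the current version of each secret from src to dst; return paths.

    Only the latest KV v2 version is copied; older versions and metadata
    stay behind in the unwrapped mount and are not seal wrapped.
    """
    migrated = []
    for path in walk_kv2(request, src):
        secret = request("GET", f"/v1/{src}/data/{path}")["data"]["data"]
        request("POST", f"/v1/{dst}/data/{path}", {"data": secret})
        migrated.append(path)
    return migrated


if __name__ == "__main__":
    # placeholder address and token; "kv" is the old mount, "kv-wrapped" the new one
    req = http_request("http://127.0.0.1:8200", "hvs.PLACEHOLDER_TOKEN")
    enable_wrapped_kv(req, "kv-wrapped")
    print(migrate_kv2(req, "kv", "kv-wrapped"))
```

Once the copied secrets are verified, disable the old mount so the unwrapped ciphertext is removed from storage, and point applications at the new path.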
*Note
Regarding the compliance letter, note that it could change in the future, as our product team is constantly interacting with auditors to have additional items tested. Please do not assume that this KB has the latest information. If in doubt, please refer to our official compliance page for the latest information regarding FIPS compliance, and feel free to raise a support ticket for further clarification.