Vault
Vault interoperability matrix
To support a variety of use cases, Vault verifies protocol implementation and integrations with partner products, appliances, and applications that support advanced data protection features.
Is your integration missing?
Join the Vault integration program to get your integration verified and added or reach out to technologypartners@hashicorp.com with questions.
IPv6 validation and compliance
Vault Enterprise supports IPv6 in compliance with OMB Mandate M-21-07 and Federal IPv6 policy requirements for the following operating systems and storage backends.
Self-attested testing covers functionality related to HSM, FIPS 140-2, and HSM/FIPS 140-2.
Operating system | OS version | Validation | Vault version |
---|---|---|---|
FreeBSD | N/A | N/A | Untested |
Linux | Amazon Linux (versions 2023) | Self-attested | ent-1.18+ |
Linux | openSUSE Leap (version 15.6) | Self-attested | ent-1.18+ |
Linux | RHEL (versions 8.10, 9.4) | Self-attested | ent-1.18+ |
Linux | SUSE SLES (version 15.6) | Self-attested | ent-1.18+ |
Linux | Ubuntu (versions 20.04, 24.04) | Self-attested | ent-1.18+ |
MacOS | N/A | N/A | Untested |
NetBSD | N/A | N/A | Untested |
OpenBSD | N/A | N/A | Untested |
Windows | N/A | N/A | Untested |
IPv6 limitations for Windows
IPv6 does not work with external plugins (plugins not built into Vault) when running on Windows in server mode because they default to IPv4 and Vault cannot override that behavior.
Backend storage system | Validation | Vault version |
---|---|---|
Consul | N/A | Untested |
Integrated Raft storage | Self-attested | ent-1.18+ |
Auto unsealing and HSM support
Hardware Security Module (HSM) support reduces the operational complexity of securing unseal keys by delegating the responsibility of securing unseal keys to trusted devices or services (instead of humans). At startup, Vault connects to the delegate device or service and provides an encrypted root key for decryption.
Vault implements HSM support with the following features:
Feature | Introduced |
---|---|
Auto unsealing | Vault 0.9 |
Entropy augmentation | Vault 1.3 |
Seal wrapping | Vault 0.9 |
The following table outlines the implementation status of HSM-related features for partners products and the minimum Vault version required for verified functionality.
Partner | Product | Auto unseal | Entropy augment | Seal wrap | Managed keys | Vault verified |
---|---|---|---|---|---|---|
AliCloud | AliCloud KMS | Yes | No | Yes | No | 0.11.2+ |
Atos | Trustway Proteccio HSM | Yes | Yes | Yes | No | 1.9+ |
AWS | AWS KMS | Yes | Yes | Yes | Yes | 0.9+ |
Crypto4a | QxEDGE&tm; HSP | Yes | Yes | Yes | Yes | 1.9+ |
Entrust | nShield HSM | Yes | Yes | Yes | Yes | 1.3+ |
Fortanix | FX2200 Series | Yes | Yes | Yes | No | 0.10+ |
FutureX | Vectera Plus, KMES Series 3 | Yes | Yes | Yes | Yes | 1.5+ |
FutureX | VirtuCrypt cloud HSM | Yes | Yes | Yes | Yes | 1.5+ |
GCP Cloud KMS | Yes | No | Yes | Yes | 0.9+ | |
Marvell | Cavium HSM | Yes | Yes | Yes | Yes | 1.11+ |
Microsoft | Azure Key Vault | Yes | No | Yes | Yes | 0.10.2+ |
Oracle | OCI KMS | Yes | No | Yes | No | 1.2.3+ |
PrimeKey | SignServer Hardware Appliance | Yes | Yes | Yes | No | 1.6+ |
Private Machines | ENFORCER Blade | Yes | No | Yes | No | 1.17.3+ |
Qrypt | Quantum Entropy Service | No | Yes | No | No | 1.11+ |
Quintessence Labs | TSF 400 | Yes | Yes | Yes | No | 1.4+ |
Securosys SA | Primus HSM | Yes | Yes | Yes | Yes | 1.7+ |
Thales | Luna HSM | Yes | Yes | Yes | Yes | 1.4+ |
Thales | Luna TCT HSM | Yes | Yes | Yes | Yes | 1.4+ |
Thales | CipherTrust Manager | Yes | Yes | Yes | No | 1.7+ |
Utimaco | HSM | Yes | Yes | Yes | Yes | 1.4+ |
Yubico | YubiHSM 2 | Yes | Yes | Yes | Yes | 1.17.2+ |
External key management (EKMS)
Vault centrally manages and automates encryption keys across environments so customers can manage external encryption keys used in third party services and products with the following plugins:
Abbreviation | Full plugin name |
---|---|
EKMMSSQL | Vault EKM provider for SQL server |
KV | Key/Value secrets engine |
KMSE | Key Management secrets engine |
KMIP | KMIP secrets engine |
PKCS#11 | PKCS#11 provider |
Transit | Transit secrets engine |
Vault verified vs HCP Vault verified
HCP Vault verified integrations work with the current version HCP Vault Dedicated. Self-managed Vault instances must meet the required minimum version for verification guarantees.
The table below indicates the plugin support for partner products, the verification status for HCP Vault Dedicated and the minimum Vault version required for verified behavior in self-managed Vault instances:
Partner | Product | Vault plugin | Vault verified | HCP Vault verified |
---|---|---|---|---|
AWS | AWS KMS | KMSE | 1.8+ | Yes |
Baffle | Shield | KV | 1.3+ | No |
Bloombase | StoreSafe | KMIP | 1.9+ | N/A |
Cloudian | HyperStore 7.5.1 | KMIP | 1.12+ | N/A |
Cockroach Labs | Cockroach Cloud DB | KMSE | 1.10+ | N/A |
Cockroach Labs | Cockroach DB | Transit | 1.10+ | Yes |
Cohesity | Cohesity DataPlatform | KMIP | 1.13.2+ | N/A |
Commvault Systems | CommVault | KMIP | 1.9+ | N/A |
Cribl | Cribl Stream | KV | 1.8+ | Yes |
DataStax | DataStax Enterprise | KMIP | 1.11+ | Yes |
Dell | PowerMax | KMIP | 1.12.1+ | N/A |
Dell | PowerProtect DDOS 8.0.X | KMIP | 1.15.2+ | N/A |
EnterpriseDB | Postgres Advanced Server | KMIP | 1.12.6+ | N/A |
Garantir | GaraSign | Transit | 1.5+ | Yes |
Google KMS | KMSE | 1.9+ | N/A | |
HPE | Exmeral Data Fabric | KMIP | 1.2+ | N/A |
Intel | Key Broker Service | KMIP | 1.11+ | N/A |
JumpWire | JumpWire | KV | 1.12+ | Yes |
Micro Focus | Connected Mx | Transit | 1.7+ | No |
Microsoft | Azure Key Vault | KMSE | 1.6+ | N/A |
Microsoft | MSSSQL | EKMMSSQL | 1.9+ | No |
MinIO | Key Encryption Service | KV | 1.11+ | No |
MongoDB | Atlas | KMSE | 1.6+ | N/A |
MongoDB | MongoDB Enterprise | KMIP | 1.2+ | N/A |
MongoDB | Client Libraries | KMIP | 1.9+ | N/A |
NetApp | ONTAP | KMIP | 1.2+ | N/A |
NetApp | StorageGrid | KMIP | 1.2+ | N/A |
Nutanix | AHV/AOS 6.5.1.6 | KMIP | 1.12+ | N/A |
Ondat | Trousseau | Transit | 1.9+ | Yes |
Oracle | MySQL | KMIP | 1.2+ | N/A |
Oracle | Oracle 19c | PKCS#11 | 1.11+ | N/A |
Percona | Server 8.0 | KMIP | 1.9+ | N/A |
Percona | XtraBackup 8.0 | KMIP | 1.9+ | N/A |
Rubrik | CDM 9.1 (Edge) | KMIP | 1.16.2+ | N/A |
Scality | Scality RING | KMIP | 1.12+ | N/A |
Snowflake | Snowflake | KMSE | 1.6+ | N/A |
Veeam | Karsten K10 | Transit | 1.9+ | N/A |
Veritas | NetBackup | KMIP | 1.13.9+ | N/A |
VMware | vSphere 7.0, 8.0 | KMIP | 1.2+ | N/A |
VMware | vSan 7.0, 8.0 | KMIP | 1.2+ | N/A |
Yugabyte | Yugabyte Platform | Transit | 1.9+ | No |