Understand available Vault editions
HashiCorp Vault is available in several editions depending on your unique business and technical requirements. In this tutorial, you assume the role of Alice from the architect team to learn about the different editions and select one for the HashiCups Vault proof-of-concept project.
Scenario
After learning about the challenges Vault can solve, Alice needs to decide which edition the HashiCups engineering team will use during its proof-of-concept. The team from HashiCorp will review the different editions of Vault with Alice.
Available Vault editions
Within the Vault family of products, HashiCorp offers two editions: Vault Community Edition and Vault Enterprise.
Both editions offer similar core capabilities for secrets management, limiting secret sprawl, and encrypting data in transit and at rest.
Vault Enterprise adds features that enable use cases such as disaster recovery, syncing secrets from Vault to other cloud service providers, and advanced event management.
| Features | Community | Enterprise |
|---|---|---|
| Integrated Storage and Consul backend | ✅ | ✅ |
| Third party storage backend | ✅ | ❌ |
| HSM auto-unseal | ✅ | ✅ |
| Multi-factor authentication (auth) | ✅ | ✅ |
| Multi-factor authentication (path) | ❌ | ✅ |
| Single sign-on support | ✅ | ✅ |
| Security Assertion Markup Language (SAML) | ❌ | ✅ |
| Observability data and audit logs | ✅ | ✅ |
| Event notifications and filtering | ✅ | ✅ |
| Cloud provider authentication support | ✅ | ✅ |
| Kubernetes authentication support | ✅ | ✅ |
| Static secrets engine | ✅ | ✅ |
| Dynamic secrets engines | ✅ | ✅ |
| Secrets import | ❌ | ✅ |
| Secrets sync | ❌ | ✅ |
| Control groups | ❌ | ✅ |
| Sentinel | ❌ | ✅ |
| FIPS 140-2 & seal wrap | ❌ | ✅ |
| KMIP secrets engine | ❌ | ✅ |
| Key management secrets engine | ❌ | ✅ |
| Transform secrets engine | ❌ | ✅ |
| Performance replication | ❌ | ✅ |
| Disaster Recovery (DR) replication | ❌ | ✅ |
Which Vault edition should HashiCups consider to support disaster recovery replication?
Vault Enterprise supports disaster recovery replication.
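Before relying on an Enterprise-only feature such as DR replication, a practitioner usually wants to confirm which edition a given binary or cluster actually is. The following shell snippet is an added example, not part of the tutorial. It relies on the fact that Vault Enterprise builds report a `+ent` build-metadata suffix in their version string (for example `1.17.2+ent`, `1.17.2+ent.hsm`, `1.17.2+ent.fips1402`) while Community builds report a bare version such as `1.17.2`, and it encodes the Enterprise-only rows of the table above; the live query in the comment assumes the `vault` CLI, `jq` and a reachable cluster via `VAULT_ADDR`.

```shell
#!/usr/bin/env sh
# Added example: classify a Vault build from its version string and check
# whether an edition-gated feature from the editions table is available.

# Prints one of: community | enterprise | enterprise-hsm | enterprise-fips
vault_edition() {
  case "$1" in
    *+ent*fips1402*) echo "enterprise-fips" ;;   # FIPS 140-2 Enterprise build
    *+ent.hsm*)      echo "enterprise-hsm" ;;    # Enterprise HSM build
    *+ent*)          echo "enterprise" ;;        # standard Enterprise build
    *)               echo "community" ;;         # no +ent suffix: Community
  esac
}

# Returns 0 if feature $2 is supported on edition $1, 1 otherwise.
# The Enterprise-only list mirrors the ❌/✅ rows of the table above.
feature_supported() {
  case "$2" in
    dr_replication|performance_replication|secrets_sync|secrets_import|\
    control_groups|sentinel|kmip|key_management|transform|saml|mfa_path|\
    fips_seal_wrap)
      case "$1" in
        enterprise*) return 0 ;;
        *)           return 1 ;;
      esac ;;
    third_party_storage)
      # The table lists third party storage backends as Community-only
      [ "$1" = "community" ] ;;
    *)
      # Every other row in the table is available in both editions
      return 0 ;;
  esac
}

# Live check against a reachable cluster (assumes vault CLI, VAULT_ADDR, jq):
#   ed=$(vault_edition "$(vault status -format=json | jq -r .version)")
#   feature_supported "$ed" dr_replication && echo "DR replication available on $ed"
```

The version string is the cheapest signal available without a token: `vault status` is unauthenticated, so this check can run from a CI job or a bootstrap script before any policy decisions depend on an Enterprise-only feature.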
Deployment options
Different deployment options are available to support HashiCups business needs. Vault Community Edition supports a self-managed deployment model.
Vault Enterprise can also be deployed in a self-managed environment, and is additionally available as a managed service through the HashiCorp Cloud Platform (HCP).
When deploying in a self-managed model, HashiCups would be responsible for the design, deployment, security, reliability, scaling, and upgrading of the Vault cluster. When using HCP Vault Dedicated, HashiCups would only need to select the appropriate size and tier for the Vault cluster.
Some features such as FIPS 140-2 and seal wrapping are not available with the HCP deployment option.
Select a Vault edition
(Persona: architect)
As the lead architect for the project, Alice needs to map business requirements to the features available in Vault Community Edition and Vault Enterprise.
Alice creates the following table to map HashiCups business requirements to the Vault features the team would like to test during the POC.
| Business requirements | Community | Enterprise |
|---|---|---|
| Data encrypted in transit and at rest | ✅ | ✅ |
| Restrict access to cloud environments | ✅ | ✅ |
| Time box access to cloud environments | ✅ | ✅ |
| Securely store API keys, passwords, certs | ✅ | ✅ |
| Disaster recovery support | ❌ | ✅ |
| Scale to meet business demand | ❌ | ✅ |
| Not isolated to specific cloud provider | ✅ | ✅ |
After reviewing the business requirements, Alice determines that Vault Community Edition may not meet production requirements. Alice meets with the architect team to share her assessment that Vault Community Edition does support enough of the HashiCups requirements to use it for the POC. They also agree that Vault Community Edition has a valid use case for non-production environments such as developer use.
Summary
Vault is available in two editions: Vault Community Edition and Vault Enterprise. Both editions support multiple installation and deployment options, with Vault Enterprise also available from the HashiCorp Cloud Platform (HCP).