Securing VMware and NetApp Data with HashiCorp Vault

We are excited to announce that HashiCorp Vault Enterprise has successfully completed product compatibility validations for both VMware vSphere and NetApp ONTAP. Vault Enterprise can be used as a flexible, very cost-effective, and scalable external key manager solution using the built-in Key Management Interoperability Protocol (or KMIP) standard for securing and encrypting storage systems.

If you would like to learn more, we have released two new white papers that highlight these certified integrations:

»Key Management Interoperability Protocol (KMIP)

Back in Vault Enterprise 1.2, we announced the introduction of a new Secret Engine that supports Vault serving as a KMIP Server for client requests. This allows Vault to integrate with an ecosystem of over a hundred common enterprise platforms for use cases such as Transparent Database Encryption (TDE); Full Disk Encryption (FDE) and virtual volume encryption; and multi-cloud/hybrid cloud Bring Your Own Key (“BYOK”) key management.

»Challenge

Organizations often store highly sensitive, personal data, which must be protected. Leakage of such data can lead to financial loss, reputational damage, legal ramifications, and more. There are often requirements to comply with data protection standards and regulations like the PCI DSS, GDPR, HIPAA, etc.

The OASIS Key Management Interoperability Protocol (KMIP) standard is a widely adopted protocol for handling cryptographic workloads and secrets management for enterprise infrastructure such as databases, network storage, and virtual/physical servers.

When an organization has services and applications that need to perform cryptographic operations (e.g. transparent database encryption, full disk encryption, etc.), it often delegates the key management task to an external provider via the KMIP protocol. As a result, your organization may have existing services or applications that implement KMIP or use wrapper clients with libraries/drivers that implement KMIP. This makes it difficult for an organization to adopt the Vault API in place of KMIP.

»Solution

Vault Enterprise v1.2 introduced the KMIP secrets engine, which allows Vault to act as a KMIP server for clients that retrieve cryptographic keys for encrypting data via the KMIP protocol.

Vault's KMIP secrets engine manages its own listener to service KMIP requests which operate on KMIP managed objects. Vault policies do not come into play during these KMIP requests. The KMIP secrets engine determines the set of KMIP operations the clients are allowed to perform based on the roles that are applied to a TLS client certificate.

This enables existing systems to continue using the KMIP APIs instead of Vault APIs.
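The authorization model described above (operations granted per role, with the role bound to a TLS client certificate) maps to a handful of Vault CLI calls. The script below is an added example, not taken from the original post or the white papers; the scope and role names, the listener address, and the list of operations are assumptions to adjust for the actual client, and it only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: least-privilege KMIP role for one storage client.
# Dry run by default; APPLY=1 executes against a Vault Enterprise server
# that the current shell is already authenticated to.
KMIP_LISTEN="${KMIP_LISTEN:-10.0.0.10:5696}"   # constructed address (assumption)

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Turn operation names into operation_<name>=true arguments.
# Refuses an empty list, malformed names, and the catch-all operation_all.
role_args() {
  [ "$#" -gt 0 ] || { echo "no operations given" >&2; return 1; }
  for op in "$@"; do
    case "$op" in
      all) echo "refusing operation_all: list operations explicitly" >&2; return 1 ;;
      ''|*[!a-z_]*) echo "bad operation name: $op" >&2; return 1 ;;
    esac
  done
  for op in "$@"; do printf 'operation_%s=true ' "$op"; done
}

setup_kmip_client() {
  scope=$1; role=$2; shift 2
  args=$(role_args "$@") || return 1       # validate before touching Vault
  run vault secrets enable kmip
  run vault write kmip/config listen_addrs="$KMIP_LISTEN"
  run vault write -f "kmip/scope/$scope"
  # Word splitting of $args is intended: one argument per operation.
  run vault write "kmip/scope/$scope/role/$role" $args
  # Review what the role grants before issuing a certificate for it.
  run vault read "kmip/scope/$scope/role/$role"
  # The TLS client certificate generated here carries the role's permissions.
  run vault write "kmip/scope/$scope/role/$role/credential/generate" format=pem
}

# Hypothetical scope/role and operation set for a storage encryption client.
setup_kmip_client storage array-kms create get activate locate destroy
```

Because Vault policies are not evaluated on KMIP requests, the role's operation list is the only authorization boundary for whoever holds the generated certificate and key, so store them with the same care as the keys they unlock.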

»Securing VMware Data with HashiCorp Vault

Using KMIP, Vault Enterprise and VMware can be seamlessly integrated to secure data within a VMware environment. Vault recently completed VMware product compatibility validation against vSphere 6.5 and 6.7 to satisfy our customers' requirements for certified solutions when using Vault and VMware. See the VMware Compatibility Guide for the latest validations of Vault with vSphere.

Please review the HashiCorp Vault Enterprise Securing VMware Data white paper to learn more about this certified integration.

»Securing NetApp Data with HashiCorp Vault

HashiCorp’s Vault Enterprise can be used as a flexible, very cost-effective, and scalable external key manager solution. It is certified by NetApp, supports the OASIS KMIP protocol, and integrates with any PKCS #11 compliant HSM. Vault recently completed NetApp product interoperability validation against ONTAP 9.7, 9.6, and 9.3 to satisfy our customers' requirements for certified solutions when using Vault and NetApp. See NetApp’s Interoperability Matrix Tool (IMT) for the latest validations of Vault with NetApp.

Please review the HashiCorp Vault Enterprise Securing NetApp Data white paper to learn more about this certified integration.

»Summary

When using HashiCorp Vault Enterprise as an external key manager for backend storage encryption, organizations can save money, time, and resources. Vault is fully software-based and scalable and offers multiple integrations including for public clouds. It offers great automation capabilities that reduce risks.
