We are excited to announce that HashiCorp Vault is now validated on Google Cloud Platform’s Confidential Computing service. Confidential Computing allows HashiCorp Vault to operate in environments with resilient host-based security that adds protection through hardware memory encryption.
Confidential Computing is a new technique for protecting data and applications while they are in memory. HashiCorp Vault enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys that protect machines and applications. When combined with Google Cloud Platform’s Confidential Computing capabilities, confidentiality extends to the HashiCorp Vault server’s system memory, so that malware, malicious privileged users, or 0-days on the host cannot compromise data.
In the past, when sensitive data such as keys, certificates, or other secrets had to be processed in memory, there was no easy way to keep that data protected: data loaded into memory traditionally sat there in clear text. With the advent of confidential computing, that data is now encrypted by the hardware. We recommend that production users of Vault review our production hardening guide, which provides best-practice guidance based on Vault’s security model, with a focus on keeping secret data secure.
Google Cloud's first product in the confidential computing space is Confidential VMs. Confidential VMs leverage 2nd Gen AMD EPYC™ CPUs with the Secure Encrypted Virtualization (SEV) extension enabled. Confidential VMs encrypt guest VM memory in hardware, with keys generated by an AMD secure processor. The keys used to encrypt this memory are unique and randomly generated per VM, and, most importantly, they are non-extractable: neither Google nor AMD nor anyone else is able to access or extract them.
The firmware and kernel of the Confidential VM’s OS are hardened and monitored for any changes. In addition, Confidential VMs provide customers with evidence that their applications and data processing run in a confidential computing environment, with audit records sent to the cloud logging service.
HashiCorp Vault allows organizations to eliminate system complexity where mistakes and misconfiguration can lead to breaches or data leakage that in turn halt operations and erode customer trust. Together, HashiCorp Vault and Google’s Confidential Computing help organizations manage their most critical secrets and assets. This covers the entire life cycle, from creation to sharing and distribution, to the revocation or expiration of credentials and secrets.
Google’s Confidential Computing approach allows users to encrypt data in use without changing their application code or compromising application performance.
Because there are no code changes and no performance degradation, HashiCorp Vault gains an additional level of cryptographic isolation when processing or operating on secrets in memory.
In the following video, Nelly Porter, Product Manager for Google Cloud, walks through what the GCP Confidential Computing VMs look like, and gets hands-on at the console.
To get started with Vault on Confidential Compute nodes in Google Cloud Platform, first create a VM instance with the Confidential VM service enabled. Then, to run Vault, make sure the VM is running either a Debian/Ubuntu or a CentOS/RedHat variant of Linux. Next, follow the instructions for installing Vault from the HashiCorp Linux package repositories. Finally, use the Vault Getting Started guide to get hands-on with Vault in development mode.
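The steps above, written out end to end as an added example (this is not HashiCorp's or Google's own script). It assumes an authenticated gcloud CLI on the workstation for the provisioning step, and that the install and run steps are executed inside the guest. The project id, zone and instance name are placeholders; the gcloud flags, the N2D machine type and TERMINATE maintenance policy are the documented requirements for Confidential VMs, and the kernel "Memory Encryption Features active" boot message is what the guest check looks for before Vault is started, which ties the "evidence" point above to something an operator can verify from both the API and the guest.

```shell
#!/usr/bin/env bash
# Added example, not from the HashiCorp post. Placeholders: PROJECT, ZONE, NAME.
set -euo pipefail

PROJECT="${PROJECT:-my-gcp-project}"   # placeholder: replace with your project id
ZONE="${ZONE:-us-central1-a}"          # placeholder
NAME="${NAME:-vault-cvm}"              # placeholder

# Step 1: build the gcloud command that creates a Confidential VM. SEV requires an
# N2D (2nd Gen AMD EPYC) machine type and a TERMINATE maintenance policy (no live
# migration), plus a SEV-capable image; Ubuntu 20.04 LTS is used here.
create_cvm_cmd() {
  local name="$1" project="$2" zone="$3"
  printf '%s' "gcloud compute instances create ${name}" \
    " --project=${project} --zone=${zone}" \
    " --machine-type=n2d-standard-2 --confidential-compute" \
    " --maintenance-policy=TERMINATE" \
    " --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud"
}

# Step 2 (control-plane view): ask the API whether the instance really has
# confidential compute enabled instead of trusting the command that was typed.
cvm_enabled_on_api() {
  gcloud compute instances describe "$1" --project="$2" --zone="$3" \
    --format='value(confidentialInstanceConfig.enableConfidentialCompute)'
}

# Step 3 (guest view): the Linux kernel logs active memory encryption at boot,
# e.g. "AMD Memory Encryption Features active: SEV" (newer kernels print
# "Memory Encryption Features active: AMD SEV"). Reads dmesg text on stdin so
# the check can be exercised with constructed input; plain grep (not -q) so the
# whole input is consumed and pipefail never trips on an early exit.
sev_active() {
  grep 'Memory Encryption Features active:.*SEV' >/dev/null
}

# Step 4: install Vault from the HashiCorp Linux package repositories
# (apt for Debian/Ubuntu, yum for CentOS/RHEL).
install_vault() {
  if command -v apt-get >/dev/null; then
    wget -O- https://apt.releases.hashicorp.com/gpg \
      | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
      | sudo tee /etc/apt/sources.list.d/hashicorp.list >/dev/null
    sudo apt-get update && sudo apt-get install -y vault
  else
    sudo yum install -y yum-utils
    sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
    sudo yum install -y vault
  fi
}

# Step 5: start Vault in dev mode only once the guest reports SEV active.
# Dev mode is in-memory and auto-unsealed: for getting hands-on, not production.
start_dev_vault() {
  if ! sudo dmesg | sev_active; then
    echo "kernel does not report SEV memory encryption; refusing to start Vault" >&2
    return 1
  fi
  vault server -dev
}

case "${1:-}" in
  provision)
    cmd=$(create_cvm_cmd "$NAME" "$PROJECT" "$ZONE")
    echo "+ $cmd"
    $cmd                                   # word-split on purpose: no quoting needed here
    echo "confidential compute enabled: $(cvm_enabled_on_api "$NAME" "$PROJECT" "$ZONE")"
    ;;
  install) install_vault ;;
  run)     start_dev_vault ;;
  *)       echo "usage: $0 {provision|install|run}" >&2 ;;
esac
```

Run `./vault-cvm.sh provision` from the workstation, then `install` and `run` inside the guest. The API field and the kernel message are independent pieces of evidence: the first proves the instance was created as a Confidential VM, the second proves the guest booted with memory encryption actually active.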