» Security

» Our Security Policy

We understand that many users place a high level of trust in HashiCorp and the tools we make to develop code, streamline DevOps, and manage mission-critical infrastructure. HashiCorp makes the privacy of customer data and the security of our tools and services a top priority. We apply best practices and focus on security to make sure we can maintain the trust of our customers.

» Privacy

Each HashiCorp product provides a published privacy policy that discloses what information may be collected and how it is used. Please see our individual products for their specific policy. For any specific questions, please contact security@hashicorp.com.

» Vulnerability Reporting

We deeply appreciate any effort to disclose responsibly.

If you would like to report a vulnerability, or have any security concerns with a HashiCorp product, please e-mail security@hashicorp.com. For non-critical matters, we prefer customers open a ticket with the appropriate product.

In order for us to best investigate your request, please include any of the following when reporting:

  • Proof of concept
  • Any tools, including versions, used
  • Tool output

We take all disclosures very seriously and will do our best to rapidly respond and verify the vulnerability before taking the necessary steps to fix it. After our initial reply to your disclosure, which should be directly after receiving it, we will periodically update you with the status of the fix.

» Secure Communications

If you would like to secure your communications with us, the following PGP key can be used. You can also fetch our key from Keybase or from most keyservers with the key ID 51852D87348FFC4C and fingerprint 91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C.


» Checksum Verification

If you would like to verify the checksum of a HashiCorp download (such as one from the HashiCorp releases service), please note that only the SHASUM file is signed by the GPG key above. The binaries themselves are not signed, but rather hashed. To verify the integrity of a particular binary:

  • Download the binary, SHASUM, and SHASUM.sig files
  • Verify the SHASUM file is properly signed
  • Verify the SHASUM in the file matches the binary

For example:

# This is the public key from above - one-time step.
gpg --import hashicorp.asc

# Download the binary and signature files.
curl -Os https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_linux_amd64.zip
curl -Os https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_SHA256SUMS
curl -Os https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_SHA256SUMS.sig

# Verify the signature file is untampered.
gpg --verify vault_0.5.2_SHA256SUMS.sig vault_0.5.2_SHA256SUMS

# Verify the SHASUM matches the binary.
shasum -a 256 -c vault_0.5.2_SHA256SUMS
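
The commands above accept a good signature from any key in the local keyring, and `shasum -c` also reports the SHASUM entries for files that were not downloaded. The following added example (not HashiCorp's own script) makes both steps fail closed by pinning the fingerprint published on this page and checking only the downloaded file's entry. The function names are hypothetical.

```shell
# Added example. Fingerprint is the one published on this page, spaces removed.
HASHICORP_FPR="91A6E7F85D05C65630BEF18951852D87348FFC4C"

# Reads `gpg --status-fd 1 --verify SIG SUMS` output on stdin. Succeeds only if
# gpg reported GOODSIG (so not an expired or revoked key) and a VALIDSIG line
# names the pinned fingerprint as the signing key or as its primary key.
sig_matches_pinned_key() {
  awk -v fpr="$1" '
    $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { pinned = 1 }
    END { exit !(good && pinned) }'
}

# Prints the SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Compares FILE against its own line in the SHASUM file only.
# Returns 0 on match, 1 on mismatch, 2 when the file has no entry.
checksum_matches() {
  local sums="$1" file="$2" name expected actual
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
  [ -n "$expected" ] || return 2
  actual=$(sha256_of "$file")
  [ "$expected" = "$actual" ]
}

# verify_release SHASUM_FILE SIG_FILE BINARY
# The signature is checked first, so the hash list is trusted only once signed.
verify_release() {
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
    | sig_matches_pinned_key "$HASHICORP_FPR" \
    || { echo "SHASUM file not signed by the pinned key" >&2; return 1; }
  checksum_matches "$1" "$3" \
    || { echo "checksum mismatch or no entry for $3" >&2; return 1; }
}
```

Call it as `verify_release vault_0.5.2_SHA256SUMS vault_0.5.2_SHA256SUMS.sig vault_0.5.2_linux_amd64.zip` after importing the key.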