Security at HashiCorp

We know our users place a high level of trust in HashiCorp and the products we make to manage mission-critical infrastructure. The security of customer data, of our products, and of our services is a top priority. HashiCorp's security program starts at the foundational level and includes internal threat models, routine internal and external security assessments, and secure software development practices.

Security Team

HashiCorp has a fully staffed team of security professionals dedicated to protecting and improving the security posture of the company and its products. The broader security team consists of:

  • Detection & Response
  • Cloud Security
  • Product Security
  • Corporate Information Security
  • Red Team, and
  • Governance, Risk and Compliance (GRC).

Compliance Program

We have a team dedicated to the compliance program and are committed to providing our customers with the security documentation they need to build a foundation of trust in our company and products. We have recently passed a SOC 2 Type I audit and are able to share our SOC 3 report. If you have any questions about our security program, please email security@hashicorp.com.

Privacy

HashiCorp respects your privacy and is committed to protecting your Personal Information (any information that relates to an identified or identifiable individual). Our belief is that any Personal Information provided to us by you is just that: personal and private.

We do not rent, sell or trade your Personal Information.

Our full privacy policy is available at https://www.hashicorp.com/privacy. For any privacy-related questions, including Data Subject Requests, please email privacy@hashicorp.com.

Abuse

HashiCorp takes all abuse complaints seriously and can assist in investigation of abuse associated with HashiCorp-managed services.

Information regarding how to report abuse is available at https://www.hashicorp.com/abuse.

Penetration Tests

HashiCorp hires reputable external third parties to perform regular security assessments and penetration tests of our products. Please email security@hashicorp.com to request those reports.

Security Updates & Vulnerability Alerts

HashiCorp publishes security updates, which address security vulnerabilities in HashiCorp products, in the Security category of HashiCorp Discuss. This is directly accessible at https://discuss.hashicorp.com/c/security/.

Please follow the documented steps to subscribe to email notifications or RSS for all or product-specific HashiCorp security updates.

Vulnerability Reporting

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly.

If you would like to report a vulnerability in one of our products, or have security concerns regarding HashiCorp software, please email security@hashicorp.com.

So that we can respond to your report effectively, please include as much of the following as applies:

  • Steps to reproduce or proof-of-concept
  • Any relevant tools, including versions used
  • Tool output

We take all disclosures very seriously and will do our best to respond rapidly and verify the vulnerability before taking the necessary steps to address it. After our initial reply, which should follow promptly after we receive your report, we will update you periodically on our response and remediation status.

Secure Communications

If you would like to secure your communications with us, use our PGP key. You can fetch it from Keybase or from most keyservers with the key ID 51852D87348FFC4C. Before using it, confirm that its fingerprint is 91A6 E7F8 5D05 C656 30BE F189 5185 2D87 348F FC4C, since the full fingerprint, not the short key ID, is what identifies the key.

Archive Checksum Verification

If you would like to verify a HashiCorp download (such as one from the HashiCorp releases service), note that only the SHASUM file is signed by the GPG key above. The archives themselves are not signed; they are hashed, and the signature over the list of hashes is what ties each archive to HashiCorp. Both checks are required: a matching hash without a valid signature proves nothing, because whoever could replace the archive could also replace the SHASUM file. To verify the integrity of a particular archive:

  • Download the archive, SHASUM, and SHASUM.sig files
  • Verify the SHASUM file is properly signed
  • Verify the SHASUM in the file matches the archive

For example:

# Import the HashiCorp public key (saved as hashicorp.asc after fetching it
# as described under Secure Communications) - one-time step.
gpg --import hashicorp.asc

# Download the archive, the checksum file and its detached signature.
# -f makes curl fail on an HTTP error instead of saving the error page as the file.
curl -fsSLO https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_linux_amd64.zip
curl -fsSLO https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_SHA256SUMS
curl -fsSLO https://releases.hashicorp.com/vault/0.5.2/vault_0.5.2_SHA256SUMS.sig

# Verify the checksum file is signed by the HashiCorp key. Check that the
# fingerprint gpg prints matches the one above; a "Good signature" from an
# unexpected key in your keyring is not a pass.
gpg --verify vault_0.5.2_SHA256SUMS.sig vault_0.5.2_SHA256SUMS

# Verify the archive matches its entry. The SHA256SUMS file lists every
# platform build, so select the line for the archive actually downloaded
# rather than checking the whole file (which would report the others missing).
grep linux_amd64.zip vault_0.5.2_SHA256SUMS | shasum -a 256 -c
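The procedure above turned into a reusable script, added here as an example rather than HashiCorp's own tooling. It goes a step further than the commands above in two ways: it pins the signing key's fingerprint by parsing gpg's machine-readable status output (so a "Good signature" from some other key in the keyring does not pass), and it checks only the SHA256SUMS entry for the archive actually downloaded, since the sums file lists every platform build. It assumes gpg, curl and either sha256sum or shasum are installed and that the HashiCorp key has already been imported; the pinned fingerprint is the one quoted under Secure Communications, and the product, version and platform arguments, URL layout and file names follow the vault 0.5.2 example above.

```shell
#!/bin/sh
# Added example, not HashiCorp's own tooling. Verifies one HashiCorp release
# archive against its signed SHA256SUMS file with the signing key pinned.
# Assumptions (not from the original page): gpg, curl and sha256sum or shasum
# are installed, and the HashiCorp key has already been imported.
set -eu

# Fingerprint of the HashiCorp signing key quoted under Secure Communications.
HASHICORP_FPR="91A6E7F85D05C65630BEF18951852D87348FFC4C"

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if SUMSFILE lists ARCHIVE with a hash equal to the file's actual
# hash. Only the entry for this archive is compared, because the sums file
# covers every platform build and "shasum -c" over the whole file would
# complain about the builds that were never downloaded.
verify_sum() {
  sumsfile=$1; archive=$2
  expected=$(awk -v f="$(basename "$archive")" '$2 == f {print $1}' "$sumsfile")
  [ -n "$expected" ] || { echo "no entry for $archive in $sumsfile" >&2; return 1; }
  [ "$expected" = "$(sha256_of "$archive")" ]
}

# Read gpg --status-fd output on stdin and return 0 only if it contains a
# VALIDSIG line whose signing-key or primary-key fingerprint equals PINNED.
# VALIDSIG fields: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver>
#                  <reserved> <pk-algo> <hash-algo> <class> <primary-key-fpr>
# The last field matters when the signature was made by a subkey.
validsig_from_pinned_key() {
  awk -v fpr="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Verify SIG over SUMSFILE: gpg itself must accept the signature, and the
# key that made it must be the pinned one.
verify_signature() {
  sig=$1; sumsfile=$2
  if ! status=$(gpg --batch --status-fd 1 --verify "$sig" "$sumsfile" 2>/dev/null); then
    echo "gpg rejected the signature on $sumsfile" >&2; return 1
  fi
  printf '%s\n' "$status" | validsig_from_pinned_key "$HASHICORP_FPR"
}

# Download and verify one build, e.g. fetch_and_verify vault 0.5.2 linux_amd64
fetch_and_verify() {
  product=$1; version=$2; platform=$3
  base="https://releases.hashicorp.com/$product/$version"
  archive="${product}_${version}_${platform}.zip"
  sums="${product}_${version}_SHA256SUMS"
  for f in "$archive" "$sums" "$sums.sig"; do
    curl -fsSLO "$base/$f"
  done
  verify_signature "$sums.sig" "$sums"
  verify_sum "$sums" "$archive"
  echo "verified $archive" >&2
}

# Run as: ./verify_release.sh vault 0.5.2 linux_amd64
if [ $# -eq 3 ]; then
  fetch_and_verify "$1" "$2" "$3"
fi
```

Because verify_signature pipes gpg's status lines through the fingerprint check, importing extra keys into the keyring (or an attacker publishing a key with a colliding short ID) cannot turn a signature from the wrong key into a pass; the exit status of the script is what a build pipeline should gate on.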

Code Signature Verification

HashiCorp Authenticode signs Microsoft Windows executables and code signs Apple macOS executables.

Apple macOS

Use Apple's codesign utility to verify the integrity of an Apple macOS executable and check that the TeamIdentifier field matches the one below. codesign writes the display output to stderr, so redirect it (2>&1) if you pipe the output into another tool.

codesign --verify -d --verbose=2 /usr/local/bin/terraform

Executable=/usr/local/bin/terraform
Identifier=terraform
...
Authority=Developer ID Application: Hashicorp, Inc. (D38WU7D763)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
TeamIdentifier=D38WU7D763
...
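A shell gate built on the same two checks, added here as an example and not Apple's or HashiCorp's code: codesign's own verification must pass, and the TeamIdentifier parsed from the display output must equal D38WU7D763. The parsing is kept separate from the codesign invocation so the matching logic can be exercised against captured output on any system; an ad-hoc or unsigned binary, for which codesign prints "TeamIdentifier=not set" or no such line at all, must fail rather than match. The binary path argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Apple's or HashiCorp's tooling. Gates execution of a
# macOS binary on codesign verification plus a pinned TeamIdentifier.
# Assumptions (not from the original page): macOS with /usr/bin/codesign
# when verify_macos_binary is used; the parsing helpers run anywhere.
set -eu

# Team ID from the Developer ID certificate shown on the page.
HASHICORP_TEAM_ID="D38WU7D763"

# Read `codesign -d --verbose=2` output on stdin and print the value of the
# TeamIdentifier line, or nothing if there is no such line.
team_identifier() {
  awk -F= '$1 == "TeamIdentifier" { print $2; exit }'
}

# Return 0 only if the TeamIdentifier read from stdin equals EXPECTED.
# A missing line or the literal "not set" (ad-hoc signature) is a failure.
team_id_matches() {
  expected=$1
  got=$(team_identifier)
  [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Full check for one binary. codesign sends display output to stderr, hence
# the 2>&1 before the pipe; --strict tightens the verification rules.
verify_macos_binary() {
  bin=$1
  codesign --verify --strict --verbose=2 "$bin" || return 1
  codesign -d --verbose=2 "$bin" 2>&1 | team_id_matches "$HASHICORP_TEAM_ID"
}

# Run as: ./check_team_id.sh /usr/local/bin/terraform
if [ $# -eq 1 ]; then
  if verify_macos_binary "$1"; then
    echo "$1: signed by team $HASHICORP_TEAM_ID" >&2
  else
    echo "$1: signature or team identifier check failed" >&2
    exit 1
  fi
fi
```

Matching on TeamIdentifier rather than on the human-readable Authority line avoids being fooled by a certificate whose organization name merely looks like HashiCorp's; the team ID is assigned by Apple and appears in the certificate itself.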

Microsoft Windows

Use Microsoft's Get-AuthenticodeSignature cmdlet to verify the integrity of a Microsoft Windows executable. Check that Status is Valid and that the SignerCertificate Thumbprint matches the one below; a matching thumbprint on a signature whose Status is anything else is not a pass. A thumbprint identifies one certificate, so it changes whenever HashiCorp renews its signing certificate (the certificate shown is valid from 16 January 2020 to 20 January 2023); when verifying a newer release, compare the Subject and issuer chain as well and update the pinned thumbprint from a trusted source.

$sig = Get-AuthenticodeSignature -FilePath terraform.exe
$sig.Status                         # must be Valid
$sig.SignerCertificate | Format-List

Subject      : CN="HashiCorp, Inc.", O="HashiCorp, Inc.", L=San Francisco, S=California, C=US
Issuer       : CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Thumbprint   : 35AB9FC834D217E9E7B1778FB1B97AF7C73792F2
FriendlyName :
NotBefore    : 16/01/2020 00:00:00
NotAfter     : 20/01/2023 12:00:00
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
               System.Security.Cryptography.Oid...}