Security at HashiCorp
We know our users place a high level of trust in HashiCorp and the products we make to manage mission critical infrastructure. The security of customer data, of our products, and of our services is a top priority. HashiCorp’s best-in-class security starts at the foundational level and includes internal threat models, routine internal and external security assessments, and secure software development.
Security Team
HashiCorp has a fully staffed team of security professionals dedicated to securing, protecting and improving the security posture of the company and its products. The broader security team consists of:
Detection & Response
Cloud Security
Product Security
Corporate Information Security
Red Team, and
Governance, Risk and Compliance (GRC).
Compliance Program
We have a team dedicated to our compliance program and are committed to providing our customers with all relevant security documentation to build a foundation of trust in our company and products. As of December 2020, we now have a SOC 2 Type II report, and an ISO 27001 certification covering the following Products:
Enterprise Products
Cloud Products
ISO 27001, 27017, 27018
ISO 27001 is a compliance framework that focuses on security and risk management processes.
Download our ISO 27001 certificate for all products
ISO 27017 is a compliance framework that focuses on security controls for cloud services.
Download our ISO 27017 certificate for HCP Consul, HCP Vault, and TFC
ISO 27018 is a compliance framework that focuses on privacy controls for cloud services.
Download our ISO 27018 certificate for HCP Consul, HCP Vault, and TFC
SOC 2
SOC 2 is a restricted use audit report that focuses on controls relevant to security, availability, and confidentiality of a cloud service or product.
Download our SOC 2 Type II report for our Enterprise and Cloud Products
SOC 3
SOC 3 is a general use audit report that focuses on controls relevant to security, availability, and confidentiality of a cloud service or product.
Download our SOC 3 report for our Enterprise and Cloud Products
If you have any additional questions around our security program, please email customertrust@hashicorp.com
Penetration Tests
HashiCorp hires external, reputable third parties to perform regular security assessment and penetration testing of our products. Please email customertrust@hashicorp.com for those reports.
Privacy
HashiCorp respects your privacy and is committed to protecting your Personal Information (any information that relates to an identified or identifiable individual). Our belief is that any Personal Information provided to us by you is just that: personal and private.
We do not rent, sell or trade your Personal Information.
Our full privacy policy is available at https://www.hashicorp.com/privacy. To submit a data subject request please visit privacy.hashicorp.com. For any privacy related questions, please email privacy@hashicorp.com.
Abuse
HashiCorp takes all abuse complaints seriously and can assist in investigation of abuse associated with HashiCorp-managed services.
Information regarding how to report abuse is available at https://www.hashicorp.com/abuse.
Security Updates & Vulnerability Alerts
HashiCorp publishes security updates, which address security vulnerabilities in HashiCorp products, in the Security category of HashiCorp Discuss. This is directly accessible at https://discuss.hashicorp.com/c/security/.
Please follow the documented steps to subscribe to email notifications or RSS for all or product-specific HashiCorp security updates.
Vulnerability Reporting
We deeply appreciate any effort to discover and coordinate the disclosure of security vulnerabilities. HashiCorp does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports, but individuals may be acknowledged in product security bulletins as appropriate.
If you would like to report a vulnerability in one of our products or services, or have security concerns regarding HashiCorp software or systems, please email security@hashicorp.com.
To support a timely and effective response to your report, please include any of the following:
Steps to reproduce or proof-of-concept
Any relevant tools, including versions used
Tool output
HashiCorp takes all vulnerability reports very seriously and aims to respond rapidly and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, which should follow promptly after we receive it, we will update you periodically with our response and remediation status.
Security issues related to HashiCorp-owned domains/properties that we have already assessed for risk and will address in future include:
HTTPS configuration, including supported TLS versions & ciphersuites
HTTP headers, for purposes including Strict Transport Security, Content Security Policy, and clickjacking/XSS protection
DNS records including those related to email (SPF, DKIM, DMARC) and certificate issuance (CAA).
PGP Public Key
HashiCorp’s current PGP public key can be fetched from Keybase or from most keyservers with the key ID 72D7468F and fingerprint C874 011F 0AB4 0511 0D02 1055 3436 5D94 72D7 468F. It is also available at https://www.hashicorp.com/.well-known/pgp-key.txt.
Secure Communications
The current PGP public key referenced above can be used to encrypt email to security@hashicorp.com.
Release Archive Checksum Verification
If you would like to verify the checksum of a HashiCorp download (such as one from the HashiCorp releases service), please note that only the SHA256SUM file is signed by the GPG key above. The archives themselves are not signed, but rather hashed. To verify the integrity of a particular archive:
Download the archive, SHA256SUM, and SHA256SUM.sig files (multiple .sig files may be present, named with the associated signing PGP key ID)
Verify the SHA256SUM file is properly signed
Verify the SHA256SUM in the file matches the archive
For example:
# Import the public key as referenced above, or available in full below.
gpg --import hashicorp.asc
# Download the archive and signature files.
curl -Os https://releases.hashicorp.com/vault/1.7.1/vault_1.7.1_linux_amd64.zip
curl -Os https://releases.hashicorp.com/vault/1.7.1/vault_1.7.1_SHA256SUMS
curl -Os https://releases.hashicorp.com/vault/1.7.1/vault_1.7.1_SHA256SUMS.sig
# Verify the signature file is untampered. "Good signature" only means some key in
# your keyring signed it, so also confirm the fingerprint gpg prints is the one listed above.
gpg --verify vault_1.7.1_SHA256SUMS.sig vault_1.7.1_SHA256SUMS
# Verify the SHASUM matches the archive. The SHA256SUMS file lists the archive for
# every platform, so files you did not download are reported as missing; look for
# the "OK" line for your archive, or filter the list down to it first.
shasum -a 256 -c vault_1.7.1_SHA256SUMS
grep linux_amd64.zip vault_1.7.1_SHA256SUMS | shasum -a 256 -c
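The same procedure scripted end to end, added here as an example rather than HashiCorp's own tooling: it assumes gpg is on PATH and that the fingerprint listed above is the release key's, and it rejects an archive whose SHA256SUMS was signed by any other key in the keyring, which a bare `gpg --verify` exit code would accept. The SHA256SUMS parsing and digest comparison run offline; only the gpg call touches your keyring.

```python
"""Verify a HashiCorp release archive against its GPG-signed SHA256SUMS file."""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path

# Primary-key fingerprint of the HashiCorp release-signing key, as listed above.
HASHICORP_FPR = "C874011F0AB405110D02105534365D9472D7468F"

def signed_by(status_output: str, expected_fpr: str) -> bool:
    """True only if gpg reported a VALIDSIG from the expected key.
    gpg --verify exits 0 for a good signature by any key in the keyring, so the
    fingerprint is checked explicitly: in a VALIDSIG line the first field is the
    signing (sub)key fingerprint and the last is the primary key's."""
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\] VALIDSIG (\S+) .* (\S+)$", line)
        if m and expected_fpr in (m.group(1).upper(), m.group(2).upper()):
            return True
    return False

def gpg_status(sig_file: str, sums_file: str) -> str:
    """Run gpg --verify and return its machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_file, sums_file],
        capture_output=True, text=True, check=False)
    return proc.stdout

def expected_digest(sums_text: str, archive_name: str):
    """Digest listed for archive_name; SHA256SUMS lists every platform's archive."""
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == archive_name:
            return parts[0].lower()
    return None

def archive_matches(sums_text: str, archive_name: str, archive_bytes: bytes) -> bool:
    """True if the archive's SHA-256 equals the digest listed for it."""
    want = expected_digest(sums_text, archive_name)
    if want is None:
        return False
    return hmac.compare_digest(hashlib.sha256(archive_bytes).hexdigest(), want)

def verify_release(archive: str, sums_file: str, sig_file: str) -> bool:
    """Full check: signature from the expected key AND archive digest listed."""
    if not signed_by(gpg_status(sig_file, sums_file), HASHICORP_FPR):
        return False
    return archive_matches(Path(sums_file).read_text(), Path(archive).name,
                           Path(archive).read_bytes())
```

Call verify_release("vault_1.7.1_linux_amd64.zip", "vault_1.7.1_SHA256SUMS", "vault_1.7.1_SHA256SUMS.sig") after the downloads above; it returns True only when both checks pass.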
Linux Package Checksum Verification
HashiCorp's Linux repositories and packages, as announced in 2020, are signed with a separate GPG key. This is available at https://rpm.releases.hashicorp.com/gpg and https://apt.releases.hashicorp.com/gpg, and has the fingerprint 798A EC65 4E5C 1542 8C8E 42EE AA16 FCBC A621 E701.
Please note that there was a previous signing key used prior to January 23, 2023, which had the fingerprint E8A0 32E0 94D8 EB4E A189 D270 DA41 8C88 A321 9F7B. Details about this change are available on the status page: https://status.hashicorp.com/incidents/fgkyvr1kwpdh, https://status.hashicorp.com/incidents/k8jphcczkdkn.
Product Binary Signature Verification
HashiCorp Authenticode signs Microsoft Windows executables and code signs Apple macOS executables.
Apple macOS
Use Apple's codesign utility to verify the integrity of an Apple macOS executable and pay attention to the TeamIdentifier field, which should match the one below.
codesign --verify -d --verbose=2 /usr/local/bin/terraform
Executable=/usr/local/bin/terraform
Identifier=terraform
...
Authority=Developer ID Application: Hashicorp, Inc. (D38WU7D763)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
TeamIdentifier=D38WU7D763
...
Microsoft Windows
Windows binaries may be signed by certificates with thumbprints matching 7868E4F55FD7B047CD8BF93FEA8C38509CFB5939, 6F1DCD6FE62C173708E26E25D19656E413277816, or 35AB9FC834D217E9E7B1778FB1B97AF7C73792F2.
Use Microsoft's Get-AuthenticodeSignature cmdlet to verify the integrity of a Microsoft Windows executable. For example:
(Get-AuthenticodeSignature -FilePath terraform.exe).SignerCertificate | Format-List
Subject : CN="HashiCorp, Inc.", O="HashiCorp, Inc.", L=San Francisco, S=California, C=US
Issuer : CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Thumbprint : 35AB9FC834D217E9E7B1778FB1B97AF7C73792F2
FriendlyName :
NotBefore : 16/01/2020 00:00:00
NotAfter : 20/01/2023 12:00:00
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid...}