As organizations adopt DevSecOps principles for rapid application delivery, they are heavily leveraging HashiCorp Vault to centrally manage and deliver the appropriate secrets to their applications. In such environments Vault stores thousands or even millions of highly sensitive secrets and encrypts them at rest to prevent unauthorized access. Thales HSM solutions encrypt the Vault master key in a hardware root of trust to provide maximum security and comply with regulatory requirements. In this video, we discuss how organizations can enhance Vault's security controls by leveraging Thales Luna HSM to meet the most stringent compliance regulations and automate their DevOps processes.
Thales and HashiCorp Discuss DevSecOps
Today's large enterprises operate across many boundaries, acting as a virtual organization in multiple cities and countries. One department that commonly combines efforts from widely dispersed individuals is software development. DevOps, the set of processes that lets application development and operations be combined, adds complexity and security risks not seen when programmers were all on-site, behind a firewall, and with access only to development environments. DevOps brings agility and scale, but if it is not implemented correctly its processes can be impeded and hacked, adding development time and security risks to the end product.
Addressing this growing need to secure enterprise-class DevOps, Thales has partnered with Venafi and HashiCorp to provide an end-to-end solution for implementing a secure DevOps environment.
Simplifying DevOps Security with Thales, Venafi and HashiCorp - Solution Brief
HashiCorp Vault centrally secures, stores, and tightly controls access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API. Organizations use HashiCorp Vault to solve security challenges as they adopt cloud and DevOps.
The integration between Thales HSM solutions and HashiCorp Vault enables key advantages:
Master Key Wrapping: Thales HSM solutions encrypt the Vault master key in a hardware root of trust to provide maximum security and comply with regulatory requirements.
Automated Unseal: Master keys are encrypted and stored by the Thales HSMs, allowing users to automatically unseal Vault, using the key stored within the HSM. This eliminates the need for manual unsealing normally done by providing a pre-set minimum number of unseal keys, thereby improving the security posture.
HashiCorp Vault with Thales Luna HSMs - Solution Brief
HashiCorp Vault with Thales Luna HSMs - Integration Guide
The HashiCorp Vault PKI secrets engine generates dynamic X.509 certificates so services can obtain certificates without going through the manual process of generating private keys and certificate signing requests, submitting them to a certificate authority, and waiting for verification and signing to complete. HashiCorp Vault's built-in authentication and authorization functionality verifies PKI certificates and their secure provisioning. Applications can fetch certificates on startup, hold them in memory, and discard them on shutdown, without the certificates ever being written to disk.
Beginning with version 1.10, HashiCorp Vault allows organizations to configure access to keys stored in a Thales Luna HSM (Hardware Security Module). Organizations can offload the generation of PKI keys and signing operations to a secure, purpose-built FIPS 140-2 Level 3 validated appliance.
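The two integration points described above (the HSM-wrapped master key with automated unseal, and the version 1.10 managed keys used by the PKI secrets engine) both appear in the Vault server configuration. The following is an added example, not configuration from the Thales or HashiCorp documentation; the library path, slot, key labels and the placeholder PIN are assumptions, and HSM auto-unseal and managed keys require Vault Enterprise.

```hcl
# Added example (not from the Thales/HashiCorp page): a Vault server
# configuration that (1) wraps the Vault master key with a key held in a
# Luna HSM via PKCS#11 and (2) registers the same PKCS#11 library as a
# managed-key provider so the PKI secrets engine can generate and sign
# with HSM-resident keys. Both features need Vault Enterprise.
# Assumed values: library path, slot, key labels and the placeholder PIN.

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}

api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"

# Automated unseal: the master key is wrapped by an AES key that never
# leaves the HSM. On start Vault unwraps it through the PKCS#11 library,
# so no operator has to supply a quorum of Shamir unseal key shares.
seal "pkcs11" {
  lib            = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so" # assumed Luna client path
  slot           = "0"
  pin            = "REPLACE_WITH_PARTITION_PIN" # prefer the VAULT_HSM_PIN env var to a plaintext file
  key_label      = "vault-seal-key"
  hmac_key_label = "vault-seal-hmac-key"
  generate_key   = "true" # let Vault create the keys at first init; set to "false" afterwards
}

# Managed keys (Vault 1.10+): expose the library under the name "luna".
# An HSM key is then registered against it, for example (illustrative):
#   vault write sys/managed-keys/pkcs11/pki-root-key library=luna slot=0 \
#       pin=<partition pin> key_label=pki-root-ca mechanism=0x0001 \
#       key_bits=4096 allow_generate_key=true
# A PKI mount tuned with -allowed-managed-keys=pki-root-key can then build
# its root CA via pki/root/generate/kms; the private key stays in the HSM.
kms_library "pkcs11" {
  name    = "luna"
  library = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"
}
```

Keep `generate_key` enabled only for the first initialization: once the seal keys exist, a second node started with it against an empty partition would silently create a different key and be unable to unseal the existing data.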
Securely storing private keys is integral to protecting the asymmetric key cryptography used in a public key infrastructure. Compromised root keys threaten the credibility of financial transactions, business processes, and intricate access control systems. It is essential that organizations protect their private keys with the highest level of security possible by using a Thales Luna HSM.
HashiCorp PKI with Thales Luna HSMs - Integration Guide