Securing VMware and NetApp Data with HashiCorp Vault
We are excited to announce that HashiCorp Vault Enterprise has successfully completed product compatibility validations for both VMware vSphere and NetApp ONTAP. Vault Enterprise can be used as a flexible, very cost-effective, and scalable external key manager solution using the built-in Key Management Interoperability Protocol (or KMIP) standard for securing and encrypting storage systems.
If you would like to learn more, we have released two new white papers that highlight these certified integrations:
- HashiCorp Vault Enterprise Securing VMware Data Whitepaper
- HashiCorp Vault Enterprise Securing NetApp Data Whitepaper
» Key Management Interoperability Protocol (KMIP)
Back in Vault Enterprise 1.2, we announced the introduction of a new Secret Engine that supports Vault serving as a KMIP Server for client requests. This allows Vault to integrate with an ecosystem of over a hundred common enterprise platforms for use cases such as Transparent Database Encryption (TDE); Full Disk Encryption (FDE) and virtual volume encryption; and multi-cloud/hybrid cloud Bring Your Own Key (“BYOK”) key management.
» Challenge
Organizations often store highly sensitive, personal data, which must be protected. Leakage of such data can lead to financial loss, reputational damage, legal ramifications, and more. There are often requirements to comply with data protection standards and regulations like the PCI DSS, GDPR, HIPAA, etc.
The OASIS Key Management Interoperability Protocol (KMIP) standard is a widely adopted protocol for handling cryptographic workloads and secrets management for enterprise infrastructure such as databases, network storage, and virtual/physical servers.
When an organization has services and applications that need to perform cryptographic operations (e.g. transparent database encryption, full disk encryption, etc.), it often delegates the key management task to an external provider via the KMIP protocol. As a result, your organization may have existing services or applications that implement KMIP or use wrapper clients with libraries/drivers that implement KMIP. This makes it difficult for an organization to adopt the Vault API in place of KMIP.
» Solution
Vault Enterprise v1.2 introduced the KMIP secrets engine which allows Vault to act as a KMIP server for clients that retrieve cryptographic keys for encrypting data via KMIP protocol.
Vault's KMIP secrets engine manages its own TLS listener to service KMIP requests, which operate on KMIP managed objects. Vault policies do not come into play during these KMIP requests. Instead, the KMIP secrets engine determines the set of KMIP operations a client is allowed to perform based on the role bound to that client's TLS client certificate, so the role's operation list is the entire authorization decision for the connection.
This enables existing systems to continue using the KMIP APIs instead of Vault APIs.
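The following script is an added example, not HashiCorp's code or anything from the white papers. It walks the setup the Solution section describes with the `vault` CLI: enable the KMIP secrets engine, give it its own listener, create a scope, define a role that grants only the KMIP operations the client needs (rather than `operation_all`), and mint the TLS client credential that a storage system imports. The mount path `kmip`, scope `storage`, role `ontap-cluster`, listener address and the operation subset in `KNOWN_OPS` are assumed values; the `vault` commands and role parameters are the engine's documented ones, but check `vault path-help` on the role path for the full operation list in your Vault version.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): provision Vault's KMIP secrets
# engine with a least-privilege role and export a client credential.
# Needs the `vault` CLI and `jq`, with VAULT_ADDR/VAULT_TOKEN pointing at
# a Vault Enterprise server. Mount, scope, role and listener are assumed.
set -eu

MOUNT="${KMIP_MOUNT:-kmip}"
SCOPE="${KMIP_SCOPE:-storage}"
ROLE="${KMIP_ROLE:-ontap-cluster}"
LISTEN="${KMIP_LISTEN:-0.0.0.0:5696}"

# KMIP operations a role can be granted through operation_<name>=true.
# Assumed subset of the role's parameters; see `vault path-help` for the
# complete set supported by your Vault version.
KNOWN_OPS="activate add_attribute create destroy discover_versions get get_attribute_list get_attributes locate query register rekey revoke"

# kmip_role_flags OP... -> "operation_OP=true ..." for known operations.
# Fails on an unknown name so a typo never silently yields a role with
# no permissions (or gets "fixed" by granting operation_all).
kmip_role_flags() {
    out=""
    for op in "$@"; do
        case " $KNOWN_OPS " in
            *" $op "*) out="$out operation_${op}=true" ;;
            *) echo "unknown KMIP operation: $op" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# kmip_setup OP...: enable the engine, configure its listener, and create
# the scope and role. Because Vault policies are not consulted on the KMIP
# listener, the role's operation list is the whole authorization for any
# client holding a certificate issued under it.
kmip_setup() {
    flags=$(kmip_role_flags "$@")
    vault secrets enable -path="$MOUNT" kmip
    vault write "$MOUNT/config" listen_addrs="$LISTEN"
    vault write -f "$MOUNT/scope/$SCOPE"
    # shellcheck disable=SC2086  # flags are word-split on purpose
    vault write "$MOUNT/scope/$SCOPE/role/$ROLE" $flags
}

# kmip_issue_credential DIR: mint a client certificate for the role and
# write the PEM files a storage system's KMS wizard asks for (client
# cert, client key, CA chain). Prints the serial number, which is what you
# need later to revoke this one client without touching the others.
kmip_issue_credential() {
    dir="$1"
    umask 077            # key material must not be world-readable
    mkdir -p "$dir"
    vault write -format=json "$MOUNT/scope/$SCOPE/role/$ROLE/credential/generate" \
        format=pem > "$dir/cred.json"
    jq -r '.data.certificate'  "$dir/cred.json" > "$dir/client.crt"
    jq -r '.data.private_key'  "$dir/cred.json" > "$dir/client.key"
    jq -r '.data.ca_chain[]'   "$dir/cred.json" > "$dir/ca.crt"
    jq -r '.data.serial_number' "$dir/cred.json"
    rm -f "$dir/cred.json"   # do not leave the key in a second file
}

# Only talk to Vault when a CLI and address are actually present; the
# functions above are still defined for sourcing or testing otherwise.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
    kmip_setup activate create get destroy discover_versions locate query
    serial=$(kmip_issue_credential ./kmip-creds)
    echo "issued client credential serial $serial"
    echo "revoke it with: vault write $MOUNT/scope/$SCOPE/role/$ROLE/credential/revoke serial_number=$serial"
fi
```

The operation list passed to `kmip_setup` is illustrative; derive the real one from what the storage platform's KMS client actually issues, and keep a separate role (and therefore separate certificates and serial numbers) per consuming system so that revoking one cluster's credential does not affect another.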
» Securing VMware Data with HashiCorp Vault
Using KMIP, Vault Enterprise and VMware can be seamlessly integrated to secure data within a VMware environment. Vault recently completed VMware product compatibility validation against vSphere 6.5 and 6.7 to satisfy our customers' requirements for certified solutions when using Vault and VMware. See the VMware Compatibility Guide for the latest validations of Vault with vSphere.
Please review the HashiCorp Vault Enterprise Securing VMware Data white paper to learn more about this certified integration.
» Securing NetApp Data with HashiCorp Vault
HashiCorp’s Vault Enterprise can be used as a flexible, very cost-effective, and scalable external key manager solution. It is certified by NetApp, supports the OASIS KMIP protocol, and integrates with any PKCS #11 compliant HSM. Vault recently completed NetApp product interoperability validation against ONTAP 9.7, 9.6, and 9.3 to satisfy our customers' requirements for certified solutions when using Vault and NetApp. See NetApp’s Interoperability Matrix Tool (IMT) for the latest validations of Vault with NetApp.
Please review the HashiCorp Vault Enterprise Securing NetApp Data white paper to learn more about this certified integration.
» Summary
When using HashiCorp Vault Enterprise as an external key manager for backend storage encryption, organizations can save money, time, and resources. Vault is fully software-based and scalable and offers multiple integrations including for public clouds. It offers great automation capabilities that reduce risks.