From bfd71e7ab549fb8e85a4c470d3f5deb02bf8e723 Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Mon, 14 Oct 2024 14:54:22 -0700 Subject: [PATCH 1/3] update matrix doc and add IPv6 info --- .../docs/configuration/listener/tcp/index.mdx | 2 + .../content/docs/interoperability-matrix.mdx | 283 ++++++++++++------ .../partials/alerts/ipv6-compliance.mdx | 7 + website/data/docs-nav-data.json | 2 +- 4 files changed, 199 insertions(+), 95 deletions(-) create mode 100644 website/content/partials/alerts/ipv6-compliance.mdx diff --git a/website/content/docs/configuration/listener/tcp/index.mdx b/website/content/docs/configuration/listener/tcp/index.mdx index b059b374a588..aed9b722ac71 100644 --- a/website/content/docs/configuration/listener/tcp/index.mdx +++ b/website/content/docs/configuration/listener/tcp/index.mdx @@ -8,6 +8,8 @@ description: >- # `tcp` listener +@include 'alerts/ipv6-compliance.mdx' + The TCP listener configures Vault to listen on a TCP address/port. ```hcl diff --git a/website/content/docs/interoperability-matrix.mdx b/website/content/docs/interoperability-matrix.mdx index dc12a92f1293..0fb64bba5a81 100644 --- a/website/content/docs/interoperability-matrix.mdx +++ b/website/content/docs/interoperability-matrix.mdx 
@@ -1,102 +1,197 @@ --- layout: docs -page_title: Vault Interoperability Matrix -description: Guide to viewing which partners Vault integrates with. +page_title: Vault interoperability matrix +description: >- + Reference list of Vault integration partners --- # Vault interoperability matrix -Vault integrates with various appliances, platforms and applications for different use cases. Below are two tables indicating the partner’s product that has been verified to work with Vault for [Auto Unsealing](/vault/docs/concepts/seal#auto-unseal) / [HSM Support](/vault/docs/enterprise/hsm) and [External Key Management](https://www.vaultproject.io/use-cases/key-management). - -Auto Unseal and HSM Support was developed to aid in reducing the operational complexity of keeping the unseal key secure. This feature delegates the responsibility of securing the unseal key from users to a trusted device or service. At startup Vault will connect to the device or service implementing the seal and ask it to decrypt the root key Vault read from storage. - -Vault centrally manages and automates encryption keys across environments allowing customers to control their own encryption keys used in third party services or products. - -## Vault seal and HSM interoperability - -The below table shows the partner product and if the partner’s technology works with each individual seal component. - -| Partner | Product | Auto Unseal
(Vault 0.9+) | Entropy Augmentation
(Vault 1.3+) | Seal Wrap
(Vault 0.9+) | Managed Keys
(Vault 1.10+) | Min. Vault Version Verified | -| ----------------- | -------------------------------------- | ------------ | -------------------- | ------------ |-------------- | --------------------------- | -| AliCloud | AliCloud KMS | Yes | No | Yes | No | 0.11.2 | -| Atos | Trustway Proteccio HSM | Yes | Yes | Yes | No | 1.9 | -| AWS | AWS KMS | Yes | Yes | Yes | Yes | 0.9 | -| Crypto4a | QxEDGE™️ HSP | Yes | Yes | Yes | Yes | 1.9 | -| Entrust | nShield HSM | Yes | Yes | Yes | Yes | 1.3 | -| Fortanix | FX2200 Series | Yes | Yes | Yes | No | 0.10 | -| FutureX | Vectera Plus, KMES Series 3 | Yes | Yes | Yes | Yes | 1.5 | -| FutureX | VirtuCrypt cloud HSM | Yes | Yes | Yes | Yes | 1.5 | -| Google | GCP Cloud KMS | Yes | No | Yes | Yes | 0.9 | -| Marvell | Cavium HSM | Yes | Yes | Yes | Yes | 1.11 | -| Microsoft | Azure Key Vault | Yes | No | Yes | Yes | 0.10.2 | -| Oracle | OCI KMS | Yes | No | Yes | No | 1.2.3 | -| PrimeKey | SignServer Hardware Appliance | Yes | Yes | Yes | No | 1.6 | -| Private Machines | ENFORCER Blade | Yes | No | Yes | No | 1.17.3 | -| Qrypt | Quantum Entropy Service | No | Yes | No | No | 1.11 | -| Quintessence Labs | TSF 400 | Yes | Yes | Yes | No | 1.4 | -| Securosys SA | Primus HSM | Yes | Yes | Yes | Yes | 1.7 | -| Thales | Luna HSM | Yes | Yes | Yes | Yes | 1.4 | -| Thales | Luna TCT HSM | Yes | Yes | Yes | Yes | 1.4 | -| Thales | CipherTrust Manager | Yes | Yes | Yes | No | 1.7 | -| Utimaco | HSM | Yes | Yes | Yes | Yes | 1.4 | -| Yubico | YubiHSM 2 | Yes | Yes | Yes | Yes | 1.17.2 | -Last Updated May 03, 2023 - -## Vault as an external key management system (EKMS) - -Partners who integrate with Vault to have Vault store and/or manage encryption keys with their products - -~> Note: HCP Vault Verified means that the integration has been verified to work with HCP Vault Dedicated. All integrations have been verified with Vault self-managed. 
- - -Vault Secrets Engine Key: EKM Provider = Vault EKM provider for SQL server; KV = KV secrets engine; KMSE = Key Management Secrets Engine; KMIP = KMIP Secrets Engine; PKCS#11 = PKCS#11 Provider; Transit = Transit Secrets Engine +To support a variety of use cases, Vault verifies protocol implementation and +integrations with partner products, appliances, and applications that support +advanced data protection features. + + + + Join the [Vault integration program](/vault/docs/partnerships) to get your + integration verified and added or reach out to + [technologypartners@hashicorp.com](mailto:technologypartners@hashicorp.com) + with questions. + + + +## IPv6 validation and compliance + +[Vault Enterprise supports IPv6](https://www.hashicorp.com/trust/compliance/vault-enterprise) +in compliance with OMB Mandate M-21-07 and Federal IPv6 policy requirements +for the following operating systems and storage backends. + +**Self-attested testing covers functionality related to HSM, FIPS 140-2, and +HSM/FIPS 140-2.** + +Operating system | OS version | Validation | Vault version +---------------- | ------------------------------ | ------------ | ----------------------- +FreeBSD | N/A | N/A | Untested +Linux | Amazon Linux (versions 2023) | Self-attested | ent-1.18+ +Linux | openSUSE Leap (version 15.6) | Self-attested | ent-1.18+ +Linux | RHEL (versions 8.10, 9.4) | Self-attested | ent-1.18+ +Linux | SUSE SLES (version 15.6) | Self-attested | ent-1.18+ +Linux | Ubuntu (versions 20.04, 24.04) | Self-attested | ent-1.18+ +MacOS | N/A | N/A | Untested +NetBSD | N/A | N/A | Untested +OpenBSD | N/A | N/A | Untested +Windows | N/A | N/A | Untested + + + Last Updated: + October 14, 2024 + + + + + + IPv6 does not work with external plugins (plugins not built into Vault) when + running on Windows in server mode because they default to IPv4 and Vault + cannot override that behavior. 
+ + + +Backend storage system | Validation | Vault version +----------------------- | ------------- | ----------------------- +Consul | N/A | Untested +Integrated Raft storage | Self-attested | ent-1.18+ + + + Last Updated: + October 14, 2024 + + + +## Auto unsealing and HSM support + +Hardware Security Module (HSM) support reduces the operational complexity of +securing unseal keys by delegating the responsibility of securing unseal keys to +trusted devices or services (instead of humans). At startup, Vault connects to +the delegate device or service and provides an encrypted root key for +decryption. + +Vault implements HSM support with the following features: + +Feature | Introduced +-------------------------------------------------------------------- | ---------- +[Auto unsealing](/vault/docs/concepts/seal#auto-unseal) | Vault 0.9 +[Entropy augmentation](/vault/docs/enterprise/entropy-augmentation) | Vault 1.3 +[Seal wrapping](/vault/docs/enterprise/sealwrap) | Vault 0.9 + +The following table outlines the implementation status of HSM-related features +for partners products and the minimum Vault version required for verified +functionality. 
+ +| Partner | Product | Auto unseal | Entropy augment | Seal wrap | Managed keys | Vault verified +| ----------------- | -------------------------------------- | ----------- | --------------- | --------- |------------- | ------------- +| AliCloud | AliCloud KMS | Yes | **No** | Yes | **No** | 0.11.2+ +| Atos | Trustway Proteccio HSM | Yes | Yes | Yes | **No** | 1.9+ +| AWS | AWS KMS | Yes | Yes | Yes | Yes | 0.9+ +| Crypto4a | QxEDGE&tm; HSP | Yes | Yes | Yes | Yes | 1.9+ +| Entrust | nShield HSM | Yes | Yes | Yes | Yes | 1.3+ +| Fortanix | FX2200 Series | Yes | Yes | Yes | **No** | 0.10+ +| FutureX | Vectera Plus, KMES Series 3 | Yes | Yes | Yes | Yes | 1.5+ +| FutureX | VirtuCrypt cloud HSM | Yes | Yes | Yes | Yes | 1.5+ +| Google | GCP Cloud KMS | Yes | **No** | Yes | Yes | 0.9+ +| Marvell | Cavium HSM | Yes | Yes | Yes | Yes | 1.11+ +| Microsoft | Azure Key Vault | Yes | **No** | Yes | Yes | 0.10.2+ +| Oracle | OCI KMS | Yes | **No** | Yes | **No** | 1.2.3+ +| PrimeKey | SignServer Hardware Appliance | Yes | Yes | Yes | **No** | 1.6+ +| Private Machines | ENFORCER Blade | Yes | **No** | Yes | **No** | 1.17.3+ +| Qrypt | Quantum Entropy Service | **No** | Yes | **No** | **No** | 1.11+ +| Quintessence Labs | TSF 400 | Yes | Yes | Yes | **No** | 1.4+ +| Securosys SA | Primus HSM | Yes | Yes | Yes | Yes | 1.7+ +| Thales | Luna HSM | Yes | Yes | Yes | Yes | 1.4+ +| Thales | Luna TCT HSM | Yes | Yes | Yes | Yes | 1.4+ +| Thales | CipherTrust Manager | Yes | Yes | Yes | **No** | 1.7+ +| Utimaco | HSM | Yes | Yes | Yes | Yes | 1.4+ +| Yubico | YubiHSM 2 | Yes | Yes | Yes | Yes | 1.17.2+ + + + Last Updated: + May 03, 2023 + -| Partner | Product | Vault Secrets Engine | Min. 
Vault Version Verified | HCP Vault Verified | -| ----------------- | ------------------------ | -------------------- | --------------------------- | ------------------- | -| AWS | AWS KMS | KMSE | 1.8 | Yes | -| Baffle | Shield | KV | 1.3 | No | -| Bloombase | StoreSafe | KMIP | 1.9 | N/A | -| Cloudian | HyperStore 7.5.1 | KMIP | 1.12 | N/A | -| Cockroach Labs | Cockroach Cloud DB | KMSE | 1.10 | N/A | -| Cockroach Labs | Cockroach DB | Transit | 1.10 | Yes | -| Cohesity | Cohesity DataPlatform | KMIP | 1.13.2 | N/A | -| Commvault Systems | CommVault | KMIP | 1.9 | N/A | -| Cribl | Cribl Stream | KV | 1.8 | Yes | -| DataStax | DataStax Enterprise | KMIP | 1.11 | Yes | -| Dell | PowerMax | KMIP | 1.12.1 | N/A | -| Dell | PowerProtect DDOS 8.0.X | KMIP | 1.15.2 | N/A | -| EnterpriseDB | Postgres Advanced Server | KMIP | 1.12.6 | N/A | -| Garantir | GaraSign | Transit | 1.5 | Yes | -| Google | Google KMS | KMSE | 1.9 | N/A | -| HPE | Exmeral Data Fabric | KMIP | 1.2 | N/A | -| Intel | Key Broker Service | KMIP | 1.11 | N/A | -| JumpWire | JumpWire | KV | 1.12 | Yes | -| Micro Focus | Connected Mx | Transit | 1.7 | No | -| Microsoft | Azure Key Vault | KMSE | 1.6 | N/A | -| Microsoft | MSSSQL | EKM Provider | 1.9 | No | -| MinIO | Key Encryption Service | KV | 1.11 | No | -| MongoDB | Atlas | KMSE | 1.6 | N/A | -| MongoDB | MongoDB Enterprise | KMIP | 1.2 | N/A | -| MongoDB | Client Libraries | KMIP | 1.9 | N/A | -| NetApp | ONTAP | KMIP | 1.2 | N/A | -| NetApp | StorageGrid | KMIP | 1.2 | N/A | -| Nutanix | AHV/AOS 6.5.1.6 | KMIP | 1.12 | N/A | -| Ondat | Trousseau | Transit | 1.9 | Yes | -| Oracle | MySQL | KMIP | 1.2 | N/A | -| Oracle | Oracle 19c | PKCS#11 | 1.11 | N/A | -| Percona | Server 8.0 | KMIP | 1.9 | N/A | -| Percona | XtraBackup 8.0 | KMIP | 1.9 | N/A | -| Rubrik | CDM 9.1 (Edge) | KMIP | 1.16.2 | N/A | -| Scality | Scality RING | KMIP | 1.12 | N/A | -| Snowflake | Snowflake | KMSE | 1.6 | N/A | -| Veeam | Karsten K10 | Transit | 1.9 | N/A | -| Veritas | 
NetBackup | KMIP | 1.13.9 | N/A | -| VMware | vSphere 7.0, 8.0 | KMIP | 1.2 | N/A | -| VMware | vSan 7.0, 8.0 | KMIP | 1.2 | N/A | -| Yugabyte | Yugabyte Platform | Transit | 1.9 | No | -Last Updated August 25, 2023 - -Please reach out to [technologypartners@hashicorp.com](mailto:technologypartners@hashicorp.com) if there are any questions on the above tables. - -Missing an integration? Join the [Vault Integration Program](/vault/docs/partnerships) and get the integration listed. + +## External key management (EKMS) + +Vault centrally manages and automates encryption keys across environments so +customers can [manage external encryption keys](/vault/docs/secrets/key-management) +used in third party services and products with the following plugins: + +Abbreviation | Full plugin name +------------ | ---------------- +EKMMSSQL | [Vault EKM provider for SQL server](/vault/docs/platform/mssql) +KV | [Key/Value secrets engine](/vault/docs/secrets/kv) +KMSE | [Key Management secrets engine](/vault/docs/secrets/key-management) +KMIP | [KMIP secrets engine](/vault/docs/secrets/kmip) +PKCS#11 | [PKCS#11 provider](/vault/docs/enterprise/pkcs11-provider) +Transit | [Transit secrets engine](/vault/docs/secrets/transit) + + + + HCP Vault verified integrations work with the current version HCP Vault + Dedicated. Self-managed Vault instances must meet the required minimum version + for verification guarantees. 
+ + + +The table below indicates the plugin support for partner products, the +verification status for HCP Vault Dedicated and the minimum Vault version +required for verified behavior in self-managed Vault instances: + +| Partner | Product | Vault plugin | Vault verified | HCP Vault verified +| ----------------- | ------------------------ | ------------ | -------------- | ------------------ +| AWS | AWS KMS | KMSE | 1.8+ | Yes +| Baffle | Shield | KV | 1.3+ | **No** +| Bloombase | StoreSafe | KMIP | 1.9+ | N/A +| Cloudian | HyperStore 7.5.1 | KMIP | 1.12+ | N/A +| Cockroach Labs | Cockroach Cloud DB | KMSE | 1.10+ | N/A +| Cockroach Labs | Cockroach DB | Transit | 1.10+ | Yes +| Cohesity | Cohesity DataPlatform | KMIP | 1.13.2+ | N/A +| Commvault Systems | CommVault | KMIP | 1.9+ | N/A +| Cribl | Cribl Stream | KV | 1.8+ | Yes +| DataStax | DataStax Enterprise | KMIP | 1.11+ | Yes +| Dell | PowerMax | KMIP | 1.12.1+ | N/A +| Dell | PowerProtect DDOS 8.0.X | KMIP | 1.15.2+ | N/A +| EnterpriseDB | Postgres Advanced Server | KMIP | 1.12.6+ | N/A +| Garantir | GaraSign | Transit | 1.5+ | Yes +| Google | Google KMS | KMSE | 1.9+ | N/A +| HPE | Exmeral Data Fabric | KMIP | 1.2+ | N/A +| Intel | Key Broker Service | KMIP | 1.11+ | N/A +| JumpWire | JumpWire | KV | 1.12+ | Yes +| Micro Focus | Connected Mx | Transit | 1.7+ | **No** +| Microsoft | Azure Key Vault | KMSE | 1.6+ | N/A +| Microsoft | MSSSQL | EKMMSSQL | 1.9+ | **No** +| MinIO | Key Encryption Service | KV | 1.11+ | **No** +| MongoDB | Atlas | KMSE | 1.6+ | N/A +| MongoDB | MongoDB Enterprise | KMIP | 1.2+ | N/A +| MongoDB | Client Libraries | KMIP | 1.9+ | N/A +| NetApp | ONTAP | KMIP | 1.2+ | N/A +| NetApp | StorageGrid | KMIP | 1.2+ | N/A +| Nutanix | AHV/AOS 6.5.1.6 | KMIP | 1.12+ | N/A +| Ondat | Trousseau | Transit | 1.9+ | Yes +| Oracle | MySQL | KMIP | 1.2+ | N/A +| Oracle | Oracle 19c | PKCS#11 | 1.11+ | N/A +| Percona | Server 8.0 | KMIP | 1.9+ | N/A +| Percona | XtraBackup 8.0 | KMIP | 1.9+ | N/A +| 
Rubrik | CDM 9.1 (Edge) | KMIP | 1.16.2+ | N/A +| Scality | Scality RING | KMIP | 1.12+ | N/A +| Snowflake | Snowflake | KMSE | 1.6+ | N/A +| Veeam | Karsten K10 | Transit | 1.9+ | N/A +| Veritas | NetBackup | KMIP | 1.13.9+ | N/A +| VMware | vSphere 7.0, 8.0 | KMIP | 1.2+ | N/A +| VMware | vSan 7.0, 8.0 | KMIP | 1.2+ | N/A +| Yugabyte | Yugabyte Platform | Transit | 1.9+ | **No** + + + Last Updated: + August 25, 2023 + + diff --git a/website/content/partials/alerts/ipv6-compliance.mdx b/website/content/partials/alerts/ipv6-compliance.mdx new file mode 100644 index 000000000000..3a62dc2fc46c --- /dev/null +++ b/website/content/partials/alerts/ipv6-compliance.mdx @@ -0,0 +1,7 @@ + + + Vault Enterprise is compliant with **OMB Mandate M-21-07** and + **Federal IPv6 policy requirements** + for [specific operating systems and storage backends](/vault/docs/interoperability-matrix#ipv6-validation-and-compliance). + + \ No newline at end of file diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index aac132161a6d..f3077aeb554f 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1996,7 +1996,7 @@ "path": "partnerships" }, { - "title": "Vault Interoperability Matrix", + "title": "Vault interoperability matrix", "path": "interoperability-matrix" }, { From 339787cbe373e98cc851c0895fdc024d307d8c7a Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:26:48 -0700 Subject: [PATCH 2/3] Update website/content/docs/interoperability-matrix.mdx Co-authored-by: Ryan Cragun --- website/content/docs/interoperability-matrix.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/interoperability-matrix.mdx b/website/content/docs/interoperability-matrix.mdx index 0fb64bba5a81..4d93ae41cdb5 100644 --- a/website/content/docs/interoperability-matrix.mdx +++ b/website/content/docs/interoperability-matrix.mdx 
@@ -23,7 +23,7 @@ advanced data protection features. ## IPv6 validation and compliance [Vault Enterprise supports IPv6](https://www.hashicorp.com/trust/compliance/vault-enterprise) -in compliance with OMB Mandate M-21-07 and Federal IPv6 policy requirements +in compliance with OMB Mandate M-21-07 and Federal IPv6 policy requirements for the following operating systems and storage backends. **Self-attested testing covers functionality related to HSM, FIPS 140-2, and From caa957328e254410fa55fd4976c48efcc5775686 Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:26:55 -0700 Subject: [PATCH 3/3] Update website/content/docs/interoperability-matrix.mdx Co-authored-by: Ryan Cragun --- website/content/docs/interoperability-matrix.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/interoperability-matrix.mdx b/website/content/docs/interoperability-matrix.mdx index 4d93ae41cdb5..c2fcc194add2 100644 --- a/website/content/docs/interoperability-matrix.mdx +++ b/website/content/docs/interoperability-matrix.mdx @@ -26,7 +26,7 @@ advanced data protection features. in compliance with OMB Mandate M-21-07 and Federal IPv6 policy requirements for the following operating systems and storage backends. -**Self-attested testing covers functionality related to HSM, FIPS 140-2, and +**Self-attested testing covers functionality related to HSM, FIPS 140-2, and HSM/FIPS 140-2.** Operating system | OS version | Validation | Vault version
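Review bot: in the interoperability-matrix hunk, the Crypto4a row now reads `| Crypto4a | QxEDGE&tm; HSP |`, but `&tm;` is not a valid HTML entity (the removed line used the literal `™️` character), so MDX will either render the text `&tm;` verbatim or fail to parse the expression; use `&trade;` or keep the literal symbol. Two smaller wording fixes in the same hunk: "for partners products and the minimum Vault version" should be "for partner products", and "work with the current version HCP Vault Dedicated" is missing "of". The bold sentence "Self-attested testing covers functionality related to HSM, FIPS 140-2, and HSM/FIPS 140-2." lists what looks like the same item twice; if the three entries are meant to be distinct build variants (HSM-only, FIPS-only, and combined), say so, otherwise drop the third. Finally, the Windows row of the operating-system table says `Windows | N/A | N/A | Untested`, yet the callout right below it states a concrete Windows behaviour ("IPv6 does not work with external plugins ... when running on Windows in server mode"); either the row should reflect whatever testing produced that finding or the callout should say the limitation is known rather than tested. Table style is also mixed within one page: the IPv6 tables use no leading or trailing pipes while the HSM and EKMS tables keep a leading pipe and drop the trailing one; pick one convention for all four tables.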
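Review bot: the new file `website/content/partials/alerts/ipv6-compliance.mdx` ends with `\ No newline at end of file`; add a trailing newline so the partial matches the other files in the tree and does not produce noisy diffs on the next edit. The link target `/vault/docs/interoperability-matrix#ipv6-validation-and-compliance` does match the `## IPv6 validation and compliance` heading introduced in the same series, so the anchor is fine as long as that heading text stays unchanged.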
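Review bot: the hunk in PATCH 2/3 only strips trailing whitespace from "in compliance with OMB Mandate M-21-07 and Federal IPv6 policy requirements", a line that PATCH 1/3 introduced in this same series; squash it into the first commit before merge rather than keeping a standalone whitespace fixup in history.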
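Review bot: same for the hunk in PATCH 3/3, which only removes the trailing space after "**Self-attested testing covers functionality related to HSM, FIPS 140-2, and"; fold it into PATCH 1/3 together with the previous whitespace fixup so the series lands as a single documentation commit.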