We’re comparing the Vault editions to see what’s viable for our use cases. Currently, we use Ubuntu 22 servers that are FIPS enabled.
I noticed from the Vault docs that Community edition does not support FIPS. What I’m wondering is if that matters since the OS itself is FIPS enabled. With my little knowledge of FIPS, I believe it’s just limited to which encryption algorithms are used for data in transit. Or is it more than that? Would anyone be able to provide insight into what we’d be losing in the context of FIPS in this situation?
Hello,
If someone with more FIPS experience has a better answer, I would love to update my brain cells.
As far as I know, and it’s been a minute or two since I had to dive deep into FIPS, the context is whether the data you are storing, or the use case you have for Vault, needs to be FIPS compliant.
If you are using Vault to store secrets, or grant access to systems that do not fall within the security boundary for your FIPS environment, you might be okay. Honestly, my experience with auditors is you could still get dinged on an audit - probably best to check with your auditor/auditing company here. It might also make attestation tricky, since you would have to show nothing in Vault is part of the FIPS environment (secrets, data in transit encryption).
If your use case for Vault includes storing data, or encrypting data, that falls under the scope needed for your org, then you would not be compliant, because Vault uses its own cryptographic barrier/functions. You would need Vault Enterprise to get FIPS.
Generally, if I need to be compliant for something, I try to make everything compliant, but that doesn’t always work.