Vault Radar FAQ
This FAQ contains frequently asked questions about HCP Vault Radar.
- Q: Why does Vault Radar use HMAC + Argon?
- Q: If both the database and the HMAC key are leaked, could someone launch a brute-force attack on the database?
- Q: How do we calculate severity?
- Q: What are the explicit exclusions made by Vault Radar Secret Engine?
- Q: What IPs should be allowlisted for Vault Radar SaaS to scan data sources inside a user's network directly from HCP?
- Q: What firewall allowlisting is required for Vault Radar CLI and Agent to authenticate with HCP?
Q: Why does Vault Radar use HMAC + Argon?
Argon2id is a strong, well-studied password hashing algorithm that provides memory-hardness, parallelism-safety, and adjustable cost parameters. It has undergone years of cryptographic testing and analysis, and it resists brute-force attacks because every guess carries a high compute and memory cost.
To increase security further, Vault Radar also applies "peppering" (a keyed HMAC) on top of the Argon2id hash.
Q: If both the database and the HMAC key are leaked, could someone launch a brute-force attack on the database?
One of Argon2id's main features is its resistance to brute-force attacks: each attempt is very expensive in both memory and CPU, so such attacks remain costly even with both artifacts in hand.
Q: How do we calculate severity?
Severity can be overridden by event rules for specific patterns, but this applies only to HCP scans, not to CLI offline scans.
Severity | Definitions |
---|---|
Critical | |
High | |
Medium | If none of the other conditions are met, the severity is set to medium by default. |
Low | |
Info | |
Q: What are the rules for assigning the secret_in_test_file tag?
- the name of the file where the risk is located, or of any (sub)directory in its path, contains "test".
- a (sub)directory in the path of the file where the risk is located starts with "mocks".
- a (sub)directory in the path of the file where the risk is located is "qa".
Q: What are the explicit exclusions made by Vault Radar Secret Engine?
- Keys and IDs containing EXAMPLE or TEST are not reported at all.
- README files are marked as not important.
- Test files are marked as not important.
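The tag rules and the Secret Engine exclusions above, combined into one triage function as an added example (this is not Vault Radar's own code). It assumes case-insensitive name matching for the tag rules, that a "README file" is any file whose name begins with README, and that a "test file" is one that earns the secret_in_test_file tag; the sample findings and their values are constructed placeholders.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass
class Finding:
    path: str   # repository-relative POSIX path of the file holding the risk
    value: str  # the matched key or ID

def secret_in_test_file(path: str) -> bool:
    """The FAQ's three secret_in_test_file rules. Matching is done
    case-insensitively (an assumption; the FAQ does not say)."""
    p = PurePosixPath(path)
    dirs = [d.lower() for d in p.parts[:-1]]
    if "test" in p.name.lower() or any("test" in d for d in dirs):
        return True
    if any(d.startswith("mocks") for d in dirs):
        return True
    return "qa" in dirs

def triage(f: Finding) -> dict:
    """Apply the Secret Engine exclusions, then tag. 'README file' is read
    as a name starting with README and 'test file' as one that earns the
    secret_in_test_file tag; both readings are assumptions."""
    if "EXAMPLE" in f.value or "TEST" in f.value:
        return {"reported": False, "important": False, "tags": []}
    tags, important = [], True
    if PurePosixPath(f.path).name.upper().startswith("README"):
        important = False
    if secret_in_test_file(f.path):
        tags.append("secret_in_test_file")
        important = False
    return {"reported": True, "important": important, "tags": tags}

# Constructed sample findings; the values are placeholders, not credentials.
SAMPLES = [
    Finding("src/config/prod.yaml", "akid-constructed-001"),
    Finding("tests/fixtures/creds.json", "akid-constructed-002"),
    Finding("src/mocks_server/keys.py", "akid-constructed-003"),
    Finding("qa/secrets.env", "akid-constructed-004"),
    Finding("docs/README.md", "akid-constructed-005"),
    Finding("src/app.py", "AKIDTESTPLACEHOLDER"),
    Finding("quality/contest_results.txt", "akid-constructed-006"),
]

def run_samples() -> dict:
    # Triage every sample, keyed by path
    return {f.path: triage(f) for f in SAMPLES}
```

Note that the "contains test" rule is a plain substring match, so a file such as contest_results.txt is tagged as well; that is worth knowing when reviewing tagged findings.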
Q: What IPs should be allowlisted for Vault Radar SaaS to scan data sources inside a user's network directly from HCP?
Users need to allow inbound access from the following IP addresses so that Vault Radar on HCP can communicate with data sources inside a secured network.
```text
# Vault Radar Primary
3.213.172.245
44.215.93.123
34.226.175.235
# Vault Radar Failover
34.208.33.38
44.227.97.170
44.238.204.12
```
Note
These IPs may change in the future; HashiCorp (Vault Radar) will do its best to give customers a reasonable amount of time to make the necessary changes.
Q: What firewall allowlisting is required for Vault Radar CLI and Agent to authenticate with HCP?
If outbound traffic from the user's network is restricted, the following fully qualified domain names (FQDNs) must be allowed so that the Vault Radar Agent and/or CLI can communicate with HCP.
```text
api.cloud.hashicorp.com
auth.idp.hashicorp.com
```
Note
HashiCorp HCP does not currently have a predefined set of static IPs for ingress traffic to its servers.