Vault Radar FAQ
This FAQ contains frequently asked questions about HCP Vault Radar.
- Q: Why does Vault Radar use HMAC + Argon?
- Q: If both the database and the HMAC key are leaked, someone could launch a brute-force attack on the database?
- Q: How do we calculate severity?
- Q: What are the explicit exclusions made by Vault Radar Secret Engine?
- Q: Can you share a script to list all my Confluence spaces?
- Q: What IPs should be allowlisted for Vault Radar SaaS to scan data sources inside a user's network directly from HCP?
- Q: What firewall allowlisting is required for Vault Radar CLI and Agent to authenticate with HCP?
Q: Why does Vault Radar use HMAC + Argon?
Argon2id is a strong and secure hashing algorithm providing memory-hardness, parallelism-safety, and adjustable parameters. It has undergone years of cryptographic testing and analysis, and is resistant to brute-force attacks due to the increased compute cost to crack.
To increase security, Vault Radar also uses “peppering” on top of Argon2id hash.
Q: If both the database and the HMAC key are leaked, someone could launch a brute-force attack on the database?
One of Argon2id's main features is resistance against brute force attacks. It is very expensive in both memory and CPU to attempt these types of attacks.
Q: How do we calculate severity?
The severity can be overridden by event rules for specific patterns, but this applies only to HCP scans and not CLI offline scans.
Severity | Definitions |
---|---|
Critical |
|
High |
|
Medium | If none of the other conditions are met, the severity is set to medium by default. |
Low |
|
Info |
|
Q: What are the explicit exclusions made by Radar Secret Engine?
- Keys and IDs containing EXAMPLE are not reported at all.
- README files are marked as not important.
- Files named Test are marked as not important.
Q: Can you share a script to list all my Confluence spaces?
#!/bin/bash # Set Confluence credentialsUSERNAME="your_username"API_TOKEN="your_api_token"CONFLUENCE_URL="https://your-confluence-site.com/wiki" # Make API request to get all spacescurl -u "$USERNAME:$API_TOKEN" -X GET "$CONFLUENCE_URL/rest/api/space" | jq '.results[].key'All scripts are available at: https://drive.google.com/drive/u/0/folders/17HVZVYZnm-2HYHenRwq0IxgCHK_7pCQV.
Q: What IPs should be allowlisted for Vault Radar SaaS to scan data sources inside a user's network directly from HCP?
Users will need to allow inbound access from the following IP addresses in order for Vault Radar HCP to communicate with data sources within a secure network.
# Vault Radar Primary3.213.172.24544.215.93.12334.226.175.235# Vault Radar Failover34.208.33.3844.227.97.17044.238.204.12
Note
There may be changes to these IP’s in the future, HashiCorp (Vault-Radar) will do its best to give customers a reasonable amount of time to make the necessary changes.
Q: What firewall allowlisting is required for Vault Radar CLI and Agent to authenticate with HCP?
If outbound traffic is restricted from within a user's network, then following fully qualified domain names (FQDNs) should be allowed in order for the Vault Radar Agent and/or CLI to communicate with HCP.
api.cloud.hashicorp.comauth.idp.hashicorp.com
Note
HashiCorp HCP does not have a predefined set of static IP’s for ingress traffic to its servers at this time.