hashicorp · brianshumate · Aug 4, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 6, 2025
@@ -0,0 +1,51 @@
+---
+layout: docs
+page_title: Secure cluster with TLS
+description: >-
+  Protect cluster communications and security posture with end-to-end TLS.
+---
+
+# Secure cluster with TLS
+
+When you secure your Vault cluster communications with TLS, you enhance the cluster's overall security posture. TLS also ensures that data transmitted between Vault nodes and clients remains confidential and tamper-proof.
+
+<ImageConfig hideBorder caption="Secure intra-cluster and inter-cluster communications with TLS">
+
+![Secure Vault intra-cluster and inter-cluster communications with TLS](/img/diagram-secure-vault-tls.png#light-theme-only)
+
+</ImageConfig>
+
+<ImageConfig hideBorder>
+
+![Secure intra-cluster and inter-cluster communications with TLS](/img/diagram-secure-vault-tls-dark.png#dark-theme-only)
+
+</ImageConfig>
+
+Securing your Vault cluster deployments with mutual TLS is a crucial step for protecting sensitive data, and preventing unauthorized access. Operating Vault with TLS enabled enhances compliance, governance, auditing capabilities, and incident response. 
+
+Enable TLS in your Vault clusters to gain:
+
+- **Improved data protection**: prevent unauthorized access or communication with the Vault cluster to ensure data availability based on your security policies. Sensitive data is also protected in transit to prevent interception or tampering.
+
+- **Strong identity verification**: Vault cluster nodes and clients verify identities from TLS certificates before communicating to enable trusted operations and prevent impersonation.
+
+- **Improved compliance and governance**: Implementing mutual TLS in your Vault clusters aligns your deployments with industry best practices and regulatory requirements like HIPAA, PCI-DSS, and others.
+
+- **Reduce risk of data leaks**: When you operate Vault clusters with mutual TLS enabled, you minimize the risk of data leaks and unauthorized access to sensitive information.
+
+- **Improved incident response**: Mutual TLS helps to limit the exposure or damage from unauthorized access to sensitive data stored in Vault, making incident response more straightforward.
+
+
+HashiCorp resources:
+
+- [Default TLS configuration](/vault/docs/configuration/listener/tcp#default-tls-configuration)
+
+
+- [Configure TLS for your Vault TCP listener](/vault/docs/configuration/listener/tcp/tcp-tls)
+
+
+- [Vault installation to minikube via Helm with TLS enabled](/vault/tutorials/kubernetes/kubernetes-minikube-tls)
+
+External resources:
+
+- [Enabling TLS on your Vault cluster on Kubernetes](https://medium.com/@martin.hodges/enabling-tls-on-your-vault-cluster-on-kubernetes-0d20439b13d0)
@@ -670,6 +670,10 @@
         "title": "Run as a service",
         "path": "deploy/run-as-service"
       },
+      {
+        "title": "Secure cluster with TLS",
+        "path": "deploy/secure-cluster-with-tls"
+      },
       {
         "title": "Run on AWS",
         "routes": [

@@ -0,0 +1,51 @@
+---
+layout: docs
+page_title: Secure cluster with TLS
+description: >-
+  Protect cluster communications and security posture with end-to-end TLS.
+---
+
+# Secure cluster with TLS
+
+When you secure your Vault cluster communications with TLS, you enhance the cluster's overall security posture. TLS also ensures that data transmitted between Vault nodes and clients remains confidential and tamper-proof.
+
+<ImageConfig hideBorder caption="Secure intra-cluster and inter-cluster communications with TLS">
+
+![Secure Vault intra-cluster and inter-cluster communications with TLS](/img/diagram-secure-vault-tls.png#light-theme-only)
+
+</ImageConfig>
+
+<ImageConfig hideBorder>
+
+![Secure intra-cluster and inter-cluster communications with TLS](/img/diagram-secure-vault-tls-dark.png#dark-theme-only)
+
+</ImageConfig>
+
+Securing your Vault cluster deployments with mutual TLS is a crucial step for protecting sensitive data, and preventing unauthorized access. Operating Vault with TLS enabled enhances compliance, governance, auditing capabilities, and incident response. 
+
+Enable TLS in your Vault clusters to gain:
+
+- **Improved data protection**: prevent unauthorized access or communication with the Vault cluster to ensure data availability based on your security policies. Sensitive data is also protected in transit to prevent interception or tampering.
+
+- **Strong identity verification**: Vault cluster nodes and clients verify identities from TLS certificates before communicating to enable trusted operations and prevent impersonation.
+
+- **Improved compliance and governance**: Implementing mutual TLS in your Vault clusters aligns your deployments with industry best practices and regulatory requirements like HIPAA, PCI-DSS, and others.
+
+- **Reduce risk of data leaks**: When you operate Vault clusters with mutual TLS enabled, you minimize the risk of data leaks and unauthorized access to sensitive information.
+
+- **Improved incident response**: Mutual TLS helps to limit the exposure or damage from unauthorized access to sensitive data stored in Vault, making incident response more straightforward.
+
+
+HashiCorp resources:
+
+- [Default TLS configuration](/vault/docs/configuration/listener/tcp#default-tls-configuration)
+
+
+- [Configure TLS for your Vault TCP listener](/vault/docs/configuration/listener/tcp/tcp-tls)
+
+
+- [Vault installation to minikube via Helm with TLS enabled](/vault/tutorials/kubernetes/kubernetes-minikube-tls)
+
+External resources:
+
+- [Enabling TLS on your Vault cluster on Kubernetes](https://medium.com/@martin.hodges/enabling-tls-on-your-vault-cluster-on-kubernetes-0d20439b13d0)
@@ -711,6 +711,10 @@
         "title": "Run as a service",
         "path": "deploy/run-as-service"
       },
+      {
+        "title": "Secure cluster with TLS",
+        "path": "deploy/secure-cluster-with-tls"
+      },
       {
         "title": "Run on AWS",
         "routes": [