| Developers: | Flant |
| Last Release Date: | 2025/07/08 |
| Technology: | Information Security - Authentication |
2026
Integration with Postgres Pro Enterprise
On March 12, 2026, Postgres Professional announced the successful completion of integration tests of the Postgres Pro Enterprise database management system and Deckhouse Stronghold, the secure secret lifecycle management module of Flant's Deckhouse Kubernetes Platform. The joint solution provides secure key storage for Transparent Data Encryption (TDE) and extends the options for building a secure storage infrastructure.
Starting with version 17, the Postgres Pro Enterprise DBMS supports the Transparent Data Encryption (TDE) mechanism, which encrypts confidential or personal information in selected tablespaces and in the write-ahead log (WAL). When TDE is enabled, data is encrypted when written to disk or to a backup system and decrypted when read. The advantage of this mechanism is that it requires no changes in the application or on the clients.
Postgres Pro Enterprise can use an external key management system (KMS) to protect the encryption keys it uses.
The Deckhouse Kubernetes Platform includes several editions of the Deckhouse Stronghold secure secret lifecycle management module, a Russian solution that runs on Russian operating systems while exposing an API fully compatible with HashiCorp Vault. The joint solution provides additional key protection, standardizes how secrets are handled across the organization, and makes it possible to use only domestic software, including editions certified by the FSTEC of Russia.
The encryption keys for tablespaces and the WAL are kept in a dedicated file in the DBMS data directory. This key store is protected by encryption with a master key that is generated and stored in Deckhouse Stronghold. After successful authentication to the KMS through the Stronghold agent and receipt of a token, the Postgres Pro DBMS calls the command to decrypt the key file, and, when new keys are created, the command to encrypt them. The keys in clear form reside only in DBMS memory and are used to work with the data in the selected tablespaces and in the WAL.
The combination of the DBMS and the Stronghold agent separates access to the keys and reduces the risk if individual components are compromised.
The master key never leaves Stronghold. Stronghold performs only encryption and decryption operations (transit/encrypt, transit/decrypt); the master key value itself is never transmitted to the DBMS or to the agent.
Postgres Pro keeps no long-lived secrets. The process only holds a short-lived token (valid for 1 to 4 hours), which the agent renews automatically.
The token's access policy is narrow: it permits only operations with the TDE master key and grants no access to other Stronghold secrets or to administrative functions.
Theft or copying of a DBMS disk: data in the protected tablespaces is stored encrypted. The key store is itself encrypted with the master key, so the data cannot be decrypted without access to Stronghold.
Leak of the key file: stealing only the key store is useless, because decrypting it requires the master key, which is stored exclusively in Stronghold.
Compromise of the Postgres Pro server: an attacker obtains a short-lived token and encrypted data. Once the token expires, a new one cannot be obtained, and decrypting the data additionally requires a working connection to Stronghold.
Compromise of the token: with a leaked token an attacker can only call encrypt/decrypt for a single key within a limited time window, without access to other secrets and without extracting the master key itself.
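The envelope-encryption model described above (a local key file wrapped by a master key that never leaves the KMS, accessed through a short-lived token whose policy allows only transit/encrypt and transit/decrypt on one key) can be exercised end to end in a small simulation. The following is an added example and is not code from Postgres Pro or Deckhouse Stronghold: the `TransitKMS` class, the key name `pgpro-tde`, the policy paths and the keystore layout are assumptions chosen for illustration, and the transit cipher is a toy HMAC-SHA256-based construction standing in for the real AES-based engine so that the script runs with the Python standard library only.

```python
import hashlib
import hmac
import json
import secrets

# ---- toy authenticated cipher: stand-in for the transit engine's AES, not for production ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, producing `length` bytes of keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext to the key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class AccessDenied(Exception):
    pass

class TransitKMS:
    """Hypothetical model of a Vault-style transit engine (not Stronghold's implementation)."""
    def __init__(self):
        self._master_keys = {}   # name -> key bytes; no method ever returns them
        self._tokens = {}        # token -> (allowed paths, expiry as epoch seconds)

    def create_key(self, name: str) -> None:
        self._master_keys[name] = secrets.token_bytes(32)

    def issue_token(self, allowed_paths, ttl_seconds: int, now: int) -> str:
        token = "hvs." + secrets.token_hex(16)
        self._tokens[token] = (frozenset(allowed_paths), now + ttl_seconds)
        return token

    def request(self, token: str, path: str, payload: bytes, now: int) -> bytes:
        """Policy check first, then the only two operations the engine exposes."""
        entry = self._tokens.get(token)
        if entry is None or now >= entry[1]:
            raise AccessDenied("token missing or expired")
        if path not in entry[0]:
            raise AccessDenied(f"policy denies {path}")
        _, op, name = path.split("/")           # "transit/<op>/<key name>"
        key = self._master_keys[name]
        if op == "encrypt":
            return _seal(key, payload)
        if op == "decrypt":
            return _open(key, payload)
        raise AccessDenied(f"unsupported operation {op}")

# ---- DBMS side: data keys exist in clear form only in memory ----
TDE_KEY = "pgpro-tde"                                   # assumed key name
TDE_POLICY = {f"transit/encrypt/{TDE_KEY}", f"transit/decrypt/{TDE_KEY}"}

def create_keystore(kms: TransitKMS, token: str, now: int):
    """Generate tablespace/WAL data keys and return them with their wrapped on-disk form."""
    keys = {"tablespace:secure": secrets.token_hex(32), "wal": secrets.token_hex(32)}
    wrapped = kms.request(token, f"transit/encrypt/{TDE_KEY}", json.dumps(keys).encode(), now)
    return keys, wrapped

def open_keystore(kms: TransitKMS, token: str, wrapped: bytes, now: int) -> dict:
    return json.loads(kms.request(token, f"transit/decrypt/{TDE_KEY}", wrapped, now))

def _succeeds(fn) -> bool:
    try:
        fn()
        return True
    except (AccessDenied, ValueError):
        return False

def run_scenarios(ttl_seconds: int = 3600) -> dict:
    """Replay the threat scenarios from the text against the model; returns a dict of outcomes."""
    now = 1_700_000_000                                # constructed fixed clock
    kms = TransitKMS()
    kms.create_key(TDE_KEY)
    token = kms.issue_token(TDE_POLICY, ttl_seconds, now)
    keys, wrapped = create_keystore(kms, token, now)
    return {
        "wrapped_blob_has_no_key_material": all(v.encode() not in wrapped for v in keys.values()),
        "normal_startup_recovers_keys": open_keystore(kms, token, wrapped, now) == keys,
        # stolen key file, no KMS: any key guessed by the thief fails the tag check
        "stolen_file_alone_decryptable": _succeeds(lambda: _open(secrets.token_bytes(32), wrapped)),
        # leaked token: policy stops it at any path other than the two transit operations
        "token_reads_other_secrets": _succeeds(lambda: kms.request(token, "secret/data/db-password", b"", now)),
        # compromised server after the token TTL: decryption is no longer possible
        "expired_token_works": _succeeds(lambda: open_keystore(kms, token, wrapped, now + ttl_seconds + 1)),
    }

if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The design point worth noticing is that the DBMS side never holds anything that identifies the master key: the wrapped blob carries a nonce, ciphertext and tag, and every decryption is a round trip through a policy-checked request, so the three compromise scenarios in the text (disk, key file, token) each fail at a different layer.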
The integration of Postgres Pro Enterprise and Deckhouse Stronghold gives organizations flexibility in choosing information security mechanisms, standardizes secret management processes and allows information protection to be built on domestic software.
FSTEC of Russia certification
Flant's secret management solution Deckhouse Stronghold received certificate of conformity No. 5038 of the FSTEC of Russia dated February 10, 2026. The document confirms that the Deckhouse Stronghold Certified Security Edition meets the requirements of the technical specifications and of FSTEC of Russia order No. 76 of June 2, 2020 at trust level 4. The developer announced this on February 24, 2026.
The certified edition of Deckhouse Stronghold can be deployed by organizations for which the use of products certified by the FSTEC of Russia is mandatory: state-owned companies and state corporations, banks, federal and regional executive bodies, as well as organizations operating critical information infrastructure facilities.
Deckhouse Stronghold Certified Security Edition implements HashiCorp Vault Enterprise-level functionality, including inter-cluster replication, namespaces, scheduled automatic data backup, built-in secure auto-unseal of the storage without external services or a KMS, support for external hardware security modules, and double encryption of data. The Russian cryptographic algorithms Kuznyechik and Magma are also supported in accordance with GOST R 34.12-2018.
| We set ourselves the task of creating not just a certified solution, but a full-fledged enterprise repository of secrets, which can be used in real production environments with increased information security requirements. Deckhouse Stronghold Certified Security Edition was originally developed in accordance with the requirements for secure software development according to GOST R 56939-2024. Certification by the FSTEC of Russia confirms that the product fully complies with the requirements of the regulator and offers customers functionality at the level of HashiCorp Vault Enterprise, said Vladimir Devyataykin, Deckhouse Stronghold product manager at Flant. |
The certified edition of Deckhouse Stronghold may be used to protect information at significant critical information infrastructure facilities up to and including significance category 1, to secure personal data in information systems up to and including security level 1, to protect information in state information systems up to and including security class 1, and to protect information in automated production and process control systems at critical and potentially hazardous facilities.
Further development of the Certified Security Edition is planned, including expanded performance replication functionality and an assessment of the operating environment's impact on the cryptographic information protection tool as part of embedding a CIPF into Deckhouse Stronghold.
Support for Rutoken EDS 3.0
Deckhouse Stronghold now supports the Rutoken EDS 3.0 line of hardware cryptographic key media from Aktiv Company. The integration provides new capabilities for protecting corporate secrets and improves the security of the storage. Aktiv announced this on February 19, 2026.
The Deckhouse Stronghold secret manager protects passwords, API keys, certificates, SSH keys and tokens, and provides secure storage and delivery of secrets to applications.
With Rutoken EDS 3.0 devices, Deckhouse Stronghold can implement several scenarios of additional secret protection. In the first scenario, in addition to the basic AES encryption performed by Deckhouse Stronghold, Rutoken EDS 3.0 devices act as a second data encryption layer. The solution thus provides double encryption of secrets using the Seal Wrap method, with two available combinations of algorithms: AES + RSA and AES + GOST. This approach significantly increases resistance to compromise: if the AES key leaks, the data remains protected by the encryption performed with the hardware key medium, and if the PIN code is compromised, by the AES encryption.
In addition, Rutoken EDS 3.0 can encrypt and decrypt the master key with which Deckhouse Stronghold encrypts data. Usually the master key has to be stored separately, for example in a dedicated key management service (KMS). Now it can simply be kept in the Deckhouse Stronghold storage itself, encrypted beforehand with the Rutoken. Without the hardware medium nobody can read the master key, even with access to the storage.
Rutoken EDS 3.0 from Aktiv is a line of next-generation USB tokens and smart cards for two-factor authentication on desktop and mobile devices, signing documents with an electronic signature, and protecting information. Support for domestic (including Kuznyechik and Magma) and international encryption algorithms allows Rutoken EDS 3.0 models to be used in information systems with high security requirements. The devices are certified to the requirements of the FSB of Russia and the FSTEC of Russia.
| The Rutoken EDS 3.0 line has already established itself as a reliable tool for two-factor authentication and electronic signature. Integration with Deckhouse Stronghold allows the devices to be used for hardware encryption of corporate secrets at the containerization platform level. This is especially important in the context of import substitution and the transition to domestic solutions, said Ksenia Shavrova, Head of Technology Partners, Aktiv Company. |
| The integration of Deckhouse Stronghold with Rutoken EDS 3.0 takes secret storage security to the next level. Now organizations can use advanced double encryption using both international and Russian cryptographic algorithms. The latter is especially important for data protection in CII, GIS and ISPD, noted Vladimir Devyataykin, product manager at Deckhouse Stronghold. |
2025
Compatible with RuBackup version 2.7 and higher
On November 21, 2025, RuBackup and Flant (the developer of Deckhouse Stronghold) announced the technological compatibility of their solutions. Starting with version 2.7, the RuBackup backup and recovery system can automatically obtain the credentials for connecting to protected systems from the centralized Deckhouse Stronghold secret store.
Multifactor Compatibility
On July 24, 2025, MULTIFACTOR and Flant announced the completion of all stages of compatibility testing of their solutions, the MULTIFACTOR two-factor authentication system and Deckhouse Stronghold. The tests confirmed the reliability and correct operation of the products together.
A compatibility certificate has been issued as part of the technological integration.
For MULTIFACTOR users, integration with Deckhouse Stronghold extends the list of protected resources by adding a domestic secret store to the supported solutions. In turn, Deckhouse Stronghold supports connecting MULTIFACTOR as an additional two-factor authentication module. This allows customers to strengthen the security of existing processes without replacing their current infrastructure.
| The compatibility of the MULTIFACTOR two-factor authentication system and Deckhouse Stronghold helps to improve data protection, ensures compliance with cybersecurity laws and creates a reliable working environment for any IT solutions, said Roman Bashkatov, Commercial Director of MULTIFACTOR. |
| Deckhouse Stronghold's integration with MULTIFACTOR complements existing security mechanisms and creates an additional barrier protecting critical secret operations. In addition, this gives our customers even more flexibility in building complex information security systems thanks to support for a two-factor authentication system listed in the register of Russian software, said Konstantin Aksenov, Director of the Deckhouse Development Department at Flant. |
Deckhouse Stronghold Community Edition for Secret Management
Flant has released Deckhouse Stronghold Community Edition, a free version of its secure corporate secret management solution and a full-fledged Russian alternative to HashiCorp Vault Community Edition. The company announced this on July 8, 2025.
Deckhouse Stronghold Community Edition provides the basic secure secret lifecycle management features available in HashiCorp Vault Community Edition: storage, creation, delivery, revocation and rotation. Popular authentication methods (JWT, OIDC, Kubernetes, LDAP, Token) and secret engines (KV, Kubernetes, Database, SSH, PKI, etc.) are supported. The solution runs on Russian operating systems (Red OS, ROSA Server, ALT Linux, Astra Linux Special Edition), can be deployed in air-gapped environments, and integrates with Infrastructure as Code tools such as Ansible and Terraform, which makes it easy to fit into existing DevOps processes. A convenient web interface is also available.
Enterprise-level functionality such as role management (AppRole, OIDC/JWT roles) via the web interface, namespace support, data replication, automatic API backups and audit logging remains available only in the commercial editions of the product. This approach lets organizations start with the basic functionality and scale the solution as their needs grow.
| With the release of Deckhouse Stronghold Community Edition, we offer the engineering community an affordable and state-of-the-art solution for secure secret management. This is a full-fledged tool developed in Russia that fully meets the requirements for domestic software and is already included in the register of the Ministry of Digital Development. We give engineers a convenient tool and pave the way for feedback, joint development of functionality, as well as honest product support from the Deckhouse team, said Vladimir Devyataykin, product manager at Deckhouse Stronghold. |
Deckhouse Stronghold Community Edition is available exclusively as part of Deckhouse Kubernetes Platform in both free and commercial editions. In the future, the vendor plans to develop the functionality of Deckhouse Stronghold Community Edition, as well as open the source code of the product.
HashiCorp Vault Enterprise Feature Set
Deckhouse Stronghold, Flant's solution for secure management of corporate secrets, now offers the full set of HashiCorp Vault Enterprise-level features that customers need. The product provides namespaces, scheduled automatic backup and data replication. Flant announced this on May 26, 2025.
After HashiCorp left the Russian market, many organizations faced a choice: use the limited functionality of the community version of Vault or look for a full-fledged replacement. Most domestic solutions still do not go beyond basic capabilities, whereas in 2025 Deckhouse Stronghold implemented the key functionality available in HashiCorp Vault Enterprise.
Namespaces with support for nesting and hierarchies have appeared in the product, fully compatible with Vault Enterprise in terms of the API and the access control logic. Scheduled automatic data backup has been added, with the ability to save files to S3-compatible storage. KV1/KV2 storage replication has been implemented on a master-slave architecture, which is critical for reliable operation in geo-distributed environments.
For customers, the match between Deckhouse Stronghold and Vault Enterprise on the required feature set means that the solution is ready for full use in critical and highly regulated IT environments. The product centralizes secret management and simplifies administration even in a large infrastructure, ensuring stability and control over critical processes. Thanks to compatibility with the Vault Enterprise API, companies can switch to a domestic solution without significant expenditure of time and resources while keeping their usual access and security processes. This reduces risks and makes the transition from foreign software as smooth as possible.
| We strive for Deckhouse Stronghold to become a full and reliable replacement for Vault Enterprise in Russian realities. And we can confidently say: we have achieved this goal. The product fully implements the required functionality and develops with a focus on the requirements of the local market. This is a solution for those who are not ready for compromises in security, control and flexibility, said Maxim Kiselev, head of development at Deckhouse Stronghold. |
In 2025, the company plans to complete certification of Deckhouse Stronghold for compliance with the technical specifications and FSTEC of Russia order No. 76 of June 2, 2020 at trust level 4, which will allow the solution to be used in environments with increased security requirements. In addition, the product has already become part of the new FSTEC-certified version of Deckhouse Kubernetes Platform as a functional module implementing the basic functions of a secret store. Support for the GOST 34.12-2018 cryptographic algorithms and performance and disaster-recovery replicas are also in development.
2024: Inclusion in the register of Russian software
Flant's secure storage and secret management solution Deckhouse Stronghold has been included in the register of Russian software. The developer announced this on May 15, 2024. The product is built, supplied and fully operational on Russian operating systems. It is fully compatible with the HashiCorp Vault API and has a Russian-language interface.
Deckhouse Stronghold can be used in any environment, including clouds and air-gapped networks with increased security requirements. The solution separates the rights to administer the storage from the rights of applications to obtain secrets, which minimizes the risk of data leakage and provides fine-grained access control.
The solution is part of the Deckhouse ecosystem and is deeply integrated with all of its products. In addition, Stronghold is compatible with a wide range of existing solutions on the market, including secure delivery of secrets to databases and CI/CD systems and authentication against external identity sources (for example, AD, OIDC, LDAP, SAML).
| The inclusion of Deckhouse Stronghold in the register is a natural event for us. The solution is based on a mature product that has existed since 2015. The Stronghold code is stored and developed in Russia, and is constantly tested for vulnerabilities. All documentation and the interface are written in Russian, which makes working with the product more convenient and easier. Technical support from experts is also provided, said Konstantin Aksyonov, director of the Deckhouse development department at Flant. We continue to actively work on the technological development of the product. Isolated environments and multi-tenancy are in the process of implementation, which will allow the storage of secrets to be divided between individual departments or teams. |
By the end of 2024, GOST encryption algorithms will be implemented in Deckhouse Stronghold. In the first quarter of 2025, the developer will also begin implementing support for HSMs (Hardware Security Modules), hardware and software cryptographic modules for systems with increased security requirements.