Vault Home

»Entropy Augmentation Seal

Entropy augmentation enables Vault to sample entropy from external cryptographic modules. Sourcing external entropy is done by configuring a supported Seal type which include: PKCS11 seal, AWS KMS, and Vault Transit. Vault Enterprises's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file.

Requirements

A valid Vault Enterprise license is required for Entropy Augmentation.

Warning This feature is not available with FIPS 140-2 Inside variants of Vault.

Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:

  • Vault Enterprise with the Plus package
  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library — ensure that it is installed for the correct architecture of your servers

entropy Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}

seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}

For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.

entropy augmentation Parameters

These parameters apply to the entropy stanza in the Vault configuration file:

  • mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation which sources entropy for Critical Security Parameters (CSPs).
Edit this page on GitHub