Entropy Augmentation Seal

Entropy augmentation enables Vault to sample entropy from external cryptographic modules. External entropy is sourced by configuring a supported seal type; these include the PKCS11 seal, AWS KMS, and Vault Transit. Vault Enterprise's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file.

Requirements

A valid Vault Enterprise license is required for Entropy Augmentation.

Warning: This feature is not available with FIPS 140-2 Inside variants of Vault.

Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:

  • Vault Enterprise with the Plus package
  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library; ensure that it is installed for the correct architecture of your servers

entropy Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}

For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.

entropy augmentation Parameters

These parameters apply to the entropy stanza in the Vault configuration file:

  • mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation which sources entropy for Critical Security Parameters (CSPs).
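
The following check is an added example, not part of the original page or of Vault itself: it lints a configuration file for the pairing described above, an entropy "seal" stanza with a supported mode alongside one of the listed seal types. The function name, the seal stanza names "awskms" and "transit", and the simplified parsing (whole-line comments only, no nested braces) are assumptions of this sketch.

```python
import re

# Seal stanza names for the sources the page lists: PKCS11, AWS KMS, Vault Transit.
SUPPORTED_SEALS = {"pkcs11", "awskms", "transit"}
SUPPORTED_MODES = {"augmentation"}  # the only mode the page documents

# Simplifications (assumptions): only whole-line comments are stripped, and
# stanza bodies contain no nested braces.
COMMENT_RE = re.compile(r'^\s*(?:#|//).*$', re.M)
BLOCK_RE = re.compile(r'^\s*(seal|entropy)\s+"([^"]+)"\s*\{([^{}]*)\}', re.M)
MODE_RE = re.compile(r'^\s*mode\s*=\s*"([^"]*)"', re.M)


def check_entropy_config(text):
    """Return a list of problems; an empty list means the stanza pair is consistent."""
    blocks = BLOCK_RE.findall(COMMENT_RE.sub("", text))
    seals = [label for kind, label, _ in blocks if kind == "seal"]
    entropy = [(label, body) for kind, label, body in blocks if kind == "entropy"]
    if not entropy:
        return ["no entropy stanza: external entropy is not activated"]
    problems = []
    if len(entropy) > 1:
        problems.append("more than one entropy stanza")
    for label, body in entropy:
        if label != "seal":
            problems.append(f'entropy label is "{label}", expected "seal"')
        mode = MODE_RE.search(body)
        if mode is None:
            problems.append("entropy stanza has no mode (required)")
        elif mode.group(1) not in SUPPORTED_MODES:
            problems.append(f'unsupported mode "{mode.group(1)}"')
    if not any(s in SUPPORTED_SEALS for s in seals):
        problems.append("entropy stanza present but no pkcs11, awskms or transit seal")
    return problems


# Constructed sample: the page's own example, with its elided seal body kept as "...".
PAGE_EXAMPLE = '''
seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}
'''

if __name__ == "__main__":
    for problem in check_entropy_config(PAGE_EXAMPLE) or ["ok"]:
        print(problem)
```

A commented-out entropy stanza is reported as absent, which is the case worth catching in review: the seal still works, but Vault silently stops sampling the external source.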