HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Vault
Vault Home

Augment entropy with external sampling

Enterprise

Appropriate Vault Enterprise  license required

Warning

Entropy augmentation is not available with "FIPS 140-3 Inside" variants of Vault.

Vault Enterprise features a mechanism to sample entropy (or randomness for cryptographic operations) from external cryptographic modules via the seals interface. While the system entropy used by Vault is more than capable of operating in most threat models, there are some situations where additional entropy from hardware-based random number generators is desirable.

With Entropy Augmentation enabled, the following keys and tokens leverage the configured external entropy source.

OperationDescription
Root KeyAES key that is encrypted by the seal mechanism. This encrypts the key ring.
Key Ring Encryption KeysThe keys embedded in Vault's keyring which encrypt all of Vault's storage.
Recovery KeyWith auto-unseal, use the recovery keys to regenerate root token, key rotation, etc.
TLS Private KeysFor HA leader, Raft and Enterprise Replications.
MFA TOTP KeysThe keys used for TOTP in Vault Enterprise MFA
JWT Signing KeysThe keys used to sign wrapping token JWTs.
Root TokensSuperuser tokens granting access to all operations in Vault.
DR Operation TokensToken that allows certain actions to be performed on a DR secondary.

The transit secrets engine manages a number of different key types and leverages the keysutil package to generate keys. It will use the external entropy source for key generation.

Warning

When you enable the external entropy source, Vault requires connectivity to the HSM. If the HSM becomes unreachable for any reason, the transit secrets engine can't generate new keys or rotate existing keys.

To use this feature, you must have an active or trial license for Vault Enterprise. To start a trial, contact HashiCorp sales.

Critical security parameters (CSPs)

Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module. Designed to operate in environments where alignment with cryptographic regulations like NIST SP800-90B is required or when augmented entropy from external sources such as hardware true random number generators (TRNGs) or quantum computing TRNGs are desirable, augmented entropy replaces system entropy when performing random number operations on critical security parameters (CSPs).

These CSPs have been selected from our previous work in evaluating Vault for conformance with FIPS 140-2 guidelines for key storage and key transport and include (but not limited to) the following:

  • Vault's root key
  • Keyring encryption keys
  • Auto Unseal recovery keys
  • TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
  • Enterprise MFA TOTP token keys
  • JWT token wrapping keys
  • Root tokens
  • DR operation tokens
  • Transit backend key generation and /random endpoint (/random only on Vault 1.11+)
  • PKI issuer key generation, but not for leaf certificate private keys
  • /sys/tools/random endpoint (Vault 1.11+)
  • SSH CA key generation, but not for key pair generation
  • KMIP uses EA for its TLS CA, server, and client certificates.
  • TOTP two factor keys.

Enabling/Disabling

Entropy augmentation is disabled by default. To enable entropy augmentation Vault's configuration file must include a properly configured entropy and seal stanza for a supported seal type.

Edit this page on GitHub