HashiConf Last chance to register for our cloud conference October 10-12. Register today
Vault
Vault Home

Entropy augmentation

Enterprise

Vault Enterprise  license required

Warning

Entropy augmentation is not available with "FIPS 140-2 Inside" variants of Vault.

Vault Enterprise features a mechanism to sample entropy (or randomness for cryptographic operations) from external cryptographic modules via the seals interface. While the system entropy used by Vault is more than capable of operating in most threat models, there are some situations where additional entropy from hardware-based random number generators is desirable.

To use this feature, you must have an active or trial license for Vault Enterprise. To start a trial, contact HashiCorp sales.

Critical security parameters (CSPs)

Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module. Designed to operate in environments where alignment with cryptographic regulations like NIST SP800-90B is required or when augmented entropy from external sources such as hardware true random number generators (TRNGs) or quantum computing TRNGs are desirable, augmented entropy replaces system entropy when performing random number operations on critical security parameters (CSPs).

These CSPs have been selected from our previous work in evaluating Vault for conformance with FIPS 140-2 guidelines for key storage and key transport and include the following:

  • Vault’s root key
  • Keyring encryption keys
  • Auto Unseal recovery keys
  • TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
  • Enterprise MFA TOTP token keys
  • JWT token wrapping keys
  • Root tokens
  • DR operation tokens
  • Transit backend key generation and /random endpoint (/random only on Vault 1.11+)
  • PKI issuer key generation, but not for leaf certificate private keys
  • /sys/tools/random endpoint (Vault 1.11+)
  • SSH CA key generation, but not for key pair generation
  • KMIP uses EA for its TLS CA, server, and client certificates.

Enabling/Disabling

Entropy augmentation is disabled by default. To enable entropy augmentation Vault's configuration file must include a properly configured entropy and seal stanza for a supported seal type.

Tutorial

Refer to the HSM Integration - Entropy Augmentation tutorial to learn how to use the Entropy Augmentation function to leverage an external Hardware Security Module to augment system entropy.

Edit this page on GitHub