Vault HSM support overview

• Root key Wrapping: Vault protects its root key by transiting it through the HSM for encryption rather than splitting into key shares
• Automatic Unsealing: Vault stores its HSM-wrapped root key in storage, allowing for automatic unsealing
• Seal Wrapping to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
• Entropy Augmentation to allow Vault to sample entropy from an external cryptographic module.

HSM support is available for devices that support PKCS#11 version 2.20+ interfaces and provide integration libraries, and is currently available for linux/amd64 platforms only. It has successfully been tested against many different vendor HSMs; HSMs that provide only subsets of the full PKCS#11 specification can usually be supported but it depends on available cryptographic mechanisms.

Please note however that configuration details, flags, and supported features within PKCS#11 vary depending on HSM model and configuration. Consult your HSM's documentation for more details.

Some parts of Vault work differently when using an HSM. Please see the Behavioral Changes page for important information on these differences.

The Configuration page contains configuration information.

The Security page contains information about deploying Vault's HSM support in a secure fashion.

Finally, the HSM partners page contains information about HashiCorp partner products that have been verified to work with Vault for Auto Unsealing / HSM Support and External Key Management.