Vault Enterprise HSM Support

Note: This feature requires Vault Enterprise Plus.

Vault Enterprise HSM support provides:

  • Root Key Wrapping: Vault protects its root key by transiting it through the HSM for encryption rather than splitting it into key shares
  • Automatic Unsealing: Vault stores its HSM-wrapped root key in storage, allowing for automatic unsealing
  • Seal Wrapping: provides FIPS KeyStorage-conforming functionality for Critical Security Parameters
  • Entropy Augmentation: allows Vault to sample entropy from an external cryptographic module
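The following server configuration is an added illustration, not taken from this page or from HashiCorp's own documentation, showing how the features above map onto a Vault Enterprise configuration file. The stanza and parameter names (`seal "pkcs11"`, `lib`, `slot`, `key_label`, `hmac_key_label`, `generate_key`, `entropy "seal"`) are Vault's; every path, slot number, key label and the storage and listener settings are placeholders to be replaced with values matching your HSM and deployment.

```hcl
# Added example (not from the page): a minimal Vault Enterprise server
# configuration wiring the HSM features described above.
# All paths, slot numbers and key labels are placeholders; adjust them to
# match your HSM vendor's PKCS#11 library and token layout.

storage "raft" {
  path    = "/opt/vault/data"   # placeholder
  node_id = "vault-1"           # placeholder
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/server.crt"   # placeholder
  tls_key_file  = "/etc/vault/tls/server.key"   # placeholder
}

# Root key wrapping + automatic unsealing: Vault sends its root key through
# the HSM's PKCS#11 interface for encryption and stores the wrapped result,
# so no Shamir key shares are needed to unseal after a restart.
seal "pkcs11" {
  lib            = "/usr/lib/libcryptoki.so"   # placeholder: vendor PKCS#11 library
  slot           = "0"                          # placeholder: slot id (token_label is an alternative)
  # The HSM PIN is deliberately not written here; supply it through the
  # VAULT_HSM_PIN environment variable so it does not sit in the config file.
  key_label      = "vault-hsm-key"              # AES key that wraps the root key
  hmac_key_label = "vault-hsm-hmac-key"         # HMAC key used for integrity checks
  generate_key   = "true"                       # create both keys on first start if absent
}

# Entropy augmentation: draw entropy for critical random values from the
# HSM's RNG in addition to the host's source.
entropy "seal" {
  mode = "augmentation"
}
```

Seal wrapping is enabled per mount rather than in this file, for example with `vault secrets enable -seal-wrap kv`, after which that mount's Critical Security Parameters are additionally wrapped by the HSM-backed seal key.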

HSM support is available for devices that support PKCS#11 version 2.20+ interfaces and provide integration libraries, and is currently available for linux/amd64 platforms only. It has been tested successfully against many different vendor HSMs; HSMs that provide only a subset of the full PKCS#11 specification can usually be supported, but this depends on the cryptographic mechanisms they make available.

Note, however, that configuration details, flags, and supported features within PKCS#11 vary depending on the HSM model and its configuration. Consult your HSM's documentation for more details.

Some parts of Vault work differently when using an HSM. Please see the Behavioral Changes page for important information on these differences.

The Configuration page contains configuration information.

Finally, the Security page contains information about deploying Vault's HSM support in a secure fashion.
