Vault
Entropy Augmentation Seal
Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
Sourcing external entropy is done by configuring a supported Seal type which
include: PKCS11 seal, AWS KMS, and
Vault Transit.
Vault Enterprises's external entropy support is activated by the presence of an entropy "seal"
block in Vault's configuration file.
Requirements
A valid Vault Enterprise license is required for Entropy Augmentation
Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:
- Governance and Policy module
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
- The GNU libltdl library — ensure that it is installed for the correct architecture of your servers
entropy
Example
This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:
seal "pkcs11" {
...
}
entropy "seal" {
mode = "augmentation"
}
For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.
entropy augmentation
Parameters
These parameters apply to the entropy
stanza in the Vault configuration file:
mode
(string: <required>)
: The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported isaugmentation
which sources entropy for Critical Security Parameters (CSPs).