Entropy augmentation seal
Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
Sourcing external entropy is done by configuring a supported seal type; the supported
types are the PKCS11 seal, AWS KMS, and Vault Transit.
Vault Enterprise's external entropy support is activated by the presence of an entropy "seal"
block in Vault's configuration file.
Note: If using the Seal High Availability Beta, entropy will be retrieved from seals in priority order, using bytes from the first available and online seal.
Requirements
A valid Vault Enterprise license is required for Entropy Augmentation.
Warning: This feature is not available with FIPS 140-2 Inside variants of Vault.
Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:
- Vault Enterprise with the Plus package
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
- The GNU libltdl library; ensure that it is installed for the correct architecture of your servers
entropy example
This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {
  ...
}

entropy "seal" {
  mode = "augmentation"
}
For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.
entropy augmentation parameters
These parameters apply to the entropy stanza in the Vault configuration file:
mode (string: <required>)
: The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation, which sources entropy for Critical Security Parameters (CSPs).

seal_name (string: '')
: Specifies which seal (by name) in a Seal HA setup to use to source entropy. By default, Vault sources entropy from the first available seal moving from lowest to highest priority.
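As an added example (not taken from the Vault documentation or from HashiCorp's own configuration samples), the following configuration shows a Seal HA setup with two PKCS11 seals and the entropy stanza pinned to one of them via seal_name. The seal names, priorities, library path, slot numbers, PIN and key labels are placeholders to be replaced with values for your own HSM.

```hcl
# Added example, not part of the Vault docs: two PKCS11 seals in a Seal HA
# setup, with entropy augmentation pinned to the seal named "hsm-primary".
# Library path, slots, PIN and key labels are placeholders for your HSM.

seal "pkcs11" {
  name           = "hsm-primary"   # Seal HA name referenced by seal_name below
  priority       = "1"             # lowest number is tried first
  lib            = "/path/to/vendor-pkcs11.so"   # placeholder: vendor PKCS#11 library
  slot           = "0"                           # placeholder slot
  pin            = "PLACEHOLDER-PIN"             # placeholder; the VAULT_HSM_PIN env var keeps it out of this file
  key_label      = "vault-unseal-key"
  hmac_key_label = "vault-hmac-key"
}

seal "pkcs11" {
  name           = "hsm-secondary"
  priority       = "2"
  lib            = "/path/to/vendor-pkcs11.so"
  slot           = "1"
  pin            = "PLACEHOLDER-PIN"
  key_label      = "vault-unseal-key"
  hmac_key_label = "vault-hmac-key"
}

# Without seal_name, Vault draws entropy from the first available and online
# seal in priority order (hsm-primary, then hsm-secondary). Naming the seal
# makes the entropy source explicit rather than dependent on seal availability.
entropy "seal" {
  mode      = "augmentation"
  seal_name = "hsm-primary"
}
```

Keeping the PIN out of the configuration file (via the VAULT_HSM_PIN environment variable) is the usual practice, since the file is often checked into configuration management; the seal and entropy stanzas themselves contain no secret material and can be reviewed freely.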