A new platform for documentation and tutorials is launching soon.

We are migrating Vault documentation into HashiCorp Developer, our new developer experience.

Join Now
Type '/' to Search

»Entropy Augmentation Seal

Entropy augmentation enables Vault to sample entropy from external cryptographic modules. Sourcing external entropy is done by configuring a supported Seal type which include: PKCS11 seal, AWS KMS, and Vault Transit. Vault Enterprises's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file.

»Requirements

A valid Vault Enterprise license is required for Entropy Augmentation.

Warning This feature is not available with FIPS 140-2 Inside variants of Vault.

Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:

  • Vault Enterprise with the Plus package
  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library — ensure that it is installed for the correct architecture of your servers

»entropy Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}

seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}

For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.

»entropy augmentation Parameters

These parameters apply to the entropy stanza in the Vault configuration file:

  • mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation which sources entropy for Critical Security Parameters (CSPs).