»Entropy Augmentation Seal

Entropy augmentation enables Vault to sample entropy from external cryptographic modules. Sourcing external entropy is done by configuring a supported Seal type which include: PKCS11 seal, AWS KMS, and Vault Transit. Vault Enterprises's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file.


A valid Vault Enterprise license is required for Entropy Augmentation

Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:

  • Governance and Policy module
  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library — ensure that it is installed for the correct architecture of your servers

»entropy Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {

entropy "seal" {
    mode = "augmentation"
seal "pkcs11" {    ...}
entropy "seal" {    mode = "augmentation"}

For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.

»entropy augmentation Parameters

These parameters apply to the entropy stanza in the Vault configuration file:

  • mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation which sources entropy for Critical Security Parameters (CSPs).