»Entropy Augmentation Seal
Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
External entropy is sourced by configuring one of the supported seal types: the PKCS11 seal, AWS KMS, or Vault Transit.
Vault Enterprise's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file; the seal block alone only provides auto-unseal, it does not by itself turn on entropy augmentation.
»Requirements
A valid Vault Enterprise license is required for Entropy Augmentation.
Warning This feature is not available with FIPS 140-2 Inside variants of Vault.
Additionally, the following software packages and enterprise modules are required for sourcing entropy via the PKCS11 seal:
- Vault Enterprise with the Plus package
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
- The GNU libltdl library — ensure that it is installed for the correct architecture of your servers
»entropy Example
This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:
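The configuration below is an added illustration and not the page's own listing. It assumes a PKCS#11 HSM reachable through a Cryptoki library; the library path, slot, PIN and key labels in the seal "pkcs11" block are placeholders to be replaced with the values for your HSM. The entropy "seal" stanza with mode = "augmentation" is the part this page documents:

```hcl
# Added example (not the page's own listing). Replace the placeholder
# values in the pkcs11 seal block with those of your HSM deployment.
seal "pkcs11" {
  lib            = "/usr/vault/lib/libCryptoki2_64.so"  # placeholder: path to the PKCS#11 library
  slot           = "0"                                  # placeholder: HSM slot holding the keys
  pin            = "AAAA-BBBB-CCCC-DDDD"                # placeholder: prefer the VAULT_HSM_PIN env var over a PIN in the file
  key_label      = "vault-hsm-key"                      # placeholder: label of the seal (AES) key
  hmac_key_label = "vault-hsm-hmac-key"                 # placeholder: label of the HMAC key
  generate_key   = "true"                               # create the keys if absent; some HSMs require manual generation
}

# Sample entropy for Critical Security Parameters (CSPs) from the seal above.
# Without this stanza the HSM is used for auto-unseal only.
entropy "seal" {
  mode = "augmentation"
}
```

The PIN is a long-lived HSM credential, so keep it out of a world-readable configuration file: supply it through the VAULT_HSM_PIN environment variable instead and restrict the file's permissions. If your HSM does not allow Vault to generate keys, create both labelled keys on the HSM first and set generate_key to "false".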
For a more detailed tutorial, visit the HSM Entropy Challenge on HashiCorp's Learn website.
»entropy augmentation Parameters
These parameters apply to the entropy stanza in the Vault configuration file:
mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only supported mode is "augmentation", which sources entropy for Critical Security Parameters (CSPs).