Entropy Augmentation Seal

Entropy augmentation enables Vault to sample entropy from an external cryptographic modules. Currently, sourcing external entropy is done through a configured PKCS11 seal. Vault Enterprises's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file.


The following software packages are required for Vault Enterprise Entropy Augmentation:

  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library — ensure that it is installed for the correct architecture of your servers
  • Governance and Policy module of a Vault Enterprise license

entropy Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {

entropy "seal" {
    mode = "augmentation"

entropy augmentation Parameters

These parameters apply to the entropy stanza in the Vault configuration file:

  • mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation which sources entropy for Critical Security Parameters (CSPs).