» Entropy Augmentation Seal

Entropy augmentation enables Vault to sample entropy from an external cryptographic module. Currently, sourcing external entropy is done through a configured PKCS11 seal. Vault Enterprise's external entropy support is activated by the presence of an entropy "seal" block in Vault's configuration file.

» Requirements

The following software packages are required for Vault Enterprise Entropy Augmentation:

  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library — ensure that it is installed for the correct architecture of your servers
  • Governance and Policy module of a Vault Enterprise license

» entropy Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

seal "pkcs11" {
    # PKCS#11 seal parameters are not shown in this example
}

entropy "seal" {
    mode = "augmentation"
}

» entropy augmentation Parameters

These parameters apply to the entropy stanza in the Vault configuration file:

  • mode (string: <required>): The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is augmentation which sources entropy for Critical Security Parameters (CSPs).
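
A pre-deployment check for the pairing described on this page, as an added example that is not part of the Vault documentation or HashiCorp's code: it confirms that an entropy "seal" stanza is present, that its mode is "augmentation", and that a seal "pkcs11" stanza exists for it to draw from. The function names and sample configurations are constructed for illustration, and the parser assumes flat stanzas with one item per line rather than full HCL.

```python
import re

BLOCK_RE = re.compile(r'^(\w+)\s+"([^"]+)"\s*\{$')
ATTR_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_blocks(text):
    """Parse flat `type "label" { key = "value" }` stanzas, one item per line."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue  # skip blank lines and whole-line comments
        opened = BLOCK_RE.match(line)
        if current is None and opened:
            current = blocks.setdefault(opened.groups(), {})
        elif line == "}":
            current = None
        elif current is not None:
            attr = ATTR_RE.match(line)
            if attr:
                current[attr.group(1)] = attr.group(2)
    return blocks

def check_entropy_config(text):
    """Return a list of problems; an empty list means the pairing looks right."""
    blocks = parse_blocks(text)
    entropy = blocks.get(("entropy", "seal"))
    if entropy is None:
        return ['no entropy "seal" block: entropy augmentation is not activated']
    problems = []
    mode = entropy.get("mode")
    if mode is None:
        problems.append("entropy stanza is missing the required mode parameter")
    elif mode != "augmentation":
        problems.append(f'mode "{mode}" is not supported; only "augmentation" is')
    if ("seal", "pkcs11") not in blocks:
        problems.append('no seal "pkcs11" block to source entropy from')
    return problems

# Constructed sample configs; the PKCS#11 seal parameters are left out.
GOOD = 'seal "pkcs11" {\n  # parameters omitted\n}\n\nentropy "seal" {\n  mode = "augmentation"\n}\n'
NO_SEAL = 'entropy "seal" {\n  mode = "augmentation"\n}\n'
BAD_MODE = 'seal "pkcs11" {\n}\n\nentropy "seal" {\n  mode = "always"\n}\n'

if __name__ == "__main__":
    for name, cfg in [("GOOD", GOOD), ("NO_SEAL", NO_SEAL), ("BAD_MODE", BAD_MODE)]:
        print(name, check_entropy_config(cfg) or "ok")
```

A configuration that silently lacks the entropy stanza still starts Vault, so a check like this is most useful in a CI step before the configuration is rolled out.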