»Vault Enterprise HSM Support

  • Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting into key shares
  • Automatic Unsealing: Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing
  • Seal Wrapping to provide FIPS KeyStorage-conforming functionality for Critical Security Parameters
  • Entropy Augmentation to allow Vault to sample entropy from an external cryptographic module.

HSM support is available for devices that support PKCS#11 version 2.20+ interfaces and provide integration libraries, and is currently available for linux/amd64 platforms only. It has successfully been tested against many different vendor HSMs; HSMs that provide only subsets of the full PKCS#11 specification can usually be supported but it depends on available cryptographic mechanisms.

Please note however that configuration details, flags, and supported features within PKCS#11 vary depending on HSM model and configuration. Consult your HSM's documentation for more details.

Some parts of Vault work differently when using an HSM. Please see the Behavioral Changes page for important information on these differences.

The Configuration page contains configuration information.

Finally, the Security page contains information about deploying Vault's HSM support in a secure fashion.