Vault Enterprise HSM Support

HSM support is a feature of Vault Enterprise that takes advantage of HSMs to provide two pieces of special functionality:

  • Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption, rather than splitting it into key shares
  • Automatic Unsealing: Vault stores its HSM-encrypted master key in its storage backend, allowing it to unseal automatically

HSM support is currently limited to devices that support PKCS#11 interfaces and provide integration libraries. It has successfully been tested with the following HSM platforms/vendors:

Note, however, that configuration details, flags, and supported features within PKCS#11 vary depending on the HSM model and its configuration. Consult your HSM's documentation for details.

Some parts of Vault work differently when using an HSM. Please see the Behavioral Changes page for important information on these differences.

The Configuration page describes how to configure HSM support.

Finally, the Security page contains information about deploying Vault's HSM support in a secure fashion.