Vault Enterprise HSM Support
HSM support is a feature of Vault Enterprise that takes advantage of HSMs to provide two pieces of special functionality:
- Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares
- Automatic Unsealing: Vault stores its encrypted master key in storage, allowing for automatic unsealing
HSM support is currently limited to devices that support PKCS#11 interfaces and provide integration libraries. It has successfully been tested with AWS' CloudHSM, as well as Thales, Utimaco, and SafeNet/Gemalto devices.
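As an added example (not part of this page), the stanza below shows how a PKCS#11 HSM is enabled as Vault's seal in the server configuration file. The parameter names are Vault's; the library path, slot number, key labels and PIN are placeholders that must be replaced with the values for your own device.

```hcl
# Vault server configuration (HCL). Added example with placeholder values.
seal "pkcs11" {
  # Path to the HSM vendor's PKCS#11 integration library (placeholder path).
  lib            = "/usr/lib/libCryptoki2_64.so"

  # Slot whose token Vault logs in to (placeholder).
  slot           = "0"

  # Token PIN. Placeholder value; the PIN is a secret and should not be
  # committed alongside the rest of the configuration.
  pin            = "REPLACE-WITH-HSM-PIN"

  # Labels of the HSM-resident keys used to wrap and authenticate the
  # master key. The keys never leave the HSM; only the wrapped master key
  # is written to Vault's storage backend.
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"

  # Allow Vault to create the keys on first initialization if no key with
  # these labels exists on the token.
  generate_key   = "true"
}
```

The PIN can be supplied through the VAULT_HSM_PIN environment variable instead of the `pin` field so that it does not sit in the configuration file. With a seal like this in place, the master key is wrapped by the HSM rather than split into unseal shares, and Vault unseals itself on start by sending the stored wrapped key back through the HSM.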
Some parts of Vault work differently when using an HSM. Please see the Behavioral Changes page for important information on these differences.
The Configuration page describes the configuration options for HSM support.
Finally, the Security page contains information about deploying Vault's HSM support in a secure fashion.