---
layout: docs
page_title: seal - Configuration
description: >-
  Configure the seal stanza to customize the sealing behavior for Vault.
---

# `seal` stanza

The `seal` stanza configures the seal type to use for additional data
protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
root key. This stanza is optional, and in the case of the root key, Vault
will use the Shamir algorithm to cryptographically split the root key if this
is not configured.

## Seal wrapping <EnterpriseAlert inline="true" product="vault" />

The seal can also be used for seal wrapping to add an extra layer of protection
and satisfy compliance and regulatory requirements.

Seal wrap is enabled by default for Vault Enterprise. Refer to the
[Seal wrap](/vault/docs/enterprise/sealwrap) overview for more information.

## Configuration

Seal configuration can be done through the Vault configuration file using the
`seal` stanza:

```hcl
seal [TYPE] {
  # ...
}
```

For example:

```hcl
seal "pkcs11" {
  # ...
}
```

For configuration options which also read an environment variable, the
environment variable will take precedence over values in the configuration file.

### Indirect value references

Some configuration options, considered sensitive, may use a special syntax
in the value of the option that indicates the final value should be sourced
from the environment or a file.  Two URL style forms are supported:

* `env://name`: The final value will be the contents of the environment
  variable with key `name`.
* `file://path`: The final value will be the contents of the file at
  `path`.  Path may be absolute or relative, and if relative, is relative to
  the working directory of the Vault process.

[sealwrap]: /vault/docs/enterprise/sealwrap