mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 15:11:07 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/configuration/entropy-augmentation.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

67 lines
3.1 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: Configure entropy augmentation
description: >-
Configure entropy augmentation to sample entropy from external cryptographic
modules when sealing Vault.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Configure entropy augmentation
Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
Sourcing external entropy is done by configuring a supported [Seal](/vault/docs/configuration/seal) type which
include: [PKCS11 seal](/vault/docs/configuration/seal/pkcs11), [AWS KMS](/vault/docs/configuration/seal/awskms), and
[Vault Transit](/vault/docs/configuration/seal/transit).
Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
block in Vault's configuration file.
~> **Note**: If using the Seal High Availability Beta, entropy will be retrieved
from seals in priority order, using bytes from the first available and online seal.
## Requirements
A valid Vault Enterprise license is required for Entropy Augmentation.
~> **Warning** This feature is not available with FIPS 140-3 Inside variants of Vault.
Additionally, the following software packages and enterprise modules are required for sourcing entropy
via the [PKCS11 seal](/vault/docs/configuration/seal/pkcs11):
- Vault Enterprise with the Plus package
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
higher of PKCS#11. Depending on any given HSM, some functions (such as key
generation) may have to be performed manually.
- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl)
— ensure that it is installed for the correct architecture of your servers
## `entropy` example
This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration
file:
```hcl
seal "pkcs11" {
...
}
entropy "seal" {
mode = "augmentation"
}
```
For a more detailed tutorial, visit the [HSM Entropy Challenge](/vault/tutorials/enterprise/hsm-entropy)
on HashiCorp's Learn website.
## `entropy augmentation` parameters
These parameters apply to the `entropy` stanza in the Vault configuration file:
- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
entropy will sample entropy from the external source. Currently, the only mode supported
is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](/vault/docs/enterprise/entropy-augmentation#critical-security-parameters-csps).
- `seal_name` `(string: '')`: Specifies which seal (by name) in a [Seal HA](/vault/docs/concepts/seal#seal-high-availability) setup to use to source entropy.
By default, Vault sources entropy from the first available seal moving from lowest to highest priority.
Reference in New Issue View Git Blame Copy Permalink