mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/enterprise/entropy-augmentation.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

95 lines
5.2 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: Augment entropy with external sampling
description: >-
Sample entropy from external cryptographic modules to augment Vault defaults.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# Augment entropy with external sampling
@include 'alerts/enterprise-only.mdx'
<Warning>
Entropy augmentation <b>is not</b> available with "FIPS 140-3 Inside" variants of
Vault.
</Warning>
Vault Enterprise features a mechanism to sample entropy (or randomness for
cryptographic operations) from external cryptographic modules via the [seals](/vault/docs/configuration/seal)
interface. While the system entropy used by Vault is more than capable of
operating in most threat models, there are some situations where additional
entropy from hardware-based random number generators is desirable.
With Entropy Augmentation enabled, the following keys and tokens leverage the
configured external entropy source.
| Operation | Description |
| ------------------------ | ------------------------------------------------------------------------------------ |
| Root Key | AES key that is encrypted by the seal mechanism. This encrypts the key ring. |
| Key Ring Encryption Keys | The keys embedded in Vault's keyring which encrypt all of Vault's storage. |
| Recovery Key | With auto-unseal, use the recovery keys to regenerate root token, key rotation, etc. |
| TLS Private Keys | For HA leader, Raft and Enterprise Replications. |
| MFA TOTP Keys | The keys used for TOTP in Vault Enterprise MFA |
| JWT Signing Keys | The keys used to sign wrapping token JWTs. |
| Root Tokens | Superuser tokens granting access to all operations in Vault. |
| DR Operation Tokens | Token that allows certain actions to be performed on a DR secondary. |
The [transit secrets engine](/vault/docs/secrets/transit) manages a number of
different key types and leverages the
[`keysutil`](https://godoc.org/github.com/hashicorp/vault/sdk/helper/keysutil)
package to generate keys. It will use the external entropy source for key
generation.
<Warning>
When you enable the external entropy source, Vault requires connectivity to the
HSM. If the HSM becomes unreachable for any reason, the transit secrets engine
can't generate new keys or rotate existing keys.
</Warning>
To use this feature, you must have an active or trial license for Vault
Enterprise. To start a trial, contact [HashiCorp sales](mailto:sales@hashicorp.com).
# Critical security parameters (CSPs)
Entropy augmentation allows Vault Enterprise to supplement its system entropy with
entropy from an external cryptography module. Designed to operate in environments
where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
is required or when augmented entropy from external sources such as hardware true
random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
are desirable, augmented entropy replaces system entropy when performing random
number operations on critical security parameters (CSPs).
These CSPs have been selected from our previous work in [evaluating Vault for conformance with
FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
and include (but not limited to) the following:
- Vault's root key
- Keyring encryption keys
- Auto Unseal recovery keys
- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
- Enterprise MFA TOTP token keys
- JWT token wrapping keys
- Root tokens
- DR operation tokens
- [Transit](/vault/docs/secrets/transit) backend key generation and `/random` endpoint (`/random` only on Vault 1.11+)
- [PKI](/vault/docs/secrets/pki) issuer key generation, but not for leaf certificate private keys
- [`/sys/tools/random`](/vault/api-docs/system/tools#generate-random-bytes) endpoint (Vault 1.11+)
- [SSH](/vault/docs/secrets/ssh) CA key generation, but not for key pair generation
- [KMIP](/vault/docs/secrets/kmip) uses EA for its TLS CA, server, and client
certificates.
- TOTP two factor keys.
## Enabling/Disabling
Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
[configuration file][configuration] must include a properly configured [entropy and seal stanza](/vault/docs/configuration/entropy-augmentation)
for a supported seal type.
[configuration]: /vault/docs/configuration
Reference in New Issue View Git Blame Copy Permalink