mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-12 17:47:02 +02:00
036cbcebd9
* wip * Initial draft of Seal HA docs * nav data * Fix env var name * title * Note partially wrapped values and disabled seal participation * Update website/data/docs-nav-data.json Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * correct initial upgrade limitation * Add note about shamir seals and migration * fix nav json * snapshot note * availability note * seal-backend-status * Add a couple more clarifying statements * header typo * correct initial upgrade wording * Update website/content/docs/configuration/seal/seal-ha.mdx Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Update website/content/docs/concepts/seal.mdx Co-authored-by: Steven Clark <steven.clark@hashicorp.com> --------- Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
62 lines
2.4 KiB
Plaintext
62 lines
2.4 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Entropy Augmentation - Configuration
|
|
description: >-
|
|
Entropy augmentation enables Vault to sample entropy from external
|
|
cryptographic modules.
|
|
---
|
|
|
|
# `Entropy augmentation` seal
|
|
|
|
Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
|
|
Sourcing external entropy is done by configuring a supported [Seal](/vault/docs/configuration/seal) type which
|
|
include: [PKCS11 seal](/vault/docs/configuration/seal/pkcs11), [AWS KMS](/vault/docs/configuration/seal/awskms), and
|
|
[Vault Transit](/vault/docs/configuration/seal/transit).
|
|
Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
|
|
block in Vault's configuration file.
|
|
|
|
~> **Note**: If using the Seal High Availability Beta, entropy will be retrieved
|
|
from seals in priority order, using bytes from the first available and online seal.
|
|
|
|
## Requirements
|
|
|
|
A valid Vault Enterprise license is required for Entropy Augmentation.
|
|
|
|
~> **Warning** This feature is not available with FIPS 140-2 Inside variants of Vault.
|
|
|
|
Additionally, the following software packages and enterprise modules are required for sourcing entropy
|
|
via the [PKCS11 seal](/vault/docs/configuration/seal/pkcs11):
|
|
|
|
- Vault Enterprise with the Plus package
|
|
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
|
|
higher of PKCS#11. Depending on any given HSM, some functions (such as key
|
|
generation) may have to be performed manually.
|
|
- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl)
|
|
— ensure that it is installed for the correct architecture of your servers
|
|
|
|
## `entropy` example
|
|
|
|
This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration
|
|
file:
|
|
|
|
```hcl
|
|
seal "pkcs11" {
|
|
...
|
|
}
|
|
|
|
entropy "seal" {
|
|
mode = "augmentation"
|
|
}
|
|
```
|
|
|
|
For a more detailed tutorial, visit the [HSM Entropy Challenge](/vault/tutorials/enterprise/hsm-entropy)
|
|
on HashiCorp's Learn website.
|
|
|
|
## `entropy augmentation` parameters
|
|
|
|
These parameters apply to the `entropy` stanza in the Vault configuration file:
|
|
|
|
- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
|
|
entropy will sample entropy from the external source. Currently, the only mode supported
|
|
is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](/vault/docs/enterprise/entropy-augmentation#critical-security-parameters-csps).
|