mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 02:27:02 +02:00
036cbcebd9
* wip * Initial draft of Seal HA docs * nav data * Fix env var name * title * Note partially wrapped values and disabled seal participation * Update website/data/docs-nav-data.json Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * correct initial upgrade limitation * Add note about shamir seals and migration * fix nav json * snapshot note * availability note * seal-backend-status * Add a couple more clarifying statements * header typo * correct initial upgrade wording * Update website/content/docs/configuration/seal/seal-ha.mdx Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * Update website/content/docs/concepts/seal.mdx Co-authored-by: Steven Clark <steven.clark@hashicorp.com> --------- Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
47 lines
1.2 KiB
Plaintext
47 lines
1.2 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Seals - Configuration
|
|
description: >-
|
|
The seal stanza configures the seal type to use for additional data
|
|
protection.
|
|
---
|
|
|
|
# `seal` stanza
|
|
|
|
The `seal` stanza configures the seal type to use for additional data
|
|
protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
|
|
root key. This stanza is optional, and in the case of the root key, Vault
|
|
will use the Shamir algorithm to cryptographically split the root key if this
|
|
is not configured.
|
|
|
|
## Seal wrapping <EnterpriseAlert inline="true" product="vault" />
|
|
|
|
The seal can also be used for seal wrapping to add an extra layer of protection
|
|
and satisfy compliance and regulatory requirements.
|
|
|
|
Seal wrap is enabled by default for Vault Enterprise. Refer to the
|
|
[Seal wrap](/vault/docs/enterprise/sealwrap) overview for more information.
|
|
|
|
## Configuration
|
|
|
|
Seal configuration can be done through the Vault configuration file using the
|
|
`seal` stanza:
|
|
|
|
```hcl
|
|
seal [TYPE] {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For example:
|
|
|
|
```hcl
|
|
seal "pkcs11" {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For configuration options which also read an environment variable, the
|
|
environment variable will take precedence over values in the configuration file.
|
|
|
|
[sealwrap]: /vault/docs/enterprise/sealwrap |