mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-16 19:47:02 +02:00
48 lines
1.2 KiB
Plaintext
48 lines
1.2 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Seals - Configuration
|
|
description: >-
|
|
The seal stanza configures the seal type to use for additional data
|
|
protection.
|
|
---
|
|
|
|
# `seal` stanza
|
|
|
|
The `seal` stanza configures the seal type to use for additional data
|
|
protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
|
|
root key. This stanza is optional, and in the case of the root key, Vault
|
|
will use the Shamir algorithm to cryptographically split the root key if this
|
|
is not configured.
|
|
|
|
## Seal wrapping <EnterpriseAlert inline="true" product="vault" />
|
|
|
|
The seal can also be used for seal wrapping to add an extra layer of protection
|
|
and satisfy compliance and regulatory requirements.
|
|
|
|
Seal wrap is enabled by default for Vault Enterprise. Refer to the
|
|
[Seal wrap](/vault/docs/enterprise/sealwrap) overview for more information.
|
|
|
|
## Configuration
|
|
|
|
Seal configuration can be done through the Vault configuration file using the
|
|
`seal` stanza:
|
|
|
|
```hcl
|
|
seal [NAME] {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For example:
|
|
|
|
```hcl
|
|
seal "pkcs11" {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For configuration options which also read an environment variable, the
|
|
environment variable will take precedence over values in the configuration file.
|
|
|
|
[sealwrap]: /vault/docs/enterprise/sealwrap
|