open-vault/website/content/docs/enterprise/sealwrap.mdx

---
layout: docs
page_title: Vault Enterprise Seal Wrap
description: |-
  Vault Enterprise features a mechanism to wrap values with an extra layer of
  encryption for supporting seals.
---

# Seal wrap

-> **Note**: This feature requires [Vault Enterprise Plus](https://www.hashicorp.com/products/vault/).

Vault Enterprise features a mechanism to wrap values with an extra layer of
encryption for supporting [seals](/vault/docs/configuration/seal). This adds an
extra layer of protection and is useful in some compliance and regulatory
environments, including FIPS 140-2 environments.

To use this feature, you must have an active or trial license for Vault
Enterprise Plus (HSMs). To start a trial, contact [HashiCorp
sales](mailto:sales@hashicorp.com).

## Enabling/Disabling

Seal Wrap is enabled by default on supporting seals. This implies that the seal
must be available throughout Vault's runtime. Most cloud-based seals should be
quite reliable, but, for instance, if using an HSM in a non-HA setup a
connection interruption to the HSM will result in issues with Vault
functionality.

To disable seal wrapping, set `disable_sealwrap = true` in Vault's
[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's
root key will still be protected by the seal wrapping mechanism. It will
simply prevent other storage entries within Vault from being seal wrapped.

_N.B._: This is a lazy downgrade; as keys are accessed or written their seal
wrapping status will change. Similarly, if the flag is removed, it will be a
lazy upgrade (which is the case when initially upgrading to a seal
wrap-supporting version of Vault).

## Activating seal wrapping

For some values, seal wrapping is always enabled with a supporting seal. This
includes the recovery key, any stored key shares, the root key, the keyring,
and more; essentially, any Critical Security Parameter (CSP) within Vault's
core. If upgrading from a version of Vault that did not support seal wrapping,
the next time these values are read they will be seal-wrapped and stored.

Backend mounts within Vault can also take advantage of seal wrapping. Seal
wrapping can be activated at mount time for a given mount by mounting the
backend with the `seal_wrap` configuration value set to `true`. (This value
cannot currently be changed later.)

A given backend's author can specify which values should be seal-wrapped by
identifying where CSPs are stored.  They may also choose to seal wrap all or none
of their values.

Note that it is often an order of magnitude or two slower to write to and read
from HSMs or remote seals. However, values will be cached in memory
un-seal-wrapped (but still encrypted by Vault's built-in cryptographic barrier)
in Vault, which will mitigate this for read-heavy workloads.

## Seal wrap and replication

Seal wrapping takes place below the replication logic. As a result, it is
transparent to replication. Replication will convey which values should be
seal-wrapped, but it is up to the seal on the local cluster to implement it.
In practice, this means that seal wrapping can be used without needing to have
the replicated keys on both ends of the connection; each cluster can have
distinct keys in an HSM or in KMS.

In addition, it is possible to replicate from a Shamir-protected primary
cluster to clusters that use HSMs when seal wrapping is required in downstream
datacenters but not in the primary.

## Wrapped parameters

Each plugin (whether secret or auth) maintains control over parameters it
feels are best to Seal Wrap. These are usually just a few core values as
Seal Wrapping does incur some performance overhead.

Some examples of places where seal wrapping is used include:

- The [LDAP](/vault/docs/auth/ldap), [RADIUS](/vault/docs/auth/radius),
  [Okta](/vault/docs/auth/okta), and [AWS](/vault/docs/auth/aws) auth methods,
  for storing their config.
- [PKI](/vault/docs/secrets/pki) for storing the issuers and their keys,
- [SSH](/vault/docs/secrets/ssh) for storing the CA's keys,
- [KMIP](/vault/docs/secrets/kmip) for storing managed objects (externally-provided
  keys) and its CA keys.
- [Transit](/vault/docs/secrets/transit) for storing keys and their policy.

## FIPS status

See the [FIPS-specific Seal Wrap documentation](/vault/docs/enterprise/fips/sealwrap)
for more information about using Seal Wrapping to achieve FIPS 140-2 compliance.
Note that there are additional [FIPS considerations](/vault/docs/enterprise/sealwrap#seal-wrap-and-replication)
regarding Seal Wrap usage and Vault Replication.

[configuration]: /vault/docs/configuration
Sync docs 2017-11-14 11:13:11 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Vault Enterprise Seal Wrap`
Sync docs 2017-11-14 11:13:11 +00:00			`description: \|-`
			`Vault Enterprise features a mechanism to wrap values with an extra layer of`
Start documentation for FIPS variants of Vault Enterprise (#15475) * Begin restructuring FIPS documentation This creates a new FIPS category under Enterprise and copies the FIPS-specific seal wrap documentation into it. We leave the existing Seal Wrap page at the old path, but document that the FIPS-specific portions of it have moved. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add initial FIPS 140-2 inside documentation This documents the new FIPS 140-2 Inside binary and how to use and validate it. This also documents which algorithms are certified for use in the BoringCrypto distribution. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add notes about FIPS algorithm restrictions Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-05-17 20:28:20 +00:00			`encryption for supporting seals.`
Sync docs 2017-11-14 11:13:11 +00:00			`---`

Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			`# Seal wrap`
Sync docs 2017-11-14 11:13:11 +00:00
docs: update packaging (#12459) * [WIP] docs: update packaging Update language to support current enterprise packaging. * Update index.mdx * Update entropy-augmentation.mdx * Update entropy-augmentation.mdx * Update control-groups.mdx * Update sealwrap.mdx * Update index.mdx * Update control-groups.mdx * Update entropy-augmentation.mdx * Update index.mdx * Update index.mdx * Update sealwrap.mdx * Update index.mdx * Update index.mdx * Update index.mdx 2021-09-08 15:59:25 +00:00			`-> Note: This feature requires [Vault Enterprise Plus](https://www.hashicorp.com/products/vault/).`
Adding pricing module note for enterprise features (#8217) * adding pricing module note for enterprise features * fixing incorrectly committed go.mod 2020-01-25 00:18:22 +00:00
Sync docs 2017-11-14 11:13:11 +00:00			`Vault Enterprise features a mechanism to wrap values with an extra layer of`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`encryption for supporting [seals](/vault/docs/configuration/seal). This adds an`
Sync docs 2017-11-14 11:13:11 +00:00			`extra layer of protection and is useful in some compliance and regulatory`
			`environments, including FIPS 140-2 environments.`

			`To use this feature, you must have an active or trial license for Vault`
docs: updated enterprise package name (#12667) Updated docs to align with Enterprise package name. 2021-09-29 14:17:31 +00:00			`Enterprise Plus (HSMs). To start a trial, contact [HashiCorp`
Sync docs 2017-11-14 11:13:11 +00:00			`sales](mailto:sales@hashicorp.com).`

Document the disable_sealwrap parameter 2018-02-12 20:20:07 +00:00			`## Enabling/Disabling`

Minor website wording updates 2018-02-12 20:28:06 +00:00			`Seal Wrap is enabled by default on supporting seals. This implies that the seal`
			`must be available throughout Vault's runtime. Most cloud-based seals should be`
			`quite reliable, but, for instance, if using an HSM in a non-HA setup a`
			`connection interruption to the HSM will result in issues with Vault`
Document the disable_sealwrap parameter 2018-02-12 20:20:07 +00:00			`functionality.`

			To disable seal wrapping, set `disable_sealwrap = true` in Vault's
Minor website wording updates 2018-02-12 20:28:06 +00:00			`[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's`
Rename master key -> root key in docs (#14542) 2022-03-17 05:01:38 +00:00			`root key will still be protected by the seal wrapping mechanism. It will`
Document the disable_sealwrap parameter 2018-02-12 20:20:07 +00:00			`simply prevent other storage entries within Vault from being seal wrapped.`

New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`_N.B._: This is a lazy downgrade; as keys are accessed or written their seal`
Document the disable_sealwrap parameter 2018-02-12 20:20:07 +00:00			`wrapping status will change. Similarly, if the flag is removed, it will be a`
Minor website wording updates 2018-02-12 20:28:06 +00:00			`lazy upgrade (which is the case when initially upgrading to a seal`
			`wrap-supporting version of Vault).`
Document the disable_sealwrap parameter 2018-02-12 20:20:07 +00:00
Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			`## Activating seal wrapping`
Sync docs 2017-11-14 11:13:11 +00:00
			`For some values, seal wrapping is always enabled with a supporting seal. This`
Rename master key -> root key in docs (#14542) 2022-03-17 05:01:38 +00:00			`includes the recovery key, any stored key shares, the root key, the keyring,`
Sync docs 2017-11-14 11:13:11 +00:00			`and more; essentially, any Critical Security Parameter (CSP) within Vault's`
			`core. If upgrading from a version of Vault that did not support seal wrapping,`
			`the next time these values are read they will be seal-wrapped and stored.`

			`Backend mounts within Vault can also take advantage of seal wrapping. Seal`
			`wrapping can be activated at mount time for a given mount by mounting the`
			backend with the `seal_wrap` configuration value set to `true`. (This value
			`cannot currently be changed later.)`

			`A given backend's author can specify which values should be seal-wrapped by`
Clarify that backend authors can specify that all or no values are sealwrapped (#13813) * Clarify that backend authors can specify that all or no values are sealwrapped rather than the vague statement that all values _may_ be seal wrapped * typo 2022-01-27 21:30:55 +00:00			`identifying where CSPs are stored. They may also choose to seal wrap all or none`
			`of their values.`
Sync docs 2017-11-14 11:13:11 +00:00
			`Note that it is often an order of magnitude or two slower to write to and read`
			`from HSMs or remote seals. However, values will be cached in memory`
			`un-seal-wrapped (but still encrypted by Vault's built-in cryptographic barrier)`
			`in Vault, which will mitigate this for read-heavy workloads.`

Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			`## Seal wrap and replication`
Sync docs 2017-11-14 11:13:11 +00:00
			`Seal wrapping takes place below the replication logic. As a result, it is`
			`transparent to replication. Replication will convey which values should be`
			`seal-wrapped, but it is up to the seal on the local cluster to implement it.`
			`In practice, this means that seal wrapping can be used without needing to have`
			`the replicated keys on both ends of the connection; each cluster can have`
			`distinct keys in an HSM or in KMS.`

			`In addition, it is possible to replicate from a Shamir-protected primary`
			`cluster to clusters that use HSMs when seal wrapping is required in downstream`
			`datacenters but not in the primary.`

Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			`## Wrapped parameters`
Add KMIP CSPs + initial Seal Wrap list (#16515) * Add note on KMIP EA usage Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add wrapped parameters section to Seal Wrap docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-08-01 14:32:47 +00:00
			`Each plugin (whether secret or auth) maintains control over parameters it`
			`feels are best to Seal Wrap. These are usually just a few core values as`
			`Seal Wrapping does incur some performance overhead.`

			`Some examples of places where seal wrapping is used include:`

docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`- The [LDAP](/vault/docs/auth/ldap), [RADIUS](/vault/docs/auth/radius),`
			`[Okta](/vault/docs/auth/okta), and [AWS](/vault/docs/auth/aws) auth methods,`
Add KMIP CSPs + initial Seal Wrap list (#16515) * Add note on KMIP EA usage Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add wrapped parameters section to Seal Wrap docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-08-01 14:32:47 +00:00			`for storing their config.`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`- [PKI](/vault/docs/secrets/pki) for storing the issuers and their keys,`
			`- [SSH](/vault/docs/secrets/ssh) for storing the CA's keys,`
			`- [KMIP](/vault/docs/secrets/kmip) for storing managed objects (externally-provided`
Add KMIP CSPs + initial Seal Wrap list (#16515) * Add note on KMIP EA usage Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add wrapped parameters section to Seal Wrap docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-08-01 14:32:47 +00:00			`keys) and its CA keys.`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`- [Transit](/vault/docs/secrets/transit) for storing keys and their policy.`
Add KMIP CSPs + initial Seal Wrap list (#16515) * Add note on KMIP EA usage Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add wrapped parameters section to Seal Wrap docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-08-01 14:32:47 +00:00
Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			`## FIPS status`
Start documentation for FIPS variants of Vault Enterprise (#15475) * Begin restructuring FIPS documentation This creates a new FIPS category under Enterprise and copies the FIPS-specific seal wrap documentation into it. We leave the existing Seal Wrap page at the old path, but document that the FIPS-specific portions of it have moved. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add initial FIPS 140-2 inside documentation This documents the new FIPS 140-2 Inside binary and how to use and validate it. This also documents which algorithms are certified for use in the BoringCrypto distribution. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add notes about FIPS algorithm restrictions Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-05-17 20:28:20 +00:00
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`See the [FIPS-specific Seal Wrap documentation](/vault/docs/enterprise/fips/sealwrap)`
Start documentation for FIPS variants of Vault Enterprise (#15475) * Begin restructuring FIPS documentation This creates a new FIPS category under Enterprise and copies the FIPS-specific seal wrap documentation into it. We leave the existing Seal Wrap page at the old path, but document that the FIPS-specific portions of it have moved. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add initial FIPS 140-2 inside documentation This documents the new FIPS 140-2 Inside binary and how to use and validate it. This also documents which algorithms are certified for use in the BoringCrypto distribution. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add notes about FIPS algorithm restrictions Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-05-17 20:28:20 +00:00			`for more information about using Seal Wrapping to achieve FIPS 140-2 compliance.`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`Note that there are additional [FIPS considerations](/vault/docs/enterprise/sealwrap#seal-wrap-and-replication)`
Start documentation for FIPS variants of Vault Enterprise (#15475) * Begin restructuring FIPS documentation This creates a new FIPS category under Enterprise and copies the FIPS-specific seal wrap documentation into it. We leave the existing Seal Wrap page at the old path, but document that the FIPS-specific portions of it have moved. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add initial FIPS 140-2 inside documentation This documents the new FIPS 140-2 Inside binary and how to use and validate it. This also documents which algorithms are certified for use in the BoringCrypto distribution. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add notes about FIPS algorithm restrictions Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-05-17 20:28:20 +00:00			`regarding Seal Wrap usage and Vault Replication.`
Minor website wording updates 2018-02-12 20:28:06 +00:00
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`[configuration]: /vault/docs/configuration`