open-vault/website/content/docs/configuration/entropy-augmentation.mdx

---
layout: docs
page_title: Entropy Augmentation - Configuration
description: >-
  Entropy augmentation enables Vault to sample entropy from external
  cryptographic modules.
---

# `Entropy augmentation` seal

Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
Sourcing external entropy is done by configuring a supported [Seal](/vault/docs/configuration/seal) type which
include: [PKCS11 seal](/vault/docs/configuration/seal/pkcs11), [AWS KMS](/vault/docs/configuration/seal/awskms), and
[Vault Transit](/vault/docs/configuration/seal/transit).
Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
block in Vault's configuration file.

## Requirements

A valid Vault Enterprise license is required for Entropy Augmentation.

~> **Warning** This feature is not available with FIPS 140-2 Inside variants of Vault.

Additionally, the following software packages and enterprise modules are required for sourcing entropy
via the [PKCS11 seal](/vault/docs/configuration/seal/pkcs11):

- Vault Enterprise with the Plus package
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
  higher of PKCS#11. Depending on any given HSM, some functions (such as key
  generation) may have to be performed manually.
- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl)
  — ensure that it is installed for the correct architecture of your servers

## `entropy` example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration
file:

```hcl
seal "pkcs11" {
    ...
}

entropy "seal" {
    mode = "augmentation"
}
```

For a more detailed tutorial, visit the [HSM Entropy Challenge](/vault/tutorials/enterprise/hsm-entropy)
on HashiCorp's Learn website.

## `entropy augmentation` parameters

These parameters apply to the `entropy` stanza in the Vault configuration file:

- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
  entropy will sample entropy from the external source. Currently, the only mode supported
  is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](/vault/docs/enterprise/entropy-augmentation#critical-security-parameters-csps).
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: Entropy Augmentation - Configuration`
			`description: >-`
			`Entropy augmentation enables Vault to sample entropy from external`
			`cryptographic modules.`
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00			`---`

Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			# `Entropy augmentation` seal
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00
Anchor Link Fixes (#8572) * update anchor link algorithm * update deps * update content component * fix a lot of broken links 2020-03-31 19:21:16 +00:00			`Entropy augmentation enables Vault to sample entropy from external cryptographic modules.`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`Sourcing external entropy is done by configuring a supported [Seal](/vault/docs/configuration/seal) type which`
			`include: [PKCS11 seal](/vault/docs/configuration/seal/pkcs11), [AWS KMS](/vault/docs/configuration/seal/awskms), and`
			`[Vault Transit](/vault/docs/configuration/seal/transit).`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			Vault Enterprises's external entropy support is activated by the presence of an `entropy "seal"`
			`block in Vault's configuration file.`
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00
			`## Requirements`

Add support notes, Entropy Augmentation notes, RH repo (#15843) * Add support notes, Entropy Augmentation notes, RH repo This adds a known-panic w.r.t. Entropy Augmentation due to restrictions in how BoringCrypto's RNG works. Additionally adds the RH Access container repository and adds a note about restricted support scenarios. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Wording changes per Scott Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> 2022-06-07 15:23:26 +00:00			`A valid Vault Enterprise license is required for Entropy Augmentation.`

			`~> Warning This feature is not available with FIPS 140-2 Inside variants of Vault.`
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00
docs: update entropy augmentation page (#8185) * docs: update entropy augmentation page * remove .html extension in links * remove .html extension in links 2020-01-21 23:05:53 +00:00			`Additionally, the following software packages and enterprise modules are required for sourcing entropy`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`via the [PKCS11 seal](/vault/docs/configuration/seal/pkcs11):`
Anchor Link Fixes (#8572) * update anchor link algorithm * update deps * update content component * fix a lot of broken links 2020-03-31 19:21:16 +00:00
docs: update packaging (#12459) * [WIP] docs: update packaging Update language to support current enterprise packaging. * Update index.mdx * Update entropy-augmentation.mdx * Update entropy-augmentation.mdx * Update control-groups.mdx * Update sealwrap.mdx * Update index.mdx * Update control-groups.mdx * Update entropy-augmentation.mdx * Update index.mdx * Update index.mdx * Update sealwrap.mdx * Update index.mdx * Update index.mdx * Update index.mdx 2021-09-08 15:59:25 +00:00			`- Vault Enterprise with the Plus package`
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00			`- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or`
			`higher of PKCS#11. Depending on any given HSM, some functions (such as key`
			`generation) may have to be performed manually.`
docs: update entropy augmentation page (#8185) * docs: update entropy augmentation page * remove .html extension in links * remove .html extension in links 2020-01-21 23:05:53 +00:00			`- The [GNU libltdl library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl)`
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00			`— ensure that it is installed for the correct architecture of your servers`
docs: update entropy augmentation page (#8185) * docs: update entropy augmentation page * remove .html extension in links * remove .html extension in links 2020-01-21 23:05:53 +00:00
Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			## `entropy` example
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00
			`This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration`
			`file:`

			```hcl
			`seal "pkcs11" {`
			`...`
			`}`

			`entropy "seal" {`
			`mode = "augmentation"`
			`}`
			```

update learn links to point to developer locations (#19026) 2023-02-07 04:34:51 +00:00			`For a more detailed tutorial, visit the [HSM Entropy Challenge](/vault/tutorials/enterprise/hsm-entropy)`
docs: update entropy augmentation page (#8185) * docs: update entropy augmentation page * remove .html extension in links * remove .html extension in links 2020-01-21 23:05:53 +00:00			`on HashiCorp's Learn website.`

Backport of [docs] Convert titles to sentense case into 1.14.x (#21921) 2023-07-18 21:07:55 +00:00			## `entropy augmentation` parameters
adds documentation for entropy augmentation (#7721) * adds documentation for entorpy augmentation * adds a link to pkcs11 seal configuration from a mention of it 2019-10-28 22:04:27 +00:00
			These parameters apply to the `entropy` stanza in the Vault configuration file:

			- `mode` `(string: <required>)`: The mode determines which Vault operations requiring
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`entropy will sample entropy from the external source. Currently, the only mode supported`
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			is `augmentation` which sources entropy for [Critical Security Parameters (CSPs)](/vault/docs/enterprise/entropy-augmentation#critical-security-parameters-csps).