open-vault/website/content/docs/enterprise/entropy-augmentation.mdx

65 lines
3.2 KiB
Plaintext
Raw Normal View History

---
layout: docs
page_title: Vault Enterprise Entropy Augmentation
description: |-
Vault Enterprise features a mechanism to sample entropy from external
cryptographic modules.
---
# Entropy augmentation
-> **Note**: This feature requires [Vault Enterprise Plus](https://www.hashicorp.com/products/vault/).
~> **Warning** This feature is not available with FIPS 140-2 Inside variants of Vault.
Vault Enterprise features a mechanism to sample entropy (or randomness for
cryptographic operations) from external cryptographic modules via the [seals](/vault/docs/configuration/seal)
interface. While the system entropy used by Vault is more than capable of
operating in most threat models, there are some situations where additional
entropy from hardware-based random number generators is desirable.
To use this feature, you must have an active or trial license for Vault
Enterprise. To start a trial, contact [HashiCorp sales](mailto:sales@hashicorp.com).
# Critical security parameters (CSPs)
Entropy augmentation allows Vault Enterprise to supplement its system entropy with
entropy from an external cryptography module. Designed to operate in environments
where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
is required or when augmented entropy from external sources such as hardware true
random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
are desirable, augmented entropy replaces system entropy when performing random
number operations on critical security parameters (CSPs).
These CSPs have been selected from our previous work in [evaluating Vault for conformance with
FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
and include the following:
- Vaults root key
- Keyring encryption keys
- Auto Unseal recovery keys
- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
- Enterprise MFA TOTP token keys
- JWT token wrapping keys
- Root tokens
- DR operation tokens
- [Transit](/vault/docs/secrets/transit) backend key generation and `/random` endpoint (`/random` only on Vault 1.11+)
- [PKI](/vault/docs/secrets/pki) issuer key generation, but not for leaf certificate private keys
- [`/sys/tools/random`](/vault/api-docs/system/tools#generate-random-bytes) endpoint (Vault 1.11+)
- [SSH](/vault/docs/secrets/ssh) CA key generation, but not for key pair generation
- [KMIP](/vault/docs/secrets/kmip) uses EA for its TLS CA, server, and client
certificates.
## Enabling/Disabling
Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
[configuration file][configuration] must include a properly configured [entropy and seal stanza](/vault/docs/configuration/entropy-augmentation)
for a supported seal type.
[configuration]: /vault/docs/configuration
## Tutorial
Refer to the [HSM Integration - Entropy Augmentation](/vault/tutorials/enterprise/hsm-entropy) tutorial
to learn how to use the Entropy Augmentation function to leverage an external Hardware Security Module to augment system entropy.