2019-10-28 22:04:27 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: docs
|
|
|
|
|
|
page_title: Vault Enterprise Entropy Augmentation
|
|
|
|
|
|
sidebar_title: Entropy Augmentation
|
2019-10-28 22:04:27 +00:00
|
|
|
|
description: |-
|
|
|
|
|
|
Vault Enterprise features a mechanism to sample entropy from external
|
|
|
|
|
|
cryptographic modules.
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
|
|
# Entropy Augmentation
|
|
|
|
|
|
|
2020-01-25 00:18:22 +00:00
|
|
|
|
-> **Note**: This feature requires [Vault Enterprise](https://www.hashicorp.com/products/vault/)
|
|
|
|
|
|
with the Governance & Policy Module.
|
|
|
|
|
|
|
2019-11-18 23:02:12 +00:00
|
|
|
|
Vault Enterprise features a mechanism to sample entropy (or randomness for
|
2020-01-21 23:05:53 +00:00
|
|
|
|
cryptographic operations) from external cryptographic modules via the [seals](/docs/configuration/seal)
|
2019-10-28 22:04:27 +00:00
|
|
|
|
interface. While the system entropy used by Vault is more than capable of
|
|
|
|
|
|
operating in most threat models, there are some situations where additional
|
|
|
|
|
|
entropy from hardware-based random number generators is desirable.
|
|
|
|
|
|
|
|
|
|
|
|
To use this feature, you must have an active or trial license for Vault
|
|
|
|
|
|
Enterprise. To start a trial, contact [HashiCorpsales](mailto:sales@hashicorp.com).
|
|
|
|
|
|
|
|
|
|
|
|
# Critical Security Parameters (CSPs)
|
|
|
|
|
|
|
|
|
|
|
|
Entropy augmentation allows Vault Enterprise to supplement its system entropy with
|
|
|
|
|
|
entropy from an external cryptography module. Designed to operate in environments
|
|
|
|
|
|
where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
|
|
|
|
|
|
is required or when augmented entropy from external sources such as hardware true
|
|
|
|
|
|
random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
|
|
|
|
|
|
are desirable, augmented entropy replaces system entropy when performing random
|
2019-11-18 23:02:12 +00:00
|
|
|
|
number operations on critical security parameters (CSPs).
|
2019-10-28 22:04:27 +00:00
|
|
|
|
|
|
|
|
|
|
These CSPs have been selected from our previous work in [evaluating Vault for conformance with
|
|
|
|
|
|
FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
|
2019-11-18 23:02:12 +00:00
|
|
|
|
and include the following:
|
2019-10-28 22:04:27 +00:00
|
|
|
|
|
2019-11-18 23:02:12 +00:00
|
|
|
|
- Vault’s master key
|
2019-10-28 22:04:27 +00:00
|
|
|
|
- Keyring encryption keys
|
|
|
|
|
|
- Auto Unseal recovery keys
|
|
|
|
|
|
- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
|
|
|
|
|
|
- Enterprise MFA TOTP token keys
|
|
|
|
|
|
- JWT token wrapping keys
|
|
|
|
|
|
- Root tokens
|
|
|
|
|
|
- DR operation tokens
|
2020-01-21 23:05:53 +00:00
|
|
|
|
- [Transit](/docs/secrets/transit) backend key generation
|
2019-10-28 22:04:27 +00:00
|
|
|
|
|
|
|
|
|
|
## Enabling/Disabling
|
|
|
|
|
|
|
|
|
|
|
|
Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
|
2020-01-21 23:05:53 +00:00
|
|
|
|
[configuration file][configuration] must include a properly configured [entropy and seal stanza](/docs/configuration/entropy-augmentation)
|
|
|
|
|
|
for a supported seal type.
|
2019-10-28 22:04:27 +00:00
|
|
|
|
|
2020-01-21 23:05:53 +00:00
|
|
|
|
[configuration]: /docs/configuration
|
2019-11-18 23:02:12 +00:00
|
|
|
|
|
|
|
|
|
|
## Learn
|
|
|
|
|
|
|
|
|
|
|
|
Refer to the [HSM Integration - Entropy Augmentation](https://learn.hashicorp.com/vault/operations/hsm-entropy) guide
|
|
|
|
|
|
for a step-by-step tutorial.
|
