2017-11-14 11:13:11 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
|
page_title: Seals - Configuration
|
|
|
|
|
description: >-
|
|
|
|
|
The seal stanza configures the seal type to use for additional data
|
|
|
|
|
protection.
|
2017-11-14 11:13:11 +00:00
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# `seal` Stanza
|
|
|
|
|
|
|
|
|
|
The `seal` stanza configures the seal type to use for additional data
|
|
|
|
|
protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
|
2022-03-17 05:01:38 +00:00
|
|
|
root key. This stanza is optional, and in the case of the root key, Vault
|
|
|
|
|
will use the Shamir algorithm to cryptographically split the root key if this
|
2017-11-14 11:13:11 +00:00
|
|
|
is not configured.
|
|
|
|
|
|
2017-11-14 17:26:58 +00:00
|
|
|
As of Vault 0.9.0, the seal can also be used for [seal wrapping][sealwrap] to
|
2020-01-18 00:18:09 +00:00
|
|
|
add an extra layer of protection and satisfy compliance and regulatory requirements.
|
2018-10-25 23:44:53 +00:00
|
|
|
This feature is only available in Vault Enterprise.
|
2017-11-14 11:13:11 +00:00
|
|
|
|
2017-11-14 18:12:35 +00:00
|
|
|
For more examples, please choose a specific auto unsealing technology from the
|
|
|
|
|
sidebar.
|
|
|
|
|
|
2017-11-14 11:13:11 +00:00
|
|
|
## Configuration
|
|
|
|
|
|
|
|
|
|
Seal configuration can be done through the Vault configuration file using the
|
|
|
|
|
`seal` stanza:
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
seal [NAME] {
|
2017-11-14 18:12:35 +00:00
|
|
|
# ...
|
2017-11-14 11:13:11 +00:00
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
|
|
```hcl
|
|
|
|
|
seal "pkcs11" {
|
2017-11-14 18:12:35 +00:00
|
|
|
# ...
|
2017-11-14 11:13:11 +00:00
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
For configuration options which also read an environment variable, the
|
|
|
|
|
environment variable will take precedence over values in the configuration file.
|
|
|
|
|
|
2023-01-26 00:12:15 +00:00
|
|
|
[sealwrap]: /vault/docs/enterprise/sealwrap
|
