718a5f04c9
* [WIP] docs: update packaging Update language to support current enterprise packaging. * Update index.mdx * Update entropy-augmentation.mdx * Update entropy-augmentation.mdx * Update control-groups.mdx * Update sealwrap.mdx * Update index.mdx * Update control-groups.mdx * Update entropy-augmentation.mdx * Update index.mdx * Update index.mdx * Update sealwrap.mdx * Update index.mdx * Update index.mdx * Update index.mdx
58 lines
2.6 KiB
Plaintext
58 lines
2.6 KiB
Plaintext
---
|
||
layout: docs
|
||
page_title: Vault Enterprise Entropy Augmentation
|
||
description: |-
|
||
Vault Enterprise features a mechanism to sample entropy from external
|
||
cryptographic modules.
|
||
---
|
||
|
||
# Entropy Augmentation
|
||
|
||
-> **Note**: This feature requires [Vault Enterprise Plus](https://www.hashicorp.com/products/vault/).
|
||
|
||
Vault Enterprise features a mechanism to sample entropy (or randomness for
|
||
cryptographic operations) from external cryptographic modules via the [seals](/docs/configuration/seal)
|
||
interface. While the system entropy used by Vault is more than capable of
|
||
operating in most threat models, there are some situations where additional
|
||
entropy from hardware-based random number generators is desirable.
|
||
|
||
To use this feature, you must have an active or trial license for Vault
|
||
Enterprise. To start a trial, contact [HashiCorp sales](mailto:sales@hashicorp.com).
|
||
|
||
# Critical Security Parameters (CSPs)
|
||
|
||
Entropy augmentation allows Vault Enterprise to supplement its system entropy with
|
||
entropy from an external cryptography module. Designed to operate in environments
|
||
where alignment with cryptographic regulations like [NIST SP800-90B](https://csrc.nist.gov/publications/detail/sp/800-90b/final)
|
||
is required or when augmented entropy from external sources such as hardware true
|
||
random number generators (TRNGs) or [quantum computing TRNGs](https://www.hashicorp.com/blog/quantum-security-and-cryptography-in-hashicorp-vault/)
|
||
are desirable, augmented entropy replaces system entropy when performing random
|
||
number operations on critical security parameters (CSPs).
|
||
|
||
These CSPs have been selected from our previous work in [evaluating Vault for conformance with
|
||
FIPS 140-2 guidelines for key storage and key transport](https://www.datocms-assets.com/2885/1510600487-vault_compliance_letter_fips_140-2.pdf)
|
||
and include the following:
|
||
|
||
- Vault’s master key
|
||
- Keyring encryption keys
|
||
- Auto Unseal recovery keys
|
||
- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
|
||
- Enterprise MFA TOTP token keys
|
||
- JWT token wrapping keys
|
||
- Root tokens
|
||
- DR operation tokens
|
||
- [Transit](/docs/secrets/transit) backend key generation
|
||
|
||
## Enabling/Disabling
|
||
|
||
Entropy augmentation is disabled by default. To enable entropy augmentation Vault's
|
||
[configuration file][configuration] must include a properly configured [entropy and seal stanza](/docs/configuration/entropy-augmentation)
|
||
for a supported seal type.
|
||
|
||
[configuration]: /docs/configuration
|
||
|
||
## Learn
|
||
|
||
Refer to the [HSM Integration - Entropy Augmentation](https://learn.hashicorp.com/vault/operations/hsm-entropy) guide
|
||
for a step-by-step tutorial.
|