28aff44616
* adds documentation for entropy augmentation * adds a link to pkcs11 seal configuration from a mention of it
1.9 KiB
| layout | page_title | sidebar_title | sidebar_current | description |
|---|---|---|---|---|
| docs | Entropy Augmentation - Configuration | <code>Entropy Augmentation</code> <sup>ENT</sup> | docs-configuration-entropy-augmentation | Entropy augmentation enables Vault to sample entropy from external cryptographic modules. |
# Entropy Augmentation
Entropy augmentation enables Vault to sample entropy from external cryptographic modules.
Currently, sourcing external entropy is done through a configured PKCS11 seal.

Vault Enterprise's external entropy support is activated by the presence of an `entropy "seal"`
block in Vault's configuration file.
## Requirements

The following software packages are required for Vault Enterprise Entropy Augmentation:

- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
- The GNU libltdl library — ensure that it is installed for the correct architecture of your servers
- Governance and Policy module of a Vault Enterprise license
## `entropy` Example

This example shows configuring entropy augmentation through a PKCS11 HSM seal from Vault's configuration file:

```hcl
seal "pkcs11" {
  ...
}

entropy "seal" {
  mode = "augmentation"
}
```
## `entropy augmentation` Parameters

These parameters apply to the `entropy` stanza in the Vault configuration file:

- `mode` `(string: <required>)`: The mode determines which Vault operations requiring entropy will sample entropy from the external source. Currently, the only mode supported is `augmentation`, which sources entropy for Critical Security Parameters (CSPs).
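As an added example (not Vault's own code), the following Python script is a pre-flight check for the `entropy "seal"` stanza from the example and parameters sections above. It parses the top-level stanzas of a Vault configuration file with a small regex-based parser (enough for flat `type "label" { key = "value" }` blocks, which is all the `seal` and `entropy` stanzas need) and reports the misconfigurations the documentation implies: a missing `mode`, a mode other than `augmentation`, or an `entropy "seal"` block with no `seal "pkcs11"` block for it to draw entropy from. The configuration texts are constructed samples; the `lib` and `key_label` values inside the `seal "pkcs11"` body are placeholders, not a working HSM setup.

```python
"""Pre-flight check for a Vault entropy augmentation configuration.

Added example, not Vault's own configuration validation. Parses the
top-level HCL stanzas of a Vault config and checks the requirements the
documentation states for the `entropy "seal"` stanza.
"""
import re
from typing import Dict, List, Tuple

# Matches a flat top-level stanza such as:  seal "pkcs11" { ... }
# (stanzas with nested blocks are not needed here and are skipped).
_STANZA = re.compile(r'(\w+)\s+"([^"]+)"\s*\{([^{}]*)\}', re.S)
# Matches a simple  key = "value"  assignment inside a stanza body.
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)

# The documentation lists "augmentation" as the only supported mode.
SUPPORTED_MODES = {"augmentation"}


def parse_stanzas(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (type, label, {key: value}) for each flat top-level stanza."""
    stanzas = []
    for kind, label, body in _STANZA.findall(text):
        stanzas.append((kind, label, dict(_ASSIGN.findall(body))))
    return stanzas


def check_entropy_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the config passes."""
    problems: List[str] = []
    stanzas = parse_stanzas(text)
    seals = {label for kind, label, _ in stanzas if kind == "seal"}
    entropy = [(label, attrs) for kind, label, attrs in stanzas if kind == "entropy"]

    if not entropy:
        return problems  # entropy augmentation is simply not enabled

    for label, attrs in entropy:
        if label != "seal":
            problems.append(f'entropy "{label}": only the "seal" source is documented')
            continue
        mode = attrs.get("mode")
        if mode is None:
            problems.append('entropy "seal": missing required parameter "mode"')
        elif mode not in SUPPORTED_MODES:
            problems.append(f'entropy "seal": unsupported mode "{mode}"')
        # The external entropy source is the configured PKCS11 seal.
        if "pkcs11" not in seals:
            problems.append('entropy "seal" requires a configured seal "pkcs11" stanza')
    return problems


# Constructed sample configurations (placeholder values, not a real HSM setup).
GOOD_CONFIG = '''
seal "pkcs11" {
  lib = "/path/to/pkcs11-library.so"
  key_label = "vault-hsm-key"
}

entropy "seal" {
  mode = "augmentation"
}
'''

NO_SEAL_CONFIG = '''
entropy "seal" {
  mode = "augmentation"
}
'''

BAD_MODE_CONFIG = '''
seal "pkcs11" {
  lib = "/path/to/pkcs11-library.so"
}

entropy "seal" {
  mode = "augmentaton"
}
'''

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_CONFIG), ("no-seal", NO_SEAL_CONFIG),
                      ("bad-mode", BAD_MODE_CONFIG)]:
        print(name, "->", check_entropy_config(cfg) or "ok")
```

Run it against a real `vault.hcl` by passing the file contents to `check_entropy_config`; the parser deliberately ignores stanzas with nested blocks (such as `listener` blocks with sub-blocks), since only the flat `seal` and `entropy` stanzas matter for this check.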