f3df55ad58
* Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
47 lines
1.2 KiB
Plaintext
47 lines
1.2 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Seals - Configuration
|
|
description: >-
|
|
The seal stanza configures the seal type to use for additional data
|
|
protection.
|
|
---
|
|
|
|
# `seal` Stanza
|
|
|
|
The `seal` stanza configures the seal type to use for additional data
|
|
protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the
|
|
root key. This stanza is optional, and in the case of the root key, Vault
|
|
will use the Shamir algorithm to cryptographically split the root key if this
|
|
is not configured.
|
|
|
|
As of Vault 0.9.0, the seal can also be used for [seal wrapping][sealwrap] to
|
|
add an extra layer of protection and satisfy compliance and regulatory requirements.
|
|
This feature is only available in Vault Enterprise.
|
|
|
|
For more examples, please choose a specific auto unsealing technology from the
|
|
sidebar.
|
|
|
|
## Configuration
|
|
|
|
Seal configuration can be done through the Vault configuration file using the
|
|
`seal` stanza:
|
|
|
|
```hcl
|
|
seal [NAME] {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For example:
|
|
|
|
```hcl
|
|
seal "pkcs11" {
|
|
# ...
|
|
}
|
|
```
|
|
|
|
For configuration options which also read an environment variable, the
|
|
environment variable will take precedence over values in the configuration file.
|
|
|
|
[sealwrap]: /vault/docs/enterprise/sealwrap
|