This document provides information about configuring our HSMs with HashiCorp Vault by using PKCS #11 libraries. For additional questions about your HSM, see the relevant administrator guide.

Application description

Vault Enterprise integrates with Hardware Security Module (HSM) platforms to provide the following functionality:
Functionality           Description
Master Key Wrapping     Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares.
Automatic Unsealing     Vault stores its encrypted master key in storage, allowing for automatic unsealing.
Seal Wrapping           Seal wrapping provides FIPS KeyStorage-conforming functionality for Critical Security Parameters.
Entropy Augmentation    Enables Vault to leverage the HSM for augmenting system entropy.
Vault creates two AES-256 keys on the HSM: one for encrypting and decrypting, and the other for generating and verifying MACs.

Master Key Wrapping and Automatic Unsealing

In some large organizations, designating key officers who must be available to unseal Vault installations can be complex because the most common pattern is to deploy Vault immutably. Thus, automating unseal by using an HSM provides a simplified yet secure way of unsealing Vault nodes as you deploy them. Vault pulls its encrypted master key from storage and transits it through the HSM for decryption by using the PKCS #11 API. After it decrypts the master key, Vault uses the master key to decrypt the encryption key to resume Vault operations.

Seal Wrapping

Vault encrypts secrets by using 256-bit AES in GCM mode with a randomly generated nonce before writing them to its persistent storage. When you enable Seal Wrap, Vault wraps your secrets with an extra layer of encryption, leveraging the HSM encryption and decryption.

Benefits of the Seal Wrap

Seal Wrap has the following benefits:
  • Conforms with FIPS 140-2 directives on Key Storage and Key Transport as certified by Leidos.
  • Supports a FIPS level of security equal to that of the HSM.
    • For example, if you use Level 3 hardware encryption on an HSM, Vault uses FIPS 140-2 Level 3 cryptography.
  • Enables you to deploy Vault in high-security governance, risk management, and compliance (GRC) environments (for example, PCI-DSS, HIPAA) where FIPS guidelines are important for external audits.
  • Provides a pathway for using Vault to manage Department of Defense (DOD) or North Atlantic Treaty Organization (NATO) military secrets.

Entropy Augmentation

Entropy Augmentation enables Vault to leverage the HSM for augmenting system entropy. With Entropy Augmentation enabled, the following keys and tokens leverage the configured external entropy source.
Operation                 Description
Master Key                The AES key encrypted by the seal mechanism. This key encrypts the key ring.
Key Ring Encryption Keys  The keys that encrypt all of the Vault storage; they are embedded in the Vault keyring.
Recovery Key              With auto-unseal, the recovery keys are used to regenerate the root token, rotate keys, and so on.
TLS Private Keys          Used for the HA leader, Raft, and Enterprise Replication.
MFA TOTP Keys             The keys used for TOTP in Vault Enterprise MFA.
JWT Signing Keys          The keys used to sign wrapping token JWTs.
Root Tokens               Superuser tokens that grant access to all operations in Vault.
DR Operation Tokens       Tokens that allow certain actions to be performed on a DR secondary.
The transit secrets engine manages several different key types and leverages the keysutil package (godoc.org/github.com/hashicorp/vault/sdk/helper/keysutil) to generate keys. It uses the external entropy source for key generation.
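The following Vault Enterprise server configuration is an added example, not taken from this page or from Futurex or HashiCorp documentation. It ties together the features described above: the `seal "pkcs11"` stanza configures master key wrapping and automatic unseal through the PKCS #11 library (the two AES-256 key labels correspond to the encryption key and the MAC key the page mentions), the `entropy "seal"` stanza turns on Entropy Augmentation, and `disable_sealwrap` is left at its default so seal wrapping stays available. The library path, token label, key labels, storage path and addresses are placeholders you must replace with your own values; the HSM PIN is intentionally not written into the file and is expected in the `VAULT_HSM_PIN` environment variable instead.

```hcl
# Added example configuration (placeholders throughout; not vendor-supplied).
# Vault Enterprise: PKCS #11 seal, entropy augmentation, seal wrapping enabled.

seal "pkcs11" {
  # Path to the PKCS #11 library shipped with the HSM (placeholder path)
  lib            = "/path/to/vendor-pkcs11.so"

  # Select the token by label rather than by numeric slot so the configuration
  # survives slot renumbering (placeholder label)
  token_label    = "vault-hsm"

  # Labels of the two AES-256 keys: one for encrypt/decrypt, one for
  # MAC generation/verification (placeholder labels)
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"

  # Allow Vault to create the keys on first initialisation. Set this to "false"
  # once the keys exist so that a mislabelled config cannot mint new keys.
  generate_key   = "true"

  # No "pin" attribute here on purpose: supply the PIN via VAULT_HSM_PIN so
  # the secret does not live in a world-readable config file.
}

# Entropy Augmentation: the keys and tokens listed in the table above draw on
# the HSM's random number generator.
entropy "seal" {
  mode = "augmentation"
}

# Seal wrapping is enabled by default; this line makes the intent explicit.
# Seal wrap is then switched on per mount, e.g. with
#   vault secrets enable -seal-wrap -path=kv kv
disable_sealwrap = false

storage "raft" {
  path    = "/opt/vault/data"   # placeholder
  node_id = "vault-1"           # placeholder
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"  # placeholder
  tls_key_file  = "/etc/vault/tls/vault.key"  # placeholder
}

api_addr     = "https://vault-1.example.com:8200"  # placeholder
cluster_addr = "https://vault-1.example.com:8201"  # placeholder
```

Two points worth checking after the first start: `vault status` should report the seal type as `pkcs11` and, once initialised, show the node unsealed without any operator-supplied key shares; and the HSM's own audit log should show the two labelled keys being used only for the wrap and MAC operations Vault performs. Because `generate_key = "true"` creates keys when the labels are not found, an accidental label change combined with a fresh init would produce a new key pair on the HSM rather than fail, which is why the comment recommends flipping it to `"false"` after the keys exist.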

Guardian integration

The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
  • Centralization of device management
  • Elimination of points of failure
  • Distribution of transaction loads
  • Group-specific function blocking
  • User-defined grouping systems
See the applicable guide in the Futurex Portal for configuring HSMs with the Guardian Series 3, including PKCS #11 and CNG configuration.