Secrets management

HashiCorp Vault


HashiCorp Vault is an identity-based secrets and encryption management system that provides encryption services that are gated by authentication and authorization methods. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, and certificates.

Integration benefits

Vault Enterprise integrates with HSM platforms to provide the following special functionality:

  • Master Key Wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares
  • Automatic Unsealing: Vault stores its encrypted master key in storage, enabling automatic unsealing
  • Seal Wrapping: Provides FIPS KeyStorage-conforming functionality for Critical Security Parameters
  • Entropy Augmentation: Enables Vault to leverage the HSM for augmenting system entropy

Master Key Wrapping and Automatic Unsealing

Some large organizations use complex processes to designate key officers who must be available to unseal Vault installations, because the most common pattern is to deploy Vault immutably. Automating the unseal with an HSM therefore provides a simplified yet secure way of unsealing Vault nodes when you deploy them. Vault pulls its encrypted master key from storage and transits it through the HSM for decryption via the PKCS #11 API. After the HSM decrypts the master key, Vault uses the master key to decrypt the encryption key and resumes operations.

Seal Wrapping

Vault encrypts secrets using 256-bit AES in GCM mode with a randomly generated nonce before writing them to its persistent storage. By enabling seal wrap, Vault wraps your secrets with an extra layer of encryption, using the HSM for that outer encryption and decryption.

Benefits of the Seal Wrap

Seal Wrap functionality provides the following benefits:

  • Conform with FIPS 140-2 directives on Key Storage and Key Transport as certified by Leidos
  • Support a FIPS security level equal to that of the HSM. For example, if you use Level 3 hardware encryption on an HSM, Vault uses FIPS 140-2 Level 3 cryptography.
  • Enable you to deploy Vault in high-security GRC environments, such as PCI-DSS and HIPAA, where FIPS guidelines are important for external audits.
  • Provide a pathway to use Vault to manage Department of Defense or NATO military secrets.
  • Offer entropy augmentation that allows Vault to leverage the HSM to augment system entropy. With Entropy Augmentation enabled, the following keys and tokens leverage the configured external entropy source:
    • Master Key: AES key that is encrypted by the seal mechanism. This encrypts the key ring.
    • Key Ring Encryption Keys: The keys that encrypt all of Vault's storage embedded in the Vault keyring.
    • Recovery Key: With auto-unseal, the recovery keys are used to regenerate the root token, rotate keys, and so on.
    • TLS Private Keys: For HA leader, Raft, and Enterprise Replications.
    • MFA TOTP Keys: The keys used for TOTP in Vault Enterprise MFA
    • JWT Signing Keys: The keys used to sign wrapping token JWTs.
    • Root Tokens: Superuser tokens granting access to all operations in Vault.
    • DR Operation Tokens: Token that allows certain actions to be performed on a DR secondary.

The transit secrets engine manages several key types and leverages the keysutil package to generate keys. It uses the external entropy source for key generation.
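As an added example that is not from this page or from HashiCorp's documentation, the following Vault Enterprise server configuration wires together the features described above: the pkcs11 seal for HSM-backed master key wrapping and automatic unsealing, and the entropy stanza that turns on entropy augmentation. The library path, slot, key labels, node id and TLS paths are placeholders for a specific HSM deployment and must be replaced with the values your HSM administrator provides.

```hcl
# Vault Enterprise server configuration (HCL). Paths, slot and labels are placeholders.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"
  tls_key_file  = "/opt/vault/tls/vault.key"
}

# Master key wrapping and auto-unseal: the master key sits in storage only in
# encrypted form; on start-up Vault hands it to the HSM over PKCS #11 to decrypt.
seal "pkcs11" {
  lib            = "/usr/lib/libcryptoki.so"   # placeholder: vendor PKCS #11 library
  slot           = "0"                         # placeholder: HSM slot holding the keys
  key_label      = "vault-hsm-key"             # AES key that wraps the master key
  hmac_key_label = "vault-hsm-hmac-key"        # HMAC key protecting the wrapped key's integrity
  generate_key   = "false"                     # keys are pre-created by the HSM administrator
  # "pin" is deliberately omitted here: supply it through the VAULT_HSM_PIN
  # environment variable so the HSM credential is not stored in this file.
}

# Entropy augmentation: the keys and tokens listed above are generated with
# entropy drawn from the HSM's random number generator.
entropy "seal" {
  mode = "augmentation"
}
```

Seal wrap itself is enabled per mount rather than in this file, for example with `vault secrets enable -seal-wrap -path=kv-wrapped kv`, after which writes to that mount receive the extra HSM encryption layer.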