Automatic Unseal, Seal Wrap, and Entropy Augmentation
This document provides information regarding configuring Futurex HSMs with HashiCorp Vault using PKCS #11 libraries. For additional questions related to your HSM, see the relevant administrator’s guide.
Vault Enterprise integrates with Hardware Security Module (HSM) platforms to provide four pieces of special functionality:
| Functionality | Description |
| --- | --- |
| Master Key Wrapping | Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares. |
| Automatic Unsealing | Vault stores its encrypted master key in storage, allowing for automatic unsealing. |
| Seal Wrapping | Provides FIPS KeyStorage-conforming functionality for Critical Security Parameters. |
| Entropy Augmentation | Allows Vault to leverage the HSM for augmenting system entropy. |
Vault creates two AES-256 keys on the HSM: one for encrypting and decrypting, and the other for generating and verifying MACs.
In large organizations, designating key officers who can be available to unseal Vault installations adds considerable complexity, since the most common pattern is to deploy Vault immutably. Automating unseal with an HSM therefore provides a simplified yet secure way of unsealing Vault nodes as they are deployed.
Vault pulls its encrypted master key from storage and transits it through the HSM for decryption via the PKCS #11 API. Once the master key is decrypted, Vault uses it to decrypt the encryption key and resumes normal operation.
Vault encrypts secrets using 256-bit AES in GCM mode with a randomly generated nonce before writing them to its persistent storage. By enabling seal wrap, Vault wraps your secrets with an extra layer of encryption, using the HSM for the encryption and decryption.
- Supports a FIPS level of security equal to that of the HSM
- For example, if you use Level 3 hardware encryption on an HSM, Vault will be using FIPS 140-2 Level 3 cryptography
- Allows Vault to be deployed in high-security GRC environments (e.g. PCI-DSS, HIPAA) where FIPS guidelines are important for external audits
- Provides a pathway for Vault's use in managing Department of Defense (DOD) or North Atlantic Treaty Organization (NATO) military secrets
Entropy Augmentation allows Vault to leverage the HSM for augmenting system entropy.
With Entropy Augmentation enabled, the following keys and tokens leverage the configured external entropy source.
| Operation | Description |
| --- | --- |
| Master Key | AES key that is encrypted by the seal mechanism. This encrypts the key ring. |
| Key Ring Encryption Keys | The keys embedded in Vault's keyring which encrypt all of Vault's storage. |
| Recovery Key | With auto-unseal, the recovery keys are used to regenerate the root token, rotate keys, etc. |
| TLS Private Keys | For HA leader, Raft and Enterprise Replication. |
| MFA TOTP Keys | The keys used for TOTP in Vault Enterprise MFA. |
| JWT Signing Keys | The keys used to sign wrapping token JWTs. |
| Root Tokens | Superuser tokens granting access to all operations in Vault. |
| DR Operation Tokens | Tokens that allow certain actions to be performed on a DR secondary. |
The transit secrets engine manages a number of different key types and leverages the keysutil package to generate keys. It will use the external entropy source for key generation.
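The auto-unseal and entropy augmentation behaviour described above is enabled in the Vault server configuration. The following is an added example, not configuration from Futurex or HashiCorp; the library path, slot, PIN, key labels, hostnames and file paths are placeholders for your own deployment.

```hcl
# Added example configuration (placeholders, not a vendor-supplied file).

# Auto-unseal: Vault transits its master key through the HSM over PKCS #11.
seal "pkcs11" {
  lib            = "/usr/lib/futurex/libfxpkcs11.so"  # placeholder: path to the vendor PKCS #11 library
  slot           = "0"                                # placeholder: or use token_label to select the token
  pin            = "PLACEHOLDER-HSM-PIN"              # prefer the VAULT_HSM_PIN environment variable to a value on disk
  key_label      = "vault-hsm-key"                    # AES-256 key used for encryption and decryption
  hmac_key_label = "vault-hsm-hmac-key"               # AES-256 key used for generating and verifying MACs
  generate_key   = "true"                             # create both keys on first start if they do not exist
}

# Entropy augmentation: draw external entropy from the same PKCS #11 seal
# for the keys and tokens listed in the table above.
entropy "seal" {
  mode = "augmentation"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}

api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"
```

Seal wrapping is then enabled per mount rather than globally, for example with `vault secrets enable -seal-wrap kv`, so that the data in that mount is additionally wrapped by the HSM-held key.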
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
- Centralized device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems
Please see the applicable guide for configuring HSMs with the Guardian Series 3.