Automatic Unseal, Seal Wrap, and Entropy Augmentation
This document provides information about configuring the KMES Series 3 with HashiCorp Vault by using PKCS #11 libraries. If you have other questions about your KMES Series 3 device, see the relevant administrator guide.

Application description

Vault Enterprise integrates with hardware security module (HSM) platforms (such as the KMES Series 3) to provide the following special functionality:

- Master key wrapping: Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares.
- Automatic unsealing: Vault stores its encrypted master key in storage, allowing for automatic unsealing.
- Seal wrapping: Seal wrapping provides FIPS KeyStorage-conforming functionality for critical security parameters.
- Entropy augmentation: Enables Vault to leverage the HSM for augmenting system entropy.

Master key wrapping and automatic unsealing

In some large organizations, designating key officers who must be available to unseal Vault installations can be complex, because the most common pattern is to deploy Vault immutably. Automating unseal by using an HSM therefore provides a simplified yet secure way of unsealing Vault nodes as you deploy them.

Vault pulls its encrypted master key from storage and transits it through the HSM for decryption by using the PKCS #11 API. After it decrypts the master key, Vault uses the master key to decrypt the encryption key and resume Vault operations.

Seal wrapping

Vault encrypts secrets by using 256-bit AES in GCM mode with a randomly generated nonce before writing them to its persistent storage. When you enable seal wrap, Vault wraps your secrets with an extra layer of encryption, leveraging the HSM for encryption and decryption.

Seal wrap has the following benefits:

- Conforms with FIPS 140-2 directives on key storage and key transport, as certified by Leidos (https://www.vaultproject.io/docs/enterprise/sealwrap#fips-140-2-compliance).
- Supports a FIPS level of security equal to that of the HSM. For example, if you use Level 3 hardware encryption on an HSM, Vault uses FIPS 140-2 Level 3 cryptography.
- Enables you to deploy Vault in high-security governance, risk management, and compliance (GRC) environments (https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance), for example PCI DSS or HIPAA, where FIPS guidelines are important for external audits.
- Provides a pathway for using Vault to manage Department of Defense (DoD) or North Atlantic Treaty Organization (NATO) military secrets.

Entropy augmentation

Entropy augmentation enables Vault to leverage the HSM for augmenting system entropy. With entropy augmentation enabled, the following keys and tokens leverage the configured external entropy source:

| Operation | Description |
| --- | --- |
| Master key | The AES key encrypted by the seal mechanism. This key encrypts the key ring. |
| Key ring encryption keys | The keys that encrypt all of the Vault storage; they are embedded in the Vault keyring. |
| Recovery key | With auto-unseal, use the recovery keys to regenerate the root token, perform key rotation, and so on. |
| TLS private keys | For the HA leader, Raft, and Enterprise replication. |
| MFA TOTP keys | The keys used for time-based one-time passwords (TOTP) in Vault Enterprise MFA. |
| JWT signing keys | The keys used to sign wrapping token JWTs. |
| Root tokens | Superuser tokens granting access to all operations in Vault. |
| DR operation tokens | Tokens that allow certain actions to be performed on a disaster recovery (DR) secondary. |

The Transit secrets engine manages several different key types and leverages the keysutil package (https://godoc.org/github.com/hashicorp/vault/sdk/helper/keysutil) to generate keys. It uses the external entropy source for key generation.

Integration overview

To use automatic unseal, seal wrap, and entropy augmentation, you must perform the following tasks:

1. Install Futurex PKCS #11.
2. Configure the KMES Series 3.
3. Edit the PKCS #11 configuration file.
4. Configure the PKCS #11 library with Vault.

The following sections describe how to perform these tasks.
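As an added example that is not part of this guide, the following Vault Enterprise server configuration ties the three features together: the `seal "pkcs11"` stanza enables master key wrapping and automatic unsealing through the HSM, and the `entropy "seal"` stanza turns on entropy augmentation. The library path, slot, PIN, and key labels are placeholders that you must replace with the values from your own PKCS #11 configuration file.

```hcl
# Added example: Vault Enterprise server configuration using the KMES Series 3
# through PKCS #11. All values below are placeholders, not values from this guide.

storage "raft" {
  path    = "/opt/vault/data"   # placeholder data directory
  node_id = "vault-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder certificate
  tls_key_file  = "/etc/vault/tls/vault.key"   # placeholder private key
}

# Master key wrapping and automatic unseal: Vault transits its master key
# through the HSM via PKCS #11 instead of splitting it into unseal key shares.
seal "pkcs11" {
  lib            = "/path/to/futurex-pkcs11.so"   # placeholder: path to the Futurex PKCS #11 library
  slot           = "0"                            # placeholder: slot that holds the Vault keys
  pin            = "REPLACE_WITH_PIN"             # placeholder; the VAULT_HSM_PIN environment variable avoids a plaintext PIN here
  key_label      = "vault-hsm-key"                # placeholder: AES key that wraps the Vault master key
  hmac_key_label = "vault-hsm-hmac-key"           # placeholder: HMAC key that authenticates the wrapped data
  generate_key   = "false"                        # keys already exist on the KMES; do not let Vault create new ones
}

# Entropy augmentation: the keys and tokens listed in the table above draw on
# the HSM entropy source in addition to system entropy.
entropy "seal" {
  mode = "augmentation"
}
```

Seal wrap is enabled per mount, for example `vault secrets enable -seal-wrap -path=secret kv-v2`. Because auto-unseal replaces the unseal key shares, initialize the cluster with recovery keys (`vault operator init -recovery-shares=5 -recovery-threshold=3`) so the recovery operations in the table remain possible.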