Entropy augmentation
Appropriate Vault Enterprise license required
Warning
Entropy augmentation is not available with "FIPS 140-2 Inside" variants of Vault.Vault Enterprise features a mechanism to sample entropy (or randomness for cryptographic operations) from external cryptographic modules via the seals interface. While the system entropy used by Vault is more than capable of operating in most threat models, there are some situations where additional entropy from hardware-based random number generators is desirable.
With Entropy Augmentation enabled, the following keys and tokens leverage the configured external entropy source.
Operation | Description |
---|---|
Root Key | AES key that is encrypted by the seal mechanism. This encrypts the key ring. |
Key Ring Encryption Keys | The keys embedded in Vault's keyring which encrypt all of Vault's storage. |
Recovery Key | With auto-unseal, use the recovery keys to regenerate root token, key rotation, etc. |
TLS Private Keys | For HA leader, Raft and Enterprise Replications. |
MFA TOTP Keys | The keys used for TOTP in Vault Enterprise MFA |
JWT Signing Keys | The keys used to sign wrapping token JWTs. |
Root Tokens | Superuser tokens granting access to all operations in Vault. |
DR Operation Tokens | Token that allows certain actions to be performed on a DR secondary. |
The transit secrets engine manages a number of
different key types and leverages the
keysutil
package to generate keys. It will use the external entropy source for key
generation.
Warning
When you enable the external entropy source, Vault requires connectivity to the HSM. If the HSM becomes unreachable for any reason, the transit secrets engine can't generate new keys or rotate existing keys.
To use this feature, you must have an active or trial license for Vault Enterprise. To start a trial, contact HashiCorp sales.
Critical security parameters (CSPs)
Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module. Designed to operate in environments where alignment with cryptographic regulations like NIST SP800-90B is required or when augmented entropy from external sources such as hardware true random number generators (TRNGs) or quantum computing TRNGs are desirable, augmented entropy replaces system entropy when performing random number operations on critical security parameters (CSPs).
These CSPs have been selected from our previous work in evaluating Vault for conformance with FIPS 140-2 guidelines for key storage and key transport and include (but not limited to) the following:
- Vault's root key
- Keyring encryption keys
- Auto Unseal recovery keys
- TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
- Enterprise MFA TOTP token keys
- JWT token wrapping keys
- Root tokens
- DR operation tokens
- Transit backend key generation and
/random
endpoint (/random
only on Vault 1.11+) - PKI issuer key generation, but not for leaf certificate private keys
/sys/tools/random
endpoint (Vault 1.11+)- SSH CA key generation, but not for key pair generation
- KMIP uses EA for its TLS CA, server, and client certificates.
- TOTP two factor keys.
Enabling/Disabling
Entropy augmentation is disabled by default. To enable entropy augmentation Vault's configuration file must include a properly configured entropy and seal stanza for a supported seal type.