Vault Enterprise features a mechanism to sample entropy (or randomness for cryptographic operations) from external cryptographic modules via the seals interface. While the system entropy used by Vault is more than capable of operating in most threat models, there are some situations where additional entropy from hardware-based random number generators is desirable.

To use this feature, you must have an active or trial license for Vault Enterprise. To start a trial, contact HashiCorp sales.

Critical Security Parameters (CSPs)

Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptography module. Designed to operate in environments where alignment with cryptographic regulations like NIST SP800-90B is required or when augmented entropy from external sources such as hardware true random number generators (TRNGs) or quantum computing TRNGs are desirable, augmented entropy replaces system entropy when performing random number operations on critical security parameters (CSPs).

These CSPs have been selected from our previous work in evaluating Vault for conformance with FIPS 140-2 guidelines for key storage and key transport and include the following:

• Vault’s master key
• Keyring encryption keys
• Auto Unseal recovery keys
• TLS private keys for inter-node and inter cluster communication (HA leader, raft, and replication)
• Enterprise MFA TOTP token keys
• JWT token wrapping keys
• Root tokens
• DR operation tokens
• Transit backend key generation

Enabling/Disabling

Entropy augmentation is disabled by default. To enable entropy augmentation Vault's configuration file must include a properly configured entropy and seal stanza for a supported seal type.

Learn

Refer to the HSM Integration - Entropy Augmentation guide for a step-by-step tutorial.