HashiCorp Vault with Thales Luna HSMs - Integration Guide

This document describes how to store the HashiCorp Vault encryption key on a Thales Luna HSM or Luna Cloud HSM service and how to use the HSM for entropy augmentation. HSM support is a feature of HashiCorp Vault Enterprise, which uses the HSM for:

  • Master Key Wrapping: HashiCorp Vault protects its master key by encrypting it inside the HSM rather than splitting it into Shamir key shares.
  • Automatic Unsealing: HashiCorp Vault stores the HSM-wrapped master key in its storage backend, so it can unseal itself on start-up without operators entering key shares.
  • Seal Wrapping: Provides FIPS key storage conforming functionality for critical security parameters.
  • Entropy Augmentation: HashiCorp Vault leverages HSM for augmenting system entropy via the PKCS#11 protocol.
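The master key wrapping, automatic unsealing and entropy augmentation features above are all enabled in the Vault server configuration file. The following HCL is an added example written for this guide, not configuration shipped by Thales or HashiCorp; the Luna client library path, slot number, key labels, storage and listener paths, hostnames and the PIN placeholder are assumptions for a Linux host with the Luna client installed.

```hcl
# Added example: Vault Enterprise server configuration using a Luna HSM via PKCS#11.
# Library path, slot, key labels, paths, hostnames and the PIN are assumptions or
# placeholders, not values taken from the integration guide.

storage "raft" {
  path    = "/opt/vault/data"   # assumed data directory; holds the HSM-wrapped master key
  node_id = "vault-1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # assumed certificate path
  tls_key_file  = "/etc/vault/tls/vault.key"   # assumed private key path
}

# Master key wrapping and auto-unseal: Vault encrypts its master key with the
# HSM-resident AES key named by key_label and stores only the wrapped blob.
# On start-up it asks the HSM to unwrap that blob, so no key shares are entered.
seal "pkcs11" {
  lib            = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"  # assumed Luna client path
  slot           = "0"                       # alternatively token_label = "<partition label>"
  pin            = "REPLACE_WITH_PARTITION_PIN"   # placeholder; VAULT_HSM_PIN env var avoids storing it here
  key_label      = "vault-hsm-key"           # constructed label for the wrapping key
  hmac_key_label = "vault-hsm-hmac-key"      # constructed label for the integrity (HMAC) key
  generate_key   = "true"                    # create both keys in the partition if they do not exist yet
}

# Entropy augmentation: mix randomness sourced from the HSM into Vault's
# security-critical random number generation.
entropy "seal" {
  mode = "augmentation"
}

api_addr     = "https://vault-1.example.com:8200"   # assumed hostname
cluster_addr = "https://vault-1.example.com:8201"
```

Two operational points follow from this layout. First, the wrapped master key in the storage backend is useless without the HSM key it was wrapped by, so the Luna partition (or Cloud HSM service) holding `vault-hsm-key` must be backed up and its loss treated as loss of the Vault data; the HSM audit trail records each unwrap request and is the place to look when investigating an unexpected unseal. Second, seal wrapping is enabled per mount rather than in this file: passing `-seal-wrap` when enabling a secrets engine or auth method (for example `vault secrets enable -seal-wrap kv`) makes Vault wrap that mount's critical security parameters through the HSM as well.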

The benefits of securing the keys with Luna HSMs include:

  • Secure generation, storage and protection of the encryption keys on FIPS 140-2 level 3 validated hardware.
  • Full life cycle management of the keys.
  • Access to the HSM audit trail*.
  • Take advantage of cloud services with confidence.