This document describes how to store the HashiCorp Vault encryption key on a Thales Luna HSM or Luna Cloud HSM service and how to leverage the HSM for entropy augmentation. HashiCorp Vault Enterprise offers HSM support as a feature. It uses the HSM for:
- Master Key Wrapping: HashiCorp Vault protects its master key by transiting it through the HSM for encryption rather than splitting it into key shares.
- Automatic Unsealing: HashiCorp Vault stores its HSM-wrapped master key in storage, allowing for automatic unsealing.
- Seal Wrapping: Provides FIPS-conforming key storage for critical security parameters.
- Entropy Augmentation: HashiCorp Vault leverages the HSM to augment system entropy via the PKCS#11 protocol.
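As an added illustration (not a configuration taken from this guide or from HashiCorp), the Vault Enterprise server configuration below wires master key wrapping and automatic unsealing to the `seal "pkcs11"` stanza and entropy augmentation to the `entropy "seal"` stanza. The Luna client library path, slot number, key labels, storage and listener settings are assumptions for a single-node lab deployment.

```hcl
# vault.hcl - illustrative example; paths, slot and labels are assumed values.

# Master key wrapping and automatic unsealing: Vault wraps its master key with
# the HSM-resident AES key named by key_label and keeps only the wrapped copy
# in the storage backend, so the node can unseal without key shares.
seal "pkcs11" {
  lib            = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"  # assumed Luna client library
  slot           = "0"                  # assumed partition slot (token_label is an alternative)
  # The partition PIN is deliberately not written here; supply it through the
  # VAULT_HSM_PIN environment variable so the credential is not stored on disk.
  key_label      = "vault-hsm-key"      # assumed label of the AES wrapping key
  hmac_key_label = "vault-hsm-hmac-key" # assumed label of the HMAC integrity key
  generate_key   = "true"               # create both keys on first start if absent
}

# Entropy augmentation: mix randomness drawn from the HSM over the seal's
# PKCS#11 session into Vault's own random source.
entropy "seal" {
  mode = "augmentation"
}

storage "raft" {
  path    = "/opt/vault/data"  # assumed
  node_id = "vault-1"          # assumed
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"  # assumed
  tls_key_file  = "/etc/vault/tls/vault.key"  # assumed
}

api_addr     = "https://vault-1.example.internal:8200"  # assumed
cluster_addr = "https://vault-1.example.internal:8201"  # assumed
```

Seal wrapping of a particular secrets engine is requested when the engine is mounted (`vault secrets enable -seal-wrap ...`) rather than in this file; the seal stanza above is what makes that wrapping go through the HSM.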
The benefits of securing the keys with Luna HSMs include:
- Secure generation, storage and protection of the encryption keys on FIPS 140-2 Level 3 validated hardware.
- Full life cycle management of the keys.
- Access to the HSM audit trail*.
- Take advantage of cloud services with confidence.