HSM integration - entropy augmentation
Seal Wrap handles the root key wrapping, automatic unsealing and seal wrapping functionalities provided by integrating Vault with a Hardware Security Module (HSM).
Enterprise Only
This tutorial focuses on the Entropy Augmentation feature, which requires a Vault Enterprise Plus license.
Challenge
Critical to any cryptographic system is its entropy, the randomness of the pseudorandom number generator (or PRNG) used for generating random numbers used in cryptographic operations such as key creation and encryption.
In Vault, random number generation occurs at the operating system level and varies depending on where Vault is running (Linux, Windows, BSD, or WebAssembly). These different PRNGs use different underlying sources of entropy and therefore provide different levels of randomness when generating random numbers.
If an organization must conform to entropy requirements which are often dictated by standards such as FIPS 140-2, the Vault Enterprise admins have no control over how the OS generates random numbers.
Solution
Vault Enterprise version 1.3 introduced the Entropy Augmentation function to leverage an external Hardware Security Module (HSM) for augmenting system entropy via the PKCS#11 protocol.
With Entropy Augmentation enabled, the following keys and tokens leverage the configured external entropy source.
Operation | Description |
---|---|
Root Key | AES key that is encrypted by the seal mechanism. This encrypts the key ring. |
Key Ring Encryption Keys | The keys embedded in Vault's keyring which encrypt all of Vault's storage. |
Recovery Key | With auto-unseal, the recovery keys are used to regenerate a root token, rotate keys, etc. |
TLS Private Keys | For HA leader, Raft and Enterprise Replications. |
MFA TOTP Keys | The keys used for TOTP in Vault Enterprise MFA |
JWT Signing Keys | The keys used to sign wrapping token JWTs. |
Root Tokens | Superuser tokens granting access to all operations in Vault. |
DR Operation Tokens | Token that allows certain actions to be performed on a DR secondary. |
The transit secrets engine manages a number of different key types and leverages the keysutil package to generate keys. It will use the external entropy source for key generation.
Prerequisites
This intermediate operations tutorial assumes that you have:
- A supported HSM cluster to be integrated with Vault
- Vault Enterprise version 1.3 or later
Step 1: Configure HSM Integration
When a Vault server is started, it normally starts in a sealed state where a quorum of existing unseal keys is required to unseal it. By integrating Vault with HSM, your Vault server can be automatically unsealed by the trusted HSM key provider.
To enable Entropy Augmentation, define the entropy stanza in your server configuration file. Since Vault will delegate the random number generation to an HSM, be sure to set the seal stanza with your HSM cluster connection information.
Example:
config-hsm.hcl
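A configuration of the shape this step describes, written out by a shell function together with a line-based preflight check. This is an added example, not the tutorial's own config-hsm.hcl; the function names are hypothetical, and the library path, slot, key labels, listener address and storage path are placeholder assumptions.

```shell
#!/bin/sh
# Added example: sample config-hsm.hcl plus a preflight check. Paths, labels,
# slot and addresses are constructed placeholders, not values from the page.
write_sample_config() {
  cat > "$1" <<'EOF'
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true" # tutorial only; enable TLS in production
}

storage "file" {
  path = "/tmp/vault-data"
}

# HSM connection. The PIN is left out of the file on purpose; Vault also
# reads it from the VAULT_HSM_PIN environment variable.
seal "pkcs11" {
  lib            = "/path/to/vendor-pkcs11.so"
  slot           = "0"
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"
}

# Augment Vault's random number generation with entropy from the seal's HSM.
entropy "seal" {
  mode = "augmentation"
}
EOF
}

# Line-based preflight, not an HCL parser: returns non-zero unless the file
# has both an entropy "seal" stanza in augmentation mode and a pkcs11 seal.
check_entropy_config() {
  s='[[:space:]]'
  grep -Eq "^$s*entropy$s+\"seal\"" "$1" ||
    { echo "no entropy \"seal\" stanza" >&2; return 1; }
  grep -Eq "^$s*mode$s*=$s*\"augmentation\"" "$1" ||
    { echo "entropy mode is not augmentation" >&2; return 1; }
  grep -Eq "^$s*seal$s+\"pkcs11\"" "$1" ||
    { echo "no seal \"pkcs11\" stanza for the HSM" >&2; return 1; }
  if grep -Eq "^$s*tls_disable$s*=$s*(\"true\"|true|1)" "$1"; then
    echo "warning: listener has TLS disabled" >&2
  fi
  return 0
}
```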
Warning
Although the listener stanza disables TLS for this tutorial, Vault should always be used with TLS in production to provide secure communication between clients and the Vault server. It requires a certificate file and key file on each Vault host.
If you are using systemd, the ExecStart parameter should point to the correct location of your configuration file. For example, if your configuration file is located at /etc/vault.d/config-hsm.hcl, the vault.service file may look as follows.
Example:
/etc/systemd/system/vault.service
Start the Vault server.
Example:
To start the Vault server from the command line, execute the following command.
Otherwise, if starting the Vault server as a service, first enable the vault service.
Use systemctl to start the Vault server as a service.
Set the VAULT_ADDR environment variable.
Initialize the Vault server.
When Vault is initialized while using an HSM, rather than unseal keys being returned to the operator, recovery keys are returned. These are generated from an internal recovery key that is split via Shamir's Secret Sharing, similar to Vault's treatment of unseal keys when running without an HSM. Some Vault operations such as generation of a root token require these recovery keys.
Check to verify that the Vault server is now initialized and auto-unsealed.
Log in to Vault using the generated root token.
Step 2: Enable Entropy Augmentation
To leverage the external entropy source, set the external_entropy_access parameter to true when you enable a secrets engine or auth method.
In this step, you are going to enable the external entropy source on a transit secrets engine.
Execute the following command to enable the transit secrets engine with the external entropy source using the -external-entropy-access flag.
List the enabled secrets engines with the -detailed flag.
Notice that the External Entropy Access is set to true for transit/.
You can start using the transit secrets engine to encrypt your sensitive data, which leverages the HSM as its external entropy source. Regardless, the user experience remains the same as before.
Example:
Create a new encryption key named "orders".
Send a base64-encoded string to be encrypted by Vault.
Now, test to verify that you can decrypt.
Decode to get the original data.
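The Step 2 sequence as shell functions, added here as an example and not taken from the original tutorial. It assumes VAULT_ADDR and a valid token are set and that the server runs with the entropy stanza configured; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Nothing executes on load;
# call the functions in order against a running Vault Enterprise server.

# Enable transit with the HSM as external entropy source for key generation.
enable_transit() {
  vault secrets enable -external-entropy-access transit
}

# Succeed only if transit/ reports "external_entropy_access": true.
# Line-based match on the pretty-printed JSON, not a general JSON parser.
transit_uses_external_entropy() {
  vault secrets list -format=json | awk '
    /"transit\/"[ \t]*:/ { in_mount = 1 }
    in_mount && /"external_entropy_access"/ { ok = ($0 ~ /true/); exit }
    END { exit !ok }'
}

# Create the "orders" key, encrypt the given text, decrypt it, print the result.
transit_roundtrip() {
  vault write -f transit/keys/orders >/dev/null || return 1
  # Transit takes base64 input; tr strips the line wraps GNU base64 adds.
  encoded=$(printf '%s' "$1" | base64 | tr -d '\n')
  ciphertext=$(vault write -field=ciphertext transit/encrypt/orders \
    plaintext="$encoded") || return 1
  # Decrypt returns base64 as well, so decode to recover the original data.
  vault write -field=plaintext transit/decrypt/orders \
    ciphertext="$ciphertext" | base64 -d
}
```

Running transit_uses_external_entropy after any mount change gives a quick check that new transit keys still depend on the HSM.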
Important Note
When external entropy access is enabled, connectivity to the HSM is required. If the HSM becomes unreachable for any reason, the transit secrets engine will fail to generate new keys or rotate the existing keys.