Docs: Seal wrap updates (#28910)

Update docs as part of [SPE-1019](https://hashicorp.atlassian.net/browse/SPE-1019)

- Add a benefits section from archived tutorial
- Add a tip about Vault generated HSM key
This commit is contained in:
Brian Shumate
2024-11-18 10:19:57 -05:00
committed by GitHub
parent ccb8698624
commit a54d787812

@@ -19,6 +19,19 @@ To use this feature, you must have an active or trial license for Vault
Enterprise Plus (HSMs). To start a trial, contact [HashiCorp
sales](mailto:sales@hashicorp.com).
## Seal Wrap benefits
Your Vault deployments can gain the following benefits by enabling seal wrapping:
- Conformance with FIPS 140-2 directives on Key Storage and Key Transport as [certified by Leidos](/vault/docs/enterprise/sealwrap#fips-140-2-compliance)
- Supports FIPS level of security equal to HSM
- For example, if you use Level 3 hardware encryption on an HSM, Vault will be
using FIPS 140-2 Level 3 cryptography
- Enables Vault deployments in high security [GRC](https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance)
environments (e.g. PCI-DSS, HIPAA) where FIPS guidelines important for external audits
- Pathway to use Vault for managing Department of Defense (DOD) or North
Atlantic Treaty Organization (NATO) military secrets
## Enabling/Disabling
Seal Wrap is enabled by default on supporting seals. This implies that the seal
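Review bot: two of the new bullets under "Seal Wrap benefits" don't parse as written. "Supports FIPS level of security equal to HSM" needs a subject and a clearer statement of the actual property, and the sub-bullet that follows is the claim worth keeping; suggest collapsing them into "Seal-wrapped values inherit the FIPS 140-2 validation level of the underlying HSM (for example, with a Level 3 HSM, Vault's key storage and transport operate at FIPS 140-2 Level 3)". The GRC bullet drops a verb: "where FIPS guidelines important for external audits" should read "where FIPS guidelines are important for external audits". Also consider a blank line after the "## Seal Wrap benefits" heading and before "## Enabling/Disabling", matching the spacing the rest of the page uses around headings; as rendered here the heading and first sentence run together. Finally, the Leidos link points at the "#fips-140-2-compliance" anchor on this same page; worth confirming that anchor exists after the edit, since in-page anchors silently 404 when a heading is renamed.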
@@ -27,6 +40,12 @@ quite reliable, but, for instance, if using an HSM in a non-HA setup a
connection interruption to the HSM will result in issues with Vault
functionality.
<Tip>
Having Vault generate its own key is the easiest way to get up and running, but for security, Vault marks the key as non-exportable. If your HSM key backup strategy requires the key to be exportable, you should generate the key yourself. Refer to the [key generation attributes](/vault/docs/configuration/seal/pkcs11#vault-key-generation-attributes).
</Tip>
To disable seal wrapping, set `disable_sealwrap = true` in Vault's
[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's
root key will still be protected by the seal wrapping mechanism. It will
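Review bot: the new <Tip> is about key generation for the HSM seal, but it lands between a paragraph on HSM connection interruptions and the paragraph on `disable_sealwrap`, so a reader of "Enabling/Disabling" has no cue that it applies only when Vault is asked to create the seal key in the HSM (the PKCS#11 configuration the link at the end points to). Open the tip with that scope, e.g. "If you configure the PKCS#11 seal to have Vault generate its own key, ..." or move it to the seal configuration page it links to. "for security, Vault marks the key as non-exportable" would also be more useful if it named the consequence directly: the key cannot be backed up or migrated out of the HSM, so the decision has to be made before first unseal, not after. Verify the "#vault-key-generation-attributes" anchor on the pkcs11 page resolves.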