Your Vault deployments can gain the following benefits by enabling seal wrapping:
25
+
26
+
- Conformance with FIPS 140-2 directives on Key Storage and Key Transport as [certified by Leidos](/vault/docs/enterprise/sealwrap#fips-140-2-compliance)
27
+
- Supports FIPS level of security equal to HSM
28
+
- For example, if you use Level 3 hardware encryption on an HSM, Vault will be
29
+
using FIPS 140-2 Level 3 cryptography
30
+
- Enables Vault deployments in high security [GRC](https://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance)
31
+
environments (e.g. PCI-DSS, HIPAA) where FIPS guidelines important for external audits
32
+
- Pathway to use Vault for managing Department of Defense (DOD) or North
33
+
Atlantic Treaty Organization (NATO) military secrets
34
+
22
35
## Enabling/Disabling
23
36
24
37
Seal Wrap is enabled by default on supporting seals. This implies that the seal
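Review bot: the GRC bullet is missing a verb ("where FIPS guidelines important for external audits" should read "where FIPS guidelines are important for external audits"), and the HSM bullet overstates scope: "Vault will be using FIPS 140-2 Level 3 cryptography" reads as if all of Vault's cryptography inherits the HSM's level, while the first bullet in the same list limits the certified conformance to Key Storage and Key Transport. Suggest "Supports a FIPS level of security equal to that of the HSM" and qualifying the example to "Vault's key storage and transport will use FIPS 140-2 Level 3 cryptography". The DOD/NATO bullet ("Pathway to use Vault for managing ...") names no requirement that seal wrapping actually satisfies, so it should either cite one or be dropped from a list of technical benefits.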
@@ -27,6 +40,12 @@ quite reliable, but, for instance, if using an HSM in a non-HA setup a
27
40
connection interruption to the HSM will result in issues with Vault
28
41
functionality.
29
42
43
+
<Tip>
44
+
45
+
Having Vault generate its own key is the easiest way to get up and running, but for security, Vault marks the key as non-exportable. If your HSM key backup strategy requires the key to be exportable, you should generate the key yourself. Refer to the [key generation attributes](/vault/docs/configuration/seal/pkcs11#vault-key-generation-attributes).
46
+
47
+
</Tip>
48
+
30
49
To disable seal wrapping, set `disable_sealwrap = true` in Vault's
31
50
[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's
32
51
root key will still be protected by the seal wrapping mechanism. It will
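Review bot: the new <Tip> is inserted between the sentence ending "functionality." and the paragraph "To disable seal wrapping, set `disable_sealwrap = true`", so it interrupts the enable/disable discussion with guidance on HSM key generation that is not about seal wrapping itself. Suggest moving it next to the "Seal Wrap is enabled by default on supporting seals" paragraph, or onto the linked PKCS#11 seal page, and making its subject explicit: "Having Vault generate its own PKCS#11 seal key ..." rather than "its own key", since the surrounding text is about seal wrapping and the root key. It would also help to state inline which generation attribute "non-exportable" refers to, rather than relying only on the key generation attributes link, because a reader choosing an HSM backup strategy has to know this before the key is generated.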