Entropy augmentation allows enclaive vHSM to supplement its system entropy with entropy from an external cryptographic hardware security module. This is designed for environments where compliance with cryptographic regulations such as NIST SP 800-90B is required, or where augmented entropy from external sources—such as hardware true random number generators (TRNGs)—is used to replace or enhance system entropy.
Update the '/etc/vhsm/config' file and add the following contents:

```hcl
# Configure Seal with Utimaco u.trust GP HSM
seal "pkcs11" {
  lib            = "/opt/utimaco/lib/libcs_pkcs11_R3.so"
  slot           = "<slot_no.>"
  pin            = "<slot_PIN>"
  key_label      = "hsm_demo"
  hmac_key_label = "demo"
  generate_key   = "true"
  r3_config      = "/opt/utimaco/cs_pkcs11_r3.cfg"
}

ui            = true
disable_mlock = true

# Configure the storage backend
storage "file" {
  path = "/etc/vhsm/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

# vHSM configuration to use Utimaco u.trust GP HSM for entropy augmentation
entropy "seal" {
  mode = "augmentation"
}
```

Update '<slot_no.>' and '<slot_PIN>' according to your setup in section 2025-0002 Create SO User and Initialize a Slot. Note that the listener above accepts connections on every interface with TLS disabled, and 'disable_mlock = true' allows vHSM memory to be swapped to disk; both settings suit this local walkthrough, not a production deployment.
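As an added check that is not part of the enclaive documentation, the following Python script validates a config file of the shape shown above before the service is restarted. It parses only the subset of HCL this file uses (top-level assignments and one level of 'type "label" { ... }' stanzas), confirms that the 'entropy "seal"' stanza is set to 'augmentation' and that the pkcs11 seal it depends on has no '<placeholder>' values left, and flags the demo-only listener and mlock settings as warnings. The parser and the finding texts are the editor's own; SAMPLE_CONFIG is a constructed copy of the config above with fake slot and PIN values.

```python
import re

# Constructed sample: the config from this page with the placeholders filled
# with obviously fake values so the script runs offline.
SAMPLE_CONFIG = '''
# Configure Seal with Utimaco u.trust GP HSM
seal "pkcs11" {
  lib            = "/opt/utimaco/lib/libcs_pkcs11_R3.so"
  slot           = "0"
  pin            = "0000"
  key_label      = "hsm_demo"
  hmac_key_label = "demo"
  generate_key   = "true"
  r3_config      = "/opt/utimaco/cs_pkcs11_r3.cfg"
}
ui            = true
disable_mlock = true
storage "file" {
  path = "/etc/vhsm/data"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}
entropy "seal" {
  mode = "augmentation"
}
'''

STANZA_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*\{\s*$')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_config(text):
    """Parse the HCL subset used by this file. Comments are stripped, values
    lose their quotes, and the result is
    {"top": {key: value}, "stanzas": {(type, label): {key: value}}}."""
    top, stanzas, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '# ...' comments
        if not line:
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            stanzas[current] = {}
            continue
        if line == "}":
            current = None
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        (stanzas[current] if current else top)[m.group(1)] = m.group(2)
    return {"top": top, "stanzas": stanzas}


def check_entropy_config(cfg):
    """Return (level, message) findings. 'error' means entropy augmentation
    cannot work as described on this page; 'warning' marks settings that are
    acceptable for the local demo but not for a hardened deployment."""
    findings = []
    stanzas = cfg["stanzas"]
    if not any(typ == "seal" for typ, _ in stanzas):
        findings.append(("error", 'no seal stanza: entropy "seal" draws its entropy from the seal HSM'))
    entropy = stanzas.get(("entropy", "seal"))
    if entropy is None:
        findings.append(("error", 'missing entropy "seal" stanza'))
    elif entropy.get("mode") != "augmentation":
        findings.append(("error", f'entropy mode is {entropy.get("mode")!r}, expected "augmentation"'))
    pkcs11 = stanzas.get(("seal", "pkcs11"), {})
    for key in ("lib", "slot", "pin"):
        value = pkcs11.get(key, "")
        if not value or value.startswith("<"):
            findings.append(("error", f"seal pkcs11: {key} is unset or still a <placeholder>"))
    for (typ, label), body in stanzas.items():
        if typ == "listener" and body.get("tls_disable") == "true":
            findings.append(("warning", f"listener {label}: tls_disable = true sends tokens and plaintext unencrypted"))
    if cfg["top"].get("disable_mlock") == "true":
        findings.append(("warning", "disable_mlock = true lets secrets held in memory be swapped to disk"))
    return findings


if __name__ == "__main__":
    for level, message in check_entropy_config(parse_config(SAMPLE_CONFIG)):
        print(f"{level.upper():8} {message}")
```

Run it against the real file with 'parse_config(open("/etc/vhsm/config").read())'; any 'error' finding should be fixed before the restart in the next step, since a placeholder slot or PIN makes the pkcs11 seal fail to initialise.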
Save the config file, then restart the vHSM service.

```console
# docker restart <name-of-the-container>
```

Log in to vHSM using the initial Root token that you saved.

```console
# vhsm login <initial_root_token_value>
```

Execute the following command to enable the transit secrets engine with the external entropy source, using the '-external-entropy-access' flag.

```console
# vhsm secrets enable -external-entropy-access transit
```

List the enabled secrets engines with the '-detailed' flag.

```console
# vhsm secrets list -detailed
```

Note that External Entropy Access is set to true for transit.

You can now use the transit secrets engine to encrypt your sensitive data; it draws on the HSM as its external entropy source. Create a new encryption key named "orders".

```console
# vhsm write -f transit/keys/orders
```

Send a base64-encoded string to be encrypted by vHSM.

```console
# vhsm write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111")
```

Verify that you can decrypt, passing the ciphertext returned by the previous command (the value below is the one from this walkthrough; yours will differ).

```console
# vhsm write transit/decrypt/orders ciphertext=vault:v1:mBBYBUoICZ/igXKgkb9YPmWA+2b6upmZM1WqQEyiiyGa6aq6bpqn0Hfqxpi89aJ
```

Decode the returned plaintext to get the original value.

```console
# base64 --decode <<< NDExMSAxMTExIDExMTEgMTExMQo=
```
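The encrypt/decrypt steps above as a single round trip in Python, added here as an example and not enclaive's code. It assumes that vHSM exposes the Vault-compatible HTTP API ('/v1/<path>' with the token in an 'X-Vault-Token' header) on the listener configured earlier, which the 'vault:v1:' ciphertext prefix suggests; the 'vhsm_write' helper, the 'transit_roundtrip' function and the 'FakeTransit' stand-in are the editor's own, and 'FakeTransit' models only the request and response shape of the transit endpoints so the script runs offline. It also makes explicit what the CLI hides: transit takes and returns plaintext as base64, and 'base64 <<<' in the shell step encodes a trailing newline, which is why the decoded value on the page ends with one; encoding the bytes directly avoids that.

```python
import base64
import json
import secrets
import urllib.request


def vhsm_write(addr, token, path, data):
    """Equivalent of `vhsm write <path> key=value`: POST a JSON body to
    <addr>/v1/<path> with the token in X-Vault-Token (assumed Vault-compatible
    API). Returns the response's "data" object, or {} for an empty reply."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}",
        data=json.dumps(data).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body).get("data", {}) if body else {}


def transit_roundtrip(write, key_name, secret):
    """Create the transit key, encrypt `secret` (bytes) and decrypt it again.
    `write(path, data)` performs one API write. Transit takes and returns the
    plaintext as base64, so the bytes are encoded going in and decoded coming
    out. Returns (ciphertext, recovered_bytes)."""
    write(f"transit/keys/{key_name}", {})          # vhsm write -f transit/keys/<name>
    plaintext_b64 = base64.b64encode(secret).decode()   # no trailing newline, unlike `base64 <<<`
    ct = write(f"transit/encrypt/{key_name}", {"plaintext": plaintext_b64})["ciphertext"]
    # Ciphertext is "vault:v<key version>:<base64 blob>"; the version prefix is
    # what lets transit still decrypt after the key is rotated.
    if not ct.startswith("vault:v"):
        raise ValueError(f"unexpected ciphertext format: {ct[:12]!r}")
    out_b64 = write(f"transit/decrypt/{key_name}", {"ciphertext": ct})["plaintext"]
    return ct, base64.b64decode(out_b64)


class FakeTransit:
    """Constructed stand-in so this example runs offline. It mimics the shape
    of the transit endpoints (base64 plaintext in, vault:v1: ciphertext out,
    base64 plaintext back on decrypt) and nothing of their cryptography.
    Against a live server use functools.partial(vhsm_write, addr, token)."""

    def __init__(self):
        self.keys = set()
        self.table = {}   # ciphertext -> base64 plaintext

    def __call__(self, path, data):
        engine, op, name = path.split("/", 2)
        if engine != "transit":
            raise ValueError(f"not a transit path: {path}")
        if op == "keys":
            self.keys.add(name)
            return {}
        if name not in self.keys:
            raise KeyError(f"no such key: {name}")
        if op == "encrypt":
            base64.b64decode(data["plaintext"], validate=True)   # transit rejects non-base64 input
            ct = "vault:v1:" + secrets.token_urlsafe(24)
            self.table[ct] = data["plaintext"]
            return {"ciphertext": ct}
        if op == "decrypt":
            return {"plaintext": self.table[data["ciphertext"]]}
        raise ValueError(f"unsupported operation: {op}")


if __name__ == "__main__":
    # Offline run against the constructed stand-in; for a live vHSM replace
    # FakeTransit() with functools.partial(vhsm_write, "http://127.0.0.1:8200", token).
    ciphertext, recovered = transit_roundtrip(FakeTransit(), "orders", b"4111 1111 1111 1111")
    print(ciphertext)
    print(recovered.decode())
```

Against the listener from the config above the address is 'http://127.0.0.1:8200' (TLS is disabled there), and the token is the root token used in the login step; the stand-in is only there so the encode/decode handling can be exercised without a running service.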