Enable Entropy Augmentation

Entropy augmentation allows Vault Enterprise to supplement its system entropy with entropy from an external cryptographic module. It is intended for environments that must align with cryptographic standards such as NIST SP 800-90B, or that require entropy from an external source, such as a hardware true random number generator (TRNG), to be used in place of system entropy when generating critical security parameters (CSPs). In this procedure the external source is the same Utimaco HSM that already backs the PKCS#11 seal.

  1. Add the following to the /etc/vault/config.hcl file, replacing <slot_no.> and <slot_PIN> with the slot number and PIN of the HSM slot that holds the seal keys. The entropy stanza tells Vault to draw entropy from the PKCS#11 seal, so the seal must be configured in the same file. With generate_key = "true", Vault creates the seal keys under the given labels on first start if they do not already exist. On a production system avoid leaving the PIN in the file; the pkcs11 seal also reads it from the VAULT_HSM_PIN environment variable.

# Configure the seal with Utimaco SecurityServer (PKCS#11)
seal "pkcs11" {
  lib            = "/opt/utimaco/lib/libcs_pkcs11_R3.so"
  slot           = "<slot_no.>"
  pin            = "<slot_PIN>"
  key_label      = "hsm_demo"
  hmac_key_label = "demo"
  generate_key   = "true"
}

# Use the PKCS#11 seal's HSM as Vault's external entropy source
entropy "seal" {
  mode = "augmentation"
}

  2. Restart the Vault service so the new seal and entropy configuration is loaded.

# systemctl restart vault.service

  3. Log in to Vault using the initial root token saved earlier.

# vault login <initial_root_token_value>

  4. Enable the transit secrets engine with access to the external entropy source by passing the -external-entropy-access flag. This setting is chosen when the engine is mounted, so enable the engine with the flag rather than trying to add it afterwards.

# vault secrets enable -external-entropy-access transit
[Screenshot: Enable Entropy Augmentation]

  5. List the enabled secrets engines with the -detailed flag.

# vault secrets list -detailed

Confirm that the External Entropy Access column shows true for transit/. If it shows false, the engine was mounted without the flag and is using system entropy only.

[Screenshot: List Enabled Secrets Engines]

  6. You can now use the transit secrets engine to encrypt sensitive data; because it was mounted with external entropy access, key material it generates is derived using entropy from the HSM. Create a new encryption key named "orders".

# vault write -f transit/keys/orders
[Screenshot: New Encryption Key]

  7. Send a base64-encoded string to be encrypted by Vault. Transit expects the plaintext field to be base64; note that a here-string appends a newline, so the encoded value (and the plaintext returned on decrypt) ends with a newline character.

# vault write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111")
[Screenshot: Base64-encoded String]

  8. Verify that you can decrypt. Use the ciphertext returned by your own encrypt call in the previous step; the value below is the one from the screenshot and will not decrypt under your key. The "v1" in the ciphertext identifies the key version it was encrypted with.

# vault write transit/decrypt/orders ciphertext=vault:v1:mBBYBUoICZ/igXKgkb9YPmWA+2b6upmZM1WqQEyiiiyGa6aq6bpqn0Hfqxpi89aJ
[Screenshot: Test Decrypt Operation]

  9. The plaintext field returned by decrypt is base64-encoded; decode it to get the original data.

# base64 --decode <<< NDExMSAxMTExIDExMTEgMTExMQo=
4111 1111 1111 1111
[Screenshot: Decode Original Data]
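The following script is an added example and is not part of the original page or of HashiCorp's or Utimaco's own tooling. It collects steps 4 to 9 into a re-runnable check: it mounts transit with external entropy access if needed, verifies that the mount really has the flag before trusting it, and performs the encrypt/decrypt round trip while comparing the result byte for byte instead of reading it off the screen. It assumes the vault CLI is on PATH, VAULT_ADDR and VAULT_TOKEN are exported, and that reading sys/mounts/<mount> returns the mount's external_entropy_access field (as the sys/mounts API does). The MOUNT and KEY variables and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: steps 4-9 of the procedure as
# functions, with the checks a practitioner wants. Assumes the vault CLI is on
# PATH and VAULT_ADDR / VAULT_TOKEN are exported. MOUNT and KEY default to the
# values used on the page (hypothetical variable names chosen here).
set -eu

MOUNT="${MOUNT:-transit}"
KEY="${KEY:-orders}"

# Base64-encode a string without a trailing newline. The page's
# `base64 <<< "..."` also encodes the newline the here-string appends; printf
# avoids that, so the stored plaintext is exactly the bytes passed in.
encode_plaintext() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode the base64 plaintext that transit/decrypt returns.
decode_plaintext() {
  printf '%s' "$1" | base64 -d
}

# Given JSON from `vault read -format=json sys/mounts/<mount>`, succeed only
# if the mount was created with external entropy access. The flag is fixed at
# mount time, so this is the check to run right after `vault secrets enable`.
mount_has_external_entropy() {
  printf '%s' "$1" | grep -Eq '"external_entropy_access"[[:space:]]*:[[:space:]]*true'
}

# Key version embedded in a transit ciphertext ("vault:v1:..." -> 1); useful
# for confirming which key version protected a value after a rotation.
ciphertext_key_version() {
  printf '%s' "$1" | sed -En 's/^vault:v([0-9]+):.*/\1/p'
}

# Steps 4-9 from the page, with the round trip verified rather than eyeballed.
transit_roundtrip() {
  original="$1"

  # Step 4: mount transit with external entropy access (skip if already mounted).
  if ! vault secrets list -format=json | grep -q "\"$MOUNT/\""; then
    vault secrets enable -path="$MOUNT" -external-entropy-access transit
  fi

  # Step 5: refuse to continue if the mount is not HSM-backed after all.
  mount_json="$(vault read -format=json "sys/mounts/$MOUNT")"
  if ! mount_has_external_entropy "$mount_json"; then
    echo "ERROR: $MOUNT/ was mounted without external entropy access" >&2
    return 1
  fi

  # Step 6: create the key (a no-op if it already exists).
  vault write -f "$MOUNT/keys/$KEY" >/dev/null

  # Step 7: encrypt, keeping only the ciphertext field.
  ciphertext="$(vault write -field=ciphertext "$MOUNT/encrypt/$KEY" \
      plaintext="$(encode_plaintext "$original")")"

  # Steps 8-9: decrypt, decode, and compare with the input.
  decoded="$(decode_plaintext "$(vault write -field=plaintext \
      "$MOUNT/decrypt/$KEY" ciphertext="$ciphertext")")"
  if [ "$decoded" != "$original" ]; then
    echo "ERROR: round trip mismatch for $MOUNT/$KEY" >&2
    return 1
  fi
  echo "OK: key version $(ciphertext_key_version "$ciphertext"), ciphertext $ciphertext"
}

# Only talk to Vault when invoked as `sh entropy_check.sh run`, so the helper
# functions can be sourced and checked without a live server.
if [ "${1:-}" = "run" ]; then
  transit_roundtrip "4111 1111 1111 1111"
fi
```

Run it as `sh entropy_check.sh run` after step 3; it exits non-zero if the transit mount lacks external entropy access or if the decrypted value differs from the input, which makes it suitable as a post-deployment check.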