HashiCorp Certified: Vault Operations Professional 2022

Understand the Hardware Security Module (HSM) Integration

Benefits and Use Cases of Seal Wrapping

HashiCorp Vault encrypts data at rest with AES-256, but seal wrapping adds a second layer of encryption using an HSM for FIPS 140-2 compliance. This “double encryption” ensures data is encrypted first by Vault’s master key, then again by the HSM’s key.

FIPS Certified Binaries

As of Vault 1.10.3, HashiCorp publishes FIPS-certified binaries suffixed with -fips that do not require an HSM.

[Slide: Seal Wrapping, double encryption and FIPS 140-2 compliance through HSM integration; FIPS-compliant Vault binaries available without an HSM from version 1.10.3.]

What Is Seal Wrapping?

Seal wrapping encrypts Vault’s ciphertext a second time with HSM-managed keys, enabling Vault in high-security environments (PCI, HIPAA, DoD, NATO).

By combining:

  • AES-256 encryption by Vault’s master key
  • Secondary HSM encryption

Vault achieves FIPS 140-2 Level 3 compliance when paired with a Level 3 HSM.

Default Seal-Wrapped Data

Vault seal-wraps the most sensitive assets by default:

[Slide: What is Seal Wrapped by Default? Recovery Key, any stored key shares, the root key, the keyring.]

Resource         Description
Recovery Key     Master recovery key shares
Stored Shares    All encrypted key shares
Root Key         Primary root token key
Keyring          Internal cryptographic keyring

Configuring Seal Wrapping

Seal wrapping is on by default for supported HSM seals. To disable it (trading security for a slight performance boost):

# vault.hcl
disable_sealwrap = true

Warning

Disabling seal wrapping reduces your security posture. Only disable if HSM double-encryption is not required.

[Slide: Enabling seal wrapping: default status, configuration options, and benefits for backend mounts.]

Enabling Seal Wrapping on a Secrets Engine

When mounting a secrets engine, enable HSM seal wrapping with -seal-wrap (CLI) or seal_wrap = true (HCL):

# Enable KV secrets engine with HSM seal wrapping
vault secrets enable -seal-wrap kv
# Verify enabled secrets engines
vault secrets list -detailed
Path          Plugin       Seal Wrap
cubbyhole/    cubbyhole    false
identity/     identity     false
kv/           kv           true
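The two configuration points above (the server-level disable_sealwrap setting and the per-mount seal_wrap flag) are easy to verify during an operations review. The following script is an added example for these notes, not HashiCorp's code: it checks a vault.hcl text for an explicit disable_sealwrap = true and scans the JSON form of vault secrets list -format=json for sensitive secrets engines mounted without seal wrap. It assumes the JSON output maps each mount path to an object carrying type and seal_wrap fields (as the sys/mounts API returns); the list of engine types treated as "sensitive" and the sample inputs are constructed for illustration.

```python
"""Audit Vault seal-wrap posture from a server config file and the JSON
output of `vault secrets list -format=json`.

Added example for these course notes, not HashiCorp's own code. Assumptions:
each mount entry in the JSON carries a boolean `seal_wrap` and a string
`type`, and the HCL config uses a top-level `disable_sealwrap = <bool>`
attribute exactly as the notes show.
"""
import json
import re
from typing import Dict, List

# Engine types we expect to be seal-wrapped in a high-security deployment.
# Which engines must be wrapped is a site policy decision; this set is an
# illustrative assumption, not a HashiCorp requirement.
SENSITIVE_ENGINE_TYPES = {"kv", "transit", "pki", "database"}

# Mounts Vault manages itself; they are skipped by the mount audit.
BUILTIN_MOUNT_TYPES = {"cubbyhole", "identity", "system"}

# Matches an uncommented top-level `disable_sealwrap = true|false` line.
_DISABLE_RE = re.compile(
    r"^\s*disable_sealwrap\s*=\s*(true|false)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def sealwrap_disabled_in_config(hcl_text: str) -> bool:
    """True only if the server config explicitly sets disable_sealwrap = true.

    An absent setting means the default (seal wrapping enabled)."""
    match = _DISABLE_RE.search(hcl_text)
    return bool(match) and match.group(1).lower() == "true"


def unwrapped_sensitive_mounts(mounts_json: str) -> List[str]:
    """Return paths of sensitive secrets engines mounted without seal wrap."""
    mounts = json.loads(mounts_json)
    findings = []
    for path, info in sorted(mounts.items()):
        engine_type = info.get("type", "")
        if engine_type in BUILTIN_MOUNT_TYPES:
            continue
        if engine_type in SENSITIVE_ENGINE_TYPES and not info.get("seal_wrap", False):
            findings.append(path)
    return findings


def audit(hcl_text: str, mounts_json: str) -> Dict[str, object]:
    """Combine both checks into one report."""
    return {
        "sealwrap_disabled": sealwrap_disabled_in_config(hcl_text),
        "unwrapped_mounts": unwrapped_sensitive_mounts(mounts_json),
    }


# Constructed sample vault.hcl; all seal values are placeholders.
SAMPLE_HCL = """
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
}

seal "pkcs11" {
  lib            = "/usr/lib/softhsm/libsofthsm2.so"
  slot           = "0"
  pin            = "PLACEHOLDER-PIN"
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"
}
# Seal wrapping is left at its default (enabled); the attribute is not set.
"""

# Constructed sample mimicking `vault secrets list -format=json`:
# kv/ was mounted with -seal-wrap, secret/ was not.
SAMPLE_MOUNTS = json.dumps({
    "cubbyhole/": {"type": "cubbyhole", "seal_wrap": False},
    "identity/": {"type": "identity", "seal_wrap": False},
    "kv/": {"type": "kv", "seal_wrap": True},
    "secret/": {"type": "kv", "seal_wrap": False},
    "sys/": {"type": "system", "seal_wrap": False},
})

if __name__ == "__main__":
    report = audit(SAMPLE_HCL, SAMPLE_MOUNTS)
    print(json.dumps(report, indent=2))
    # Expected: sealwrap_disabled false, unwrapped_mounts ["secret/"]
```

In practice you would feed the script the real config file and the output of vault secrets list -format=json captured from the cluster; a non-empty unwrapped_mounts list is a prompt to remount the engine with -seal-wrap (the flag is set at mount time), and a true sealwrap_disabled is the condition the Warning above describes.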

Conclusion

Seal wrapping is key for high-security Vault deployments requiring FIPS 140-2 Level 3 compliance with an HSM or when using HashiCorp’s FIPS-certified binaries. It ensures that Vault’s most critical secrets remain protected under dual encryption.
