Skip to main content
HashiCorp Vault encrypts data at rest with AES-256, but seal wrapping adds a second layer of encryption using an HSM for FIPS 140-2 compliance. This “double encryption” ensures data is encrypted first by Vault’s master key, then again by the HSM’s key.
As of Vault 1.10.3, HashiCorp publishes FIPS-certified binaries suffixed with -fips that do not require an HSM.
The image explains "Seal Wrapping," a method for providing double encryption and FIPS 140-2 compliance by integrating with an HSM, allowing Vault to be used in high-security environments. It also notes that HashiCorp offers Vault binaries for FIPS compliance without HSM integration starting from version 1.10.3.

What Is Seal Wrapping?

Seal wrapping encrypts Vault’s ciphertext a second time with HSM-managed keys, enabling Vault in high-security environments (PCI, HIPAA, DoD, NATO). By combining:
  • AES-256 encryption by Vault’s master key
  • Secondary HSM encryption
Vault achieves FIPS 140-2 Level 3 compliance when paired with a Level 3 HSM.

Default Seal-Wrapped Data

Vault seal-wraps the most sensitive assets by default:
The image is a slide titled "What is Seal Wrapped by Default?" listing items such as Recovery Key, Any stored key shares, The root key, and The keyring. It includes a Vault certification badge.
ResourceDescription
Recovery KeyMaster recovery key shares
Stored SharesAll encrypted key shares
Root KeyPrimary root token key
KeyringInternal cryptographic keyring

Configuring Seal Wrapping

Seal wrapping is on by default for supported HSM seals. To disable it (trading security for a slight performance boost): 
# vault.hcl
disable_sealwrap = true
Disabling seal wrapping reduces your security posture. Only disable if HSM double-encryption is not required.
The image is a slide discussing enabling seal wrapping in Vault, with bullet points explaining its default status, configuration options, and benefits for backend mounts. It includes a Vault certification badge and a cartoon character illustration.

Enabling Seal Wrapping on a Secrets Engine

When mounting a secrets engine, enable HSM seal wrapping with -seal-wrap (CLI) or seal_wrap = true (HCL): 
# Enable KV secrets engine with HSM seal wrapping
vault secrets enable -seal-wrap kv

# Verify enabled secrets engines
vault secrets list -detailed
PathPluginSeal Wrap
cubbyhole/cubbyholefalse
identity/identityfalse
kv/kvtrue

Conclusion

Seal wrapping is key for high-security Vault deployments requiring FIPS 140-2 Level 3 compliance with an HSM or when using HashiCorp’s FIPS-certified binaries. It ensures that Vault’s most critical secrets remain protected under dual encryption.

References

Watch Video