HashiCorp Certified: Vault Operations Professional 2022

Understand the Hardware Security Module (HSM) Integration

Section Overview

In this lesson, we’ll cover the key concepts of integrating a Hardware Security Module (HSM) with HashiCorp Vault. You’ll learn two primary features—Auto Unsealing and Seal Wrap—and understand how they enhance Vault’s security posture.

  • Auto Unsealing with HSM: Enables Vault to decrypt its master key automatically using an HSM, eliminating manual unseal operations.
  • Seal Wrap: Leverages the HSM to wrap and protect Vault’s storage encryption keys, ensuring data-at-rest remains secure.

Note

HashiCorp does not provide an HSM for certification candidates. If you have access to an on-premises or cloud-based HSM, follow the official Vault PKCS#11 seal documentation to configure auto unsealing and seal wrap.
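A minimal `seal "pkcs11"` stanza of the kind that documentation describes, as an added example that is not part of the lesson. The library path, slot and key labels are placeholders, and the PIN is deliberately kept out of the file.

```hcl
# Added example (Vault Enterprise server config). All values are constructed
# placeholders; substitute the ones issued for your own HSM.

# Auto unseal: at startup Vault asks the HSM, over PKCS#11, to decrypt its
# master key, so no operator has to enter unseal key shares.
seal "pkcs11" {
  # Vendor PKCS#11 shared library (placeholder path).
  lib            = "/usr/lib/example-hsm/libpkcs11.so"

  # HSM slot that holds the keys (placeholder value).
  slot           = "0"

  # Labels of the encryption key and the HMAC key inside the HSM (placeholders).
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"

  # Let Vault create the two keys on first start if the labels do not exist.
  generate_key   = "true"

  # Weak setting: a PIN written here is readable by anyone who can read the
  # config file or its backups.
  # pin = "<hsm-pin>"
  #
  # Preferred: omit `pin` and supply it through the VAULT_HSM_PIN environment
  # variable of the Vault service, sourced from a file only root can read.
}

# Seal Wrap: with an HSM-backed seal, Vault seal-wraps its own critical values
# by default. Setting the option below to true would turn that extra layer off,
# so leave it at false (the default).
disable_sealwrap = false

# Seal wrapping for a secrets engine is chosen per mount when it is enabled:
#   vault secrets enable -seal-wrap kv
```

After a restart, `vault status` reports the seal type as `pkcs11`, which confirms the HSM seal is in use.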


This section is concise—just enough to grasp the exam topics and real-world deployment considerations. Next, we’ll dive into how Auto Unsealing works under the hood.


Quick Comparison: Auto Unsealing vs. Seal Wrap

| Feature | Purpose | Typical Use Case |
| --- | --- | --- |
| Auto Unsealing | Vault uses HSM to decrypt its master key automatically | Zero-downtime recovery and streamlined ops |
| Seal Wrap | Wraps Vault’s data encryption keys inside the HSM’s secure boundary | Additional layer of storage encryption |
