HashiCorp Certified: Vault Operations Professional 2022
Understand the Hardware Security Module (HSM) Integration
Section Overview
In this lesson, we’ll cover the key concepts of integrating a Hardware Security Module (HSM) with HashiCorp Vault. You’ll learn two primary features—Auto Unsealing and Seal Wrap—and understand how they enhance Vault’s security posture.
- Auto Unsealing with HSM: Enables Vault to decrypt its master key automatically using an HSM, eliminating manual unseal operations.
- Seal Wrap: Uses the HSM to wrap Vault’s storage encryption keys, adding an HSM-backed layer of protection to data at rest.
Note
HashiCorp does not provide an HSM for certification candidates. If you have access to an on-premises or cloud-based HSM, follow the official Vault PKCS#11 seal documentation to configure auto unsealing and seal wrap.
This section is concise—just enough to grasp the exam topics and real-world deployment considerations. Next, we’ll dive into how Auto Unsealing works under the hood.
Quick Comparison: Auto Unsealing vs. Seal Wrap
| Feature | Purpose | Typical Use Case |
|---|---|---|
| Auto Unsealing | Vault uses the HSM to decrypt its master key automatically | Zero-downtime recovery and streamlined operations |
| Seal Wrap | Wraps Vault’s data encryption keys inside the HSM’s secure boundary | Additional layer of storage encryption |
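To make the two features concrete, here is an added example of the server configuration the note above points you to: a Vault server file using the PKCS#11 seal for auto unsealing, with seal wrap left at its default. This is illustrative code written for this page, not configuration from the course or from HashiCorp; the library path, slot, PIN, key labels, data path, node name and hostnames are all assumed placeholders that you would replace with values from your HSM vendor's documentation and your own environment.

```hcl
# Added example: Vault server config with an HSM-backed (PKCS#11) seal.
# Every path, label, PIN and hostname below is a placeholder.

storage "raft" {
  path    = "/opt/vault/data"          # placeholder data directory
  node_id = "vault-1"                  # placeholder node name
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"   # placeholder certificate
  tls_key_file  = "/opt/vault/tls/vault.key"   # placeholder private key
}

# Auto Unsealing: Vault asks the HSM to decrypt the master key at startup,
# so no operator has to enter unseal key shares after a restart.
seal "pkcs11" {
  lib            = "/usr/vault/lib/libCryptoki2_64.so"  # vendor PKCS#11 library (placeholder path)
  slot           = "0"                                  # HSM slot holding the Vault keys
  pin            = "AAAA-BBBB-CCCC-DDDD"                # placeholder; prefer the VAULT_HSM_PIN env var
  key_label      = "vault-hsm-key"                      # AES key used to wrap the master key
  hmac_key_label = "vault-hsm-hmac-key"                 # HMAC key used to authenticate wrapped data
  generate_key   = "true"                               # create the keys on first start if absent
}

# Seal Wrap is enabled automatically when an HSM seal is configured.
# Setting the line below to true would turn it off for everything except
# the master key; keep it commented out to retain the extra protection.
# disable_sealwrap = true

api_addr     = "https://vault-1.example.internal:8200"   # placeholder hostname
cluster_addr = "https://vault-1.example.internal:8201"   # placeholder hostname
```

Keeping the PIN out of the file by exporting it in the `VAULT_HSM_PIN` environment variable means the configuration file itself carries no HSM credential. Beyond the keys Vault protects by default, an individual secrets engine can also have its stored data seal-wrapped by enabling it with `vault secrets enable -seal-wrap <type>`.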