Commit

backport of commit bd35966 (#22662)
Co-authored-by: Sarah Chavis <[email protected]>
1 parent 978ee87 commit 7875651
Showing 9 changed files with 89 additions and 16 deletions.
9 changes: 4 additions & 5 deletions website/content/docs/concepts/seal.mdx
Expand Up @@ -85,11 +85,6 @@ access to the root key shares.

## Auto unseal

-> **Note:** The Seal Wrap functionality is enabled by default. For this
reason, the seal provider (HSM or cloud KMS) must be available throughout
Vault's runtime and not just during the unseal process. Refer to the [Seal
Wrap](/vault/docs/enterprise/sealwrap) documentation for more information.

Auto Unseal was developed to aid in reducing the operational complexity of
keeping the unseal key secure. This feature delegates the responsibility of
securing the unseal key from users to a trusted device or service. At startup
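Review bot: the deleted blockquote under `## Auto unseal` carried an operational requirement, that the seal provider (HSM or cloud KMS) must be reachable for the whole of Vault's runtime and not only while unsealing, and nothing in this hunk restates it. If the intent is only to move the Enterprise qualifier, keep that requirement somewhere in the concepts page; an operator who reads only this page would otherwise assume the KMS is needed at startup alone.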
Expand Down Expand Up @@ -175,6 +170,10 @@ authorized by meeting the threshold of recovery keys. After rekeying, the new
barrier key is wrapped by the HSM or KMS and stored like the previous key; it is not
returned to the users that submitted their recovery keys.

<EnterpriseAlert product="vault">
Seal wrapping requires Vault Enterprise
</EnterpriseAlert>

#### Recovery key

The recovery key can be rekeyed to change the number of shares/threshold or to
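Review bot: the new `<EnterpriseAlert>` sits between the paragraph on rekeying the barrier key and the `#### Recovery key` heading, so it reads as a qualifier on rekeying rather than on seal wrapping, and its one-line body drops the runtime-availability statement that the other files in this commit keep in their `<Note>`. Consider placing it next to the first mention of seal wrapping and using the same `<Note title="Seal wrapping requires Vault Enterprise">` block, including the "must be available at runtime and not just during the unseal process" sentence, for consistency across the seal pages.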
12 changes: 11 additions & 1 deletion website/content/docs/configuration/seal/alicloudkms.mdx
Expand Up @@ -10,7 +10,17 @@ description: >-

# `alicloudkms` seal

-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/vault/docs/enterprise/sealwrap) documenation for more information.
<Note title="Seal wrapping requires Vault Enterprise">

All Vault versions support **auto-unseal** for AliCloud, but **seal wrapping**
requires Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>


The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism.
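Review bot: two consecutive blank lines are left between `</Note>` and "The AliCloud KMS seal configures Vault..."; the sibling seal pages in this commit leave one. Drop one of them. The replacement otherwise correctly fixes the "documenation" typo from the removed line.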
12 changes: 11 additions & 1 deletion website/content/docs/configuration/seal/awskms.mdx
Expand Up @@ -8,7 +8,17 @@ description: |-

# `awskms` seal

-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/vault/docs/enterprise/sealwrap) documenation for more information.
<Note title="Seal wrapping requires Vault Enterprise">

All Vault versions support **auto-unseal** for AWS, but **seal wrapping**
requires Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>

The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism.
The AWS KMS seal is activated by one of the following:
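Review bot: "**auto-unseal** for AWS" in the new note is looser than the rest of the page, which consistently says "AWS KMS" ("The AWS KMS seal configures Vault to use AWS KMS as the seal wrapping mechanism."). Say "for AWS KMS" so the note names the same service as the body and the `awskms` heading.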
12 changes: 11 additions & 1 deletion website/content/docs/configuration/seal/azurekeyvault.mdx
Expand Up @@ -10,7 +10,17 @@ description: >-

# `azurekeyvault` seal

-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/vault/docs/enterprise/sealwrap) documenation for more information.
<Note title="Seal wrapping requires Vault Enterprise">

All Vault versions support **auto-unseal** for Azure Key Vault, but
**seal wrapping** requires Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>

The Azure Key Vault seal configures Vault to use Azure Key Vault as the seal
wrapping mechanism. The Azure Key Vault seal is activated by one of the following:
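Review bot: the note's second paragraph says "the KMS service must be available at runtime", but this page is about Azure Key Vault, and the body below never calls it a KMS ("configures Vault to use Azure Key Vault as the seal wrapping mechanism"). The sentence appears copied from the KMS pages; change it to "the Key Vault service must be available at runtime" so the availability requirement names the right dependency.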
12 changes: 11 additions & 1 deletion website/content/docs/configuration/seal/gcpckms.mdx
Expand Up @@ -10,7 +10,17 @@ description: >-

# `gcpckms` seal

-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/vault/docs/enterprise/sealwrap) documenation for more information.
<Note title="Seal wrapping requires Vault Enterprise">

All Vault versions support **auto-unseal** for GCP Cloud, but **seal wrapping**
requires Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>

The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS as the seal
wrapping mechanism. The GCP Cloud KMS seal is activated by one of the following:
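Review bot: "**auto-unseal** for GCP Cloud" is incomplete; the heading and the body both say "GCP Cloud KMS" ("The GCP Cloud KMS seal configures Vault to use GCP Cloud KMS"). Change it to "for GCP Cloud KMS".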
11 changes: 6 additions & 5 deletions website/content/docs/configuration/seal/index.mdx
Expand Up @@ -14,12 +14,13 @@ root key. This stanza is optional, and in the case of the root key, Vault
will use the Shamir algorithm to cryptographically split the root key if this
is not configured.

As of Vault 0.9.0, the seal can also be used for [seal wrapping][sealwrap] to
add an extra layer of protection and satisfy compliance and regulatory requirements.
This feature is only available in Vault Enterprise.
## Seal wrapping <EnterpriseAlert inline="true" product="vault" />

For more examples, please choose a specific auto unsealing technology from the
sidebar.
The seal can also be used for seal wrapping to add an extra layer of protection
and satisfy compliance and regulatory requirements.

Seal wrap is enabled by default for Vault Enterprise. Refer to the
[Seal wrap](/vault/docs/enterprise/sealwrap) overview for more information.

## Configuration

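Review bot: the removed paragraph was the only visible use of the reference-style link `[sealwrap]`; if a `[sealwrap]:` link definition remains further down in index.mdx it is now an orphan and should be removed in the same change. Separately, "For more examples, please choose a specific auto unsealing technology from the sidebar." is deleted with no replacement even though it was not about seal wrapping; confirm that deletion is intended, or move the sentence under `## Configuration`.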
12 changes: 11 additions & 1 deletion website/content/docs/configuration/seal/ocikms.mdx
Expand Up @@ -8,7 +8,17 @@ description: |-

# `ocikms` seal

-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, the KMS service must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/vault/docs/enterprise/sealwrap) documenation for more information.
<Note title="Seal wrapping requires Vault Enterprise">

All Vault versions support **auto-unseal** for OCI KMS, but **seal wrapping**
requires Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>

The OCI KMS seal configures Vault to use OCI KMS as the seal wrapping mechanism.
The OCI KMS seal is activated by one of the following:
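Review bot: this is the fifth near-verbatim copy of the same two-paragraph `<Note>` body in this commit (alicloudkms, awskms, azurekeyvault, gcpckms, ocikms, with pkcs11 and transit following), differing only in the provider name, and the copies have already drifted: the "KMS service" wording is carried unchanged onto the Azure Key Vault, PKCS11 and Transit pages where it names the wrong dependency. If the docs toolchain supports shared partials, factor the common body into one include parameterised by provider name so a future wording change lands in one place.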
12 changes: 11 additions & 1 deletion website/content/docs/configuration/seal/pkcs11.mdx
Expand Up @@ -8,7 +8,17 @@ description: |-

# `pkcs11` seal

-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, HSM must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/vault/docs/enterprise/sealwrap) documentation for more information.

<Note title="Auto-unseal and seal wrapping requires Vault Enterprise">

Auto-unseal **and** seal wrapping for PKCS11 require Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>

The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping
mechanism. Vault Enterprise's HSM PKCS11 support is activated by one of the
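Review bot: the replacement note says "the KMS service must be available at runtime", but the line it replaces said "HSM must be available", and the body below describes "an HSM with PKCS11"; there is no KMS service in the PKCS11 seal, so the sentence now names the wrong dependency. Restore "the HSM must be available at runtime and not just during the unseal process". Also, the title "Auto-unseal and seal wrapping requires Vault Enterprise" needs the plural "require" (the body sentence gets this right).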
13 changes: 13 additions & 0 deletions website/content/docs/configuration/seal/transit.mdx
Expand Up @@ -8,6 +8,19 @@ description: |-

# `transit` seal


<Note title="Seal wrap functionality requires Vault Enterprise">

All Vault versions support **auto-unseal** for Transit, but **seal wrapping**
requires Vault Enterprise.

Vault Enterprise enables seal wrapping by default, which means the KMS service
must be available at runtime and not just during the unseal process. Refer to
the [Seal wrap](/vault/docs/enterprise/sealwrap) overview for more
information.

</Note>

The Transit seal configures Vault to use Vault's Transit Secret Engine as the
autoseal mechanism.
The Transit seal is activated by one of the following:
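Review bot: the added note says "the KMS service must be available at runtime", but the transit seal's dependency is the Transit secrets engine on the other Vault cluster ("configures Vault to use Vault's Transit Secret Engine as the autoseal mechanism"), not a KMS service; reword to name the Transit engine. Two smaller points: the title "Seal wrap functionality requires Vault Enterprise" differs from the "Seal wrapping requires Vault Enterprise" title used on the other seal pages in this commit, and there are two blank lines between the `# \`transit\` seal` heading and the `<Note>` where the siblings have one.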