Be a bit more explicit about the need for two seals. (#23553)

* Be a bit more explicit about the need for two seals

* Add a mixture note
Scott Miller 2023-10-06 11:29:17 -05:00 committed by GitHub
parent 5bf40c6e2d
commit ebef296c30
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 3 deletions


@ -324,12 +324,17 @@ be used in production deployments of Vault.
Seal High Availability (Seal HA) allows the configuration of more than one auto
seal mechanism such that Vault can tolerate the temporary loss of a seal service
or device for a time. With Seal HA Vault can also start up and unseal if one of the
or device for a time. With Seal HA configured with at least two and no more than
three auto seals, Vault can also start up and unseal if one of the
configured seals is still available (though Vault will remain in a degraded mode in
this case). While seals are unavailable, seal wrapping and entropy augmentation can
still occur using the remaining seals, and values produced while a seal is down will
be re-wrapped with all the seals when all seals become healthy again.
An operator should choose two seals that are unlikely to become unavailable at the
same time. For example, they may choose KMS keys in two cloud regions, from
two different providers; or a mix of HSM, KMS, or Transit seals.
When an operator configures an additional seal or removes a seal (one at a time)
and restarts Vault, Vault will automatically detect that it needs to re-wrap
CSPs and seal wrapped values, and will start the process. Seal re-wrapping can
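Review bot: The added sentence "An operator should choose two seals that are unlikely to become unavailable at the same time" fixes the count at two, while the rewritten line just above it allows "at least two and no more than three auto seals"; saying "two or three seals" (or simply "seals") keeps the guidance valid for a three-seal setup. The example "KMS keys in two cloud regions, from two different providers" also reads as one option that requires both conditions, whereas two regions of one provider or two providers are presumably each acceptable on their own; "KMS keys in two cloud regions or from two different providers; or a mix of HSM, KMS and Transit seals" would make that explicit. Minor: this file writes "auto seals" while the second hunk in the same commit writes "auto-seals".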


@ -12,8 +12,8 @@ description: |-
@include 'alerts/beta.mdx'
[Seal High Availability](/vault/docs/concepts/seal#seal-high-availability-enterprise-beta)
is the ability to configure more than one seal in order to have resilience against
outage of a seal service or mechanism.
provides the means to configure at least two auto-seals (and no more than three)
in order to have resilience against outage of a seal service or mechanism.
Using Seal HA involves configuring extra seals in Vault's server configuration file
and restarting Vault, after having enabled the Seal HA beta feature by setting
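Review bot: "at least two auto-seals (and no more than three)" is hyphenated here but the concepts page hunk in this same commit spells it "auto seals"; settle on one form for both pages. Narrowing "more than one seal" to "auto-seals" is the right correction, since the concepts page already describes Seal HA as "more than one auto seal mechanism", so the two pages now agree on scope; it would also read more directly as "at least two and no more than three auto-seals", matching the phrasing used in the concepts hunk, rather than splitting the upper bound into a parenthetical.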