diff --git a/website/source/docs/configuration/index.html.md b/website/source/docs/configuration/index.html.md index 8587d3051d..f36ca109aa 100644 --- a/website/source/docs/configuration/index.html.md +++ b/website/source/docs/configuration/index.html.md @@ -96,9 +96,9 @@ to specify where the configuration is. LimitMEMLOCK=infinity ``` -- `disable_sealwrap` `(bool: false)` – Disables using seal wrapping for any - value except the master key. If this value is toggled, the new behavior will - happen lazily (as values are read or written). +- `disable_sealwrap` `(bool: false)` – Disables using [seal wrapping][sealwrap] + for any value except the master key. If this value is toggled, the new + behavior will happen lazily (as values are read or written). - `plugin_directory` `(string: "")` – A directory from which plugins are allowed to be loaded. Vault must have permission to read files in this diff --git a/website/source/docs/enterprise/sealwrap/index.html.md b/website/source/docs/enterprise/sealwrap/index.html.md index 9a3425d204..e53e56e17d 100644 --- a/website/source/docs/enterprise/sealwrap/index.html.md +++ b/website/source/docs/enterprise/sealwrap/index.html.md 
@@ -20,21 +20,21 @@ sales](mailto:sales@hashicorp.com). ## Enabling/Disabling -Seal Wrapping is enabled by default on supporting seals. This implies that the -seal must be available throughout Vault's runtime. Most cloud-based seals -should be quite reliable, but, for instance, if using an HSM in a non-HA setup -a connection interruption to the HSM will result in issues with Vault +Seal Wrap is enabled by default on supporting seals. This implies that the seal +must be available throughout Vault's runtime. Most cloud-based seals should be +quite reliable, but, for instance, if using an HSM in a non-HA setup a +connection interruption to the HSM will result in issues with Vault functionality. To disable seal wrapping, set `disable_sealwrap = true` in Vault's -configuration file. This will not affect auto-unsealing functionality; Vault's +[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's master key will still be protected by the seal wrapping mechanism. It will simply prevent other storage entries within Vault from being seal wrapped. *N.B.*: This is a lazy downgrade; as keys are accessed or written their seal wrapping status will change. Similarly, if the flag is removed, it will be a -lazy upgrade (which is the case when initially upgrading to a Seal Wrap -supporting version of Vault). +lazy upgrade (which is the case when initially upgrading to a seal +wrap-supporting version of Vault). ## FIPS 140-2 Compliance @@ -106,3 +106,5 @@ replication traffic; in the meantime, a transparent TCP proxy that supports certified FIPS 140-2 TLS (such as [stunnel](https://www.stunnel.org/index.html)) can be used for replication traffic if meeting KeyTransit requirements for replication is necessary. + +[configuration]: /docs/configuration/index.html
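Review bot: In the `disable_sealwrap` hunk of website/source/docs/configuration/index.html.md, the new reference-style link `[seal wrapping][sealwrap]` has no matching `[sealwrap]:` definition added anywhere in this patch for that file. The only definition the patch adds is `[configuration]: /docs/configuration/index.html`, and it goes into the sealwrap page. Unless the `sealwrap` label is already defined elsewhere in the configuration page, the link will render as literal bracket text. Add a `[sealwrap]:` definition line at the end of the configuration page, in the same form as the `[configuration]:` line, pointing at the seal wrap page.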
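Review bot: In the Enabling/Disabling hunk of website/source/docs/enterprise/sealwrap/index.html.md, the feature name ends up in mixed forms. The first sentence becomes "Seal Wrap is enabled by default", the next paragraph still reads "To disable seal wrapping" and "seal wrapping mechanism", and the N.B. now says "seal wrap-supporting version", where the hyphen joins only "wrap" to "supporting" and the phrase is split across a line break. Pick one form and casing for the name and use it throughout the section. The added line `[configuration file][configuration]. This will not affect auto-unsealing functionality; Vault's` was also left unwrapped and runs well past the width of the neighbouring lines, so reflow that paragraph.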