In this lesson, we’ll cover the key concepts of integrating a Hardware Security Module (HSM) with HashiCorp Vault. You’ll learn two primary features—Auto Unsealing and Seal Wrap—and understand how they enhance Vault’s security posture.
  • Auto Unsealing with HSM: Enables Vault to decrypt its master key automatically using an HSM, eliminating manual unseal operations.
  • Seal Wrap: Leverages the HSM to wrap and protect Vault’s storage encryption keys, ensuring data-at-rest remains secure.
HashiCorp does not provide an HSM for certification candidates. If you have access to an on-premises or cloud-based HSM, follow the official Vault PKCS#11 seal documentation to configure auto unsealing and seal wrap.
This section is concise—just enough to grasp the exam topics and real-world deployment considerations. Next, we’ll dive into how Auto Unsealing works under the hood.

Quick Comparison: Auto Unsealing vs. Seal Wrap

| Feature | Purpose | Typical Use Case |
|---|---|---|
| Auto Unsealing | Vault uses HSM to decrypt its master key automatically | Zero-downtime recovery and streamlined ops |
| Seal Wrap | Wraps Vault’s data encryption keys inside the HSM’s secure boundary | Additional layer of storage encryption |
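
A server configuration sketch covering both features compared above, added here as an illustration and not taken from the lesson or from HashiCorp's documentation. It assumes Vault Enterprise (which provides the PKCS#11 seal); the library path, slot and key labels are placeholders, and the PIN is supplied through the `VAULT_HSM_PIN` environment variable instead of being written to the file.

```hcl
# Added example: every value below is a placeholder to adapt to your HSM.

# Auto unseal: at startup Vault asks the HSM, over PKCS#11, to decrypt
# its master key, so no operator has to enter unseal key shares.
seal "pkcs11" {
  lib            = "/usr/lib/pkcs11/vendor-pkcs11.so" # placeholder: vendor PKCS#11 library
  slot           = "0"                                # placeholder: HSM slot number
  key_label      = "vault-hsm-key"                    # placeholder: encryption key label
  hmac_key_label = "vault-hsm-hmac-key"               # placeholder: HMAC key label

  # Fail at initialization if the labelled key is missing, rather than
  # letting Vault create one that nobody provisioned or backed up.
  generate_key = "false"

  # Weak: a PIN stored here is readable by anyone who can read this file
  # or a backup of it.
  # pin = "placeholder-pin"
  #
  # Preferred: omit `pin` and export VAULT_HSM_PIN in the service's
  # environment (for example a root-only systemd environment file).
}

# Seal wrap: enabled by default once a seal that supports it is configured.
# Leaving this false keeps the extra HSM-backed layer on; setting it to true
# turns seal wrapping off for everything except the master key.
disable_sealwrap = false

# Seal wrapping for a secrets engine's stored values is opted into per mount
# when the mount is created, for example:
#   vault secrets enable -seal-wrap kv
```

With this layout, file permissions on the configuration no longer guard the HSM PIN, but the environment source that sets `VAULT_HSM_PIN` must be restricted to the Vault service account.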