Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Integration with CipherTrust Manager

Activating HashiCorp Vault Enterprise's HSM support

search
printsuggest an editpdf paneldownload

Activating HashiCorp Vault Enterprise's HSM support

HashiCorp Vault Enterprise's HSM support is activated by one of the following:

  • The presence of an hsm block in HashiCorp Vault's configuration file.

  • Values set in the VAULT_HSM_LIB and VAULT_HSM_TYPE environment variables.

The key of the hsm block is the type of HSM:

hsm "pkcs11" {
...
}

The type can also be set by the VAULT_HSM_TYPE environment variable. Currently, only pkcs11 is supported.

The following are the block directives and their effects. All parameters are strings.

copy link to clipboardRequired Directives

  • lib: Path to the PKCS#11 library shared object file. You can also specify this in VAULT_HSM_LIB environment variable.

  • slot: Slot number to be used. This should be specified as a string (for example, "0"). You can also specify this in VAULT_HSM_SLOT environment variable.

  • pin: Login PIN. You can also specify this in VAULT_HSM_PIN environment variable. If you set the PIN via the environment variable, HashiCorp Vault obfuscates the environment variable after reading it. In this case, you need to reset the environment variable, if HashiCorp Vault restarts.

  • key_label: Key label to be used. If key does not exist and generation is enabled, this is the label that will be allocated to the generated key. You can also specify this in VAULT_HSM_KEY_LABEL environment variable.

copy link to clipboardOptional Directive

  • mechanism: The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string.

    Note

    SafeNet ProtectApp PKCS#11 Provider does not support generate_key. Setting generate_key as "true" would lead to integration failure.

On this page