Activating HashiCorp Vault Enterprise's HSM support
HashiCorp Vault Enterprise's HSM support is activated by one of the following:

The presence of an hsm block in HashiCorp Vault's configuration file.

Values set in the VAULT_HSM_LIB and VAULT_HSM_TYPE environment variables.
The key of the hsm block is the type of HSM:
hsm "pkcs11" {
...
}
The type can also be set by the VAULT_HSM_TYPE environment variable. Currently, only pkcs11 is supported.
The following are the block directives and their effects. All parameters are strings.
Required Directives
lib: Path to the PKCS#11 library shared object file. You can also specify this in the VAULT_HSM_LIB environment variable.

slot: Slot number to be used. This should be specified as a string (for example, "0"). You can also specify this in the VAULT_HSM_SLOT environment variable.

pin: Login PIN. You can also specify this in the VAULT_HSM_PIN environment variable. If you set the PIN via the environment variable, HashiCorp Vault obfuscates the environment variable after reading it. In this case, you need to set the environment variable again if HashiCorp Vault restarts.

key_label: Key label to be used. If the key does not exist and generation is enabled, this is the label that will be allocated to the generated key. You can also specify this in the VAULT_HSM_KEY_LABEL environment variable.
Optional Directive
mechanism: The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string.

Note

SafeNet ProtectApp PKCS#11 Provider does not support generate_key. Setting generate_key as "true" would lead to integration failure.
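A complete hsm block that uses every directive described above, added here as an example and not taken from the HashiCorp documentation. The library path, slot, key label and mechanism value are assumed sample values to be replaced with the ones your HSM vendor documents.

```hcl
# Added example of a complete hsm block for HashiCorp Vault Enterprise.
# All values below are assumed samples; every directive is a string.
hsm "pkcs11" {
  # Path to the vendor's PKCS#11 shared object (env: VAULT_HSM_LIB).
  # A SoftHSM path is shown as an assumed example.
  lib       = "/usr/lib/softhsm/libsofthsm2.so"

  # Slot number, quoted because all parameters are strings (env: VAULT_HSM_SLOT).
  slot      = "0"

  # Label of the key to use, or the label the generated key gets when
  # key generation is enabled (env: VAULT_HSM_KEY_LABEL).
  key_label = "vault-hsm-key"

  # Optional: mechanism as a decimal or 0x-prefixed hexadecimal string.
  # 0x1085 is CKM_AES_CBC_PAD in the PKCS#11 specification; whether your
  # provider supports it is an assumption you must verify against its docs.
  mechanism = "0x1085"

  # Login PIN. Deliberately left out of the file: supplying it through the
  # VAULT_HSM_PIN environment variable keeps it off disk. Vault obfuscates
  # that variable after reading it, so whatever starts Vault must set it
  # again on every restart.
  # pin = "changeme"
}
```

With the pin line omitted, start Vault with VAULT_HSM_PIN exported in its environment; the remaining directives can likewise be moved to VAULT_HSM_LIB, VAULT_HSM_SLOT and VAULT_HSM_KEY_LABEL if you prefer an environment-only configuration.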