Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Integration with CipherTrust Manager

Configuring the HashiCorp Vault Server

search
printsuggest an edit

Configuring the HashiCorp Vault Server

A HashiCorp Vault server is configured using a configuration file. You need to manually create this file at a location on your client's machine. For example, /root/Vault.hcl).

The format of the configuration file can be HCL or JSON.

copy link to clipboardConfiguration Parameters

Set the following parameters in the configuration file:

  • storage (StorageBackend: <required>): Configures the storage backend where HashiCorp Vault data is stored. Refer to the storage backend documentation for the full list of the available storage backends.

    Running HashiCorp Vault in the HA mode requires coordination semantics to be supported by the backend. If the storage backend supports HA coordination, HA backend options can also be specified in this parameter block. If not, a separate ha_storage parameter should be configured with a backend that supports HA, with corresponding HA options.

  • listener (Listener: <required>): Configures how HashiCorp Vault listens for the API requests.

  • hsm (pkcs 11) parameters:

    • lib (string: <required>): Specifies the path to the PKCS#11 library.

    • slot (string: <slot or token label required>): Specify the slot number to use.

    • pin (string: <required>): Credential for HashiCorp Vault user created on the CipherTrust Manager, <cm_user:cm_user_password>.

      Note

      If the Credentials_Encrypted parameter in the IngrianNAE.properties file is set to "yes", then specify the obfuscated username and password here.

  • key_label (string: <required>): Specify the label for the key.

  • hmac_key_label (string: <required>): Specify the label for the key. This label is not required for CKM_AES_GCM.

  • mechanism (string: <best available>): Specify the encryption/decryption mechanism to be used. The mechanism is specified using a decimal or hexadecimal string (prefixed by 0x).

    Supported mechanisms are:

    • 0x1082 CKM_AES_CBC (selected by default)

    • 0x1087 CKM_AES_GCM

  • generate_key (string: "false"): Instructs HashiCorp Vault to generate a key when no key with the label "key_label" is found at HashiCorp Vault initialization time. This is a boolean expressed as a string (for example, "true").

    Note

    Currently, HashiCorp Vault supports only 256-bit HMAC keys.

copy link to clipboardSample Configuration File

A sample configuration file (Vault.hcl) with the HSM block filled out for the CipherTrust Manager is shown below:

[root@localhost vault]# cat Vault.hcl
backend "consul"
{
    address = "127.0.0.1:8500"
    path = "vault"
}
listener "tcp"
{
    address = "127.0.0.1:8200"
    tls_disable = 1
}
storage "file"
{
    path = "/tmp/data"
}
hsm "pkcs11"
{
    lib = "/opt/hashi/64/hsm/safenet/8.3.2/libIngPKCS11.so"
    slot = "1"
    pin = "KSUserName:KSUserPassword"
    key_label = "vaulttek"
    mechanism = "0x1087" #for CKM_AES_CBC, use “0x1082”
    generate_key = "false"
}

After configuring the HashiCorp Vault server, start the HashiCorp Vault server, as described in Starting the HashiCorp Vault Server.

On this page