Rotating HashiCorp Vault Keys
The PKCS#11 seal supports rotating keys by using different key labels to track key versions.
To rotate the key value, generate a new key in a different key label in the HSM and update Vault's configuration with the new key label value. Restart your Vault instance to pick up the new key label and all new encryption operations will use the updated key label. Old keys must not be disabled or deleted as they are used to decrypt older data.
If rotation is desired for data that was seal wrapped prior to this version, set default_key_label and default_hmac_key_label to the labels that were in use at that time, so that the older values can still be decrypted.
To rotate Vault Keys
- Stop the Vault server from the terminal, if it is running.
- Modify config.json in the following way:

    # Entropy augmentation
    entropy "seal" {
      mode = "augmentation"
    }

    # PKCS #11 seal
    seal "pkcs11" {
      lib = "<path to cryptoki library>"
      slot = "<slot number>"
      pin = "<partition password>"
      default_key_label = "HashiCorp"
      key_label = "HashiCorp_rot"
      default_hmac_key_label = "HashiCorp_hmac"
      hmac_key_label = "HashiCorp_hmac_rot"
      generate_key = "true"
    }

    storage "file" {
      path = "/tmp/vault"
    }

  The modifiable attributes of config.json are described after step 1 of Enabling the PKCS#11 Seal.
- Start Vault using the updated configuration file.

    # ./vault server -config config.json

- Launch a new terminal session and run the following command:

    # export VAULT_ADDR='http://127.0.0.1:8200'

- Verify the Vault status and list the secrets.

    # ./vault secrets list

- Verify the keys generated in the partition by running the following ctkmu command on the host.
This completes the rotation of HashiCorp Vault keys using ProtectServer 3 HSM.
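As an added example (not code from the page, Thales or HashiCorp), the Python below models the label bookkeeping this procedure depends on: it parses a pkcs11 seal stanza of the shape used in config.json, produces the rotated stanza with the previously active labels pinned as default_key_label and default_hmac_key_label, and checks that a rotation never repoints those defaults, since that would leave older sealed values undecryptable. The stanza text and label names are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample seal stanza (same shape as the page's config.json, placeholder values).
SAMPLE_SEAL = '''seal "pkcs11" {
  lib       = "<path to cryptoki library>"
  slot      = "0"
  pin       = "<partition password>"
  key_label = "HashiCorp"
  hmac_key_label = "HashiCorp_hmac"
  generate_key = "true"
}'''

ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)

def parse_seal(text: str) -> Dict[str, str]:
    """Extract the key = "value" attributes of a single seal "pkcs11" stanza."""
    body = re.search(r'seal\s+"pkcs11"\s*\{(.*)\}', text, re.DOTALL)
    if not body:
        raise ValueError("no pkcs11 seal stanza found")
    return dict(ATTR_RE.findall(body.group(1)))

def rotate_labels(attrs: Dict[str, str], new_key_label: str, new_hmac_key_label: str) -> Dict[str, str]:
    """Return a rotated copy: the new labels become active; the labels that were active
    before the first rotation are pinned as default_* so pre-tracking values still decrypt."""
    if new_key_label == attrs["key_label"] or new_hmac_key_label == attrs["hmac_key_label"]:
        raise ValueError("new labels must differ from the labels currently in use")
    rotated = dict(attrs)
    rotated.setdefault("default_key_label", attrs["key_label"])        # only set on first rotation
    rotated.setdefault("default_hmac_key_label", attrs["hmac_key_label"])
    rotated["key_label"] = new_key_label
    rotated["hmac_key_label"] = new_hmac_key_label
    return rotated

def render_seal(attrs: Dict[str, str]) -> str:
    """Render attributes back into a seal "pkcs11" stanza for config.json."""
    return 'seal "pkcs11" {\n' + "\n".join(f'  {k} = "{v}"' for k, v in attrs.items()) + "\n}"

def check_rotation(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Invariants of a safe rotation: the active label changed, the default label did not."""
    problems = []
    for kind in ("key_label", "hmac_key_label"):
        if before[kind] == after[kind]:
            problems.append(f"{kind} unchanged; nothing was rotated")
        old_default = before.get("default_" + kind, before[kind])
        if after.get("default_" + kind) != old_default:
            problems.append(f"default_{kind} must stay '{old_default}' to decrypt older data")
    return problems
```

The HSM-side step (creating the new key under the new label, never disabling or deleting the old one) is outside this script and stays a ctkmu task on the host.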