Vault
kms_library stanza
The kms_library
stanza isolates platform specific configuration for managed keys.
It defines logical names that are referenced within an API configuration keeping cluster
and node specific details separated along with deployment concerns for each.
At the moment managed keys are only available as a feature set within Vault Enterprise HSM edition.
Requirements
The following software packages are required for Vault Enterprise HSM:
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
- The GNU libltdl library ā ensure that it is installed for the correct architecture of your servers
Configuration
Multiple kms_library stanza's can be defined with the only limitation that the value for the name key needs to be a unique value across all the stanza definitions in a case-insensitive manner.
The type argument only supports "pkcs11" at the moment.
Example kms_library
stanza:
kms_library [TYPE] {
name = "<logical name>"
# ...
}
pkcs11
parameters
These parameters apply to the kms_library
stanza of type pkcs11
in the Vault configuration file:
name
(string: <required>)
: The logical name to be referenced by a managed keylibrary
(string: <required>)
: The path to the PKCS#11 library shared object file.
For example:
kms_library "pkcs11" {
name = "hsm1"
library = "/usr/lib/Cryptoki.so"
}