After you install the CyberArk Vault and start it successfully, you can generate a new Server key on the CryptoHub. The Server key is the key used to open the Vault, much like the key of a physical Vault. You need the key to start the Vault, and then you can remove the Server key until you need to restart the Server. When you stop the Vault, the information stored in the Vault is completely inaccessible without that key.
Configure Vault initially
Perform the following steps to configure Vault for the first time:

To use a CryptoHub that is attached to the network, configure the Firewall to allow communication to the CryptoHub device. In DBParm.ini, configure the AllowNonStandardFWAddresses parameter to open the Firewall and allow access to the CryptoHub device, as shown in the following example:

Configure the PKCS #11 provider DLL and specify it in the PKCS11ProviderPath parameter in DBParm.ini, as shown in the following example:
Define the PIN or passphrase to be used by the Vault when accessing the CryptoHub. From a command line, run the following command, specifying your own PIN or passcode for accessing the Server key. The PIN or passcode cannot begin with a forward slash (/):

The hsmpincode you pass into the command below must be the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

Open DBParm.ini and make sure that you added the HSMPinCode parameter with the encrypted value of the PIN or passcode.

Load the server key into the CryptoHub
The following process installs and stores the Server key in CryptoHub. After this process completes, the Server key is stored as a non-exportable key on the CryptoHub and the Vault can use it.

Generate the server key on the CryptoHub
Perform the following steps to generate the server key on the CryptoHub:

Run the CAVaultManager command to generate the server key on the CryptoHub:

This command generates a new key for the Vault server and stores it in the CryptoHub device, returning the key generation keyword (such as HSM#5).

Each time you create a key generation, the keyword allocated is one number higher than the current server key generation specified in DBParm.ini. To successfully create additional key generations, you must manually delete the first generation of the server key; otherwise, an error is returned. If the ServerKey parameter in the CAVaultManager command specifies a path instead of a CryptoHub keyword, the first key generation is created (such as HSM#1).

Re-encrypt the Vault data and metadata with the newly generated keys in CryptoHub.
- Run the ChangeServerKeys command to change the encryption keys used for the Vault server.
Open DBParm.ini and, in the ServerKey parameter, specify the key generation keyword returned in the output of the preceding CAVaultManager command, as shown in the following example.
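
An added example, not from the original page or from CyberArk or Futurex: a Python check, run against a copy of DBParm.ini, that confirms the parameters set in the steps above are present and that ServerKey holds the keyword CAVaultManager returned. It assumes DBParm.ini holds one Name=Value pair per line with case-insensitive names and `;` comment lines; the function names and every sample value are constructed for illustration.

```python
import re

# Parameters this page tells you to set in DBParm.ini.
REQUIRED = ("AllowNonStandardFWAddresses", "PKCS11ProviderPath", "HSMPinCode", "ServerKey")
HSM_KEYWORD = re.compile(r"HSM#(\d+)", re.IGNORECASE)

def parse_dbparm(text):
    """Parse Name=Value lines (assumed layout); names are lower-cased, quotes stripped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, assumed comment marker, or not a parameter
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip().strip('"')
    return params

def next_generation(server_key):
    """Keyword the next key generation receives: current number + 1, or HSM#1 for a path."""
    m = HSM_KEYWORD.fullmatch(server_key.strip())
    return "HSM#%d" % (int(m.group(1)) + 1) if m else "HSM#1"

def audit(text, generated_keyword=None):
    """Return a list of findings; an empty list means every check passed."""
    params = parse_dbparm(text)
    findings = ["%s is missing or empty" % n for n in REQUIRED if not params.get(n.lower())]
    server_key = params.get("serverkey", "")
    if server_key and not HSM_KEYWORD.fullmatch(server_key):
        findings.append("ServerKey is a file path, so the server key is not yet on the CryptoHub")
    if generated_keyword and server_key and server_key.upper() != generated_keyword.upper():
        findings.append("ServerKey is %s but CAVaultManager returned %s" % (server_key, generated_keyword))
    return findings

# Constructed samples: every value is a placeholder, not taken from a real Vault.
# The value syntax of each parameter is not validated, only its presence.
SAMPLE_BEFORE = r"""AllowNonStandardFWAddresses=[192.0.2.10],Yes,9100:outbound/tcp
PKCS11ProviderPath="C:\Program Files\Example\pkcs11.dll"
ServerKey=D:\Keys\Server.key
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(r"D:\Keys\Server.key", "HSM#1") + "HSMPinCode=EXAMPLE-ENCRYPTED-VALUE\n"

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(text, generated_keyword="HSM#1") or "OK")
```
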

