Application description
From the HashiCorp Vault documentation website:

Within certain environments, customers want to leverage key management systems external to Vault, when handling, storing, and interacting with private key material, or are required to do so by standards requirements. To satisfy these requirements, Vault has a centralized abstraction called Managed Keys that different secrets engines can plug into, enabling them to delegate these operations to a trusted external KMS.

Minimally, a managed key consists of a named managed key entry managed by the sys/managed-key API. Besides a name, there are backend-specific configurations to access the key in question. For PKCS #11 (HSM) backed managed keys, the managed key configuration must reference a kms library stanza that points to a PKCS #11 access library on the host machine.

Note that a configured, named managed key corresponds to a single key within a backend. You can configure more than one managed key targeting a single backend by creating multiple managed keys with the API.

Guardian integration
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:

- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems

