Application description
From the HashiCorp Vault documentation website: Within certain environments, you might want or need to leverage key management systems external to Vault when handling, storing, and interacting with private key material. To satisfy these requirements, Vault has a centralized abstraction called managed keys. Different secrets engines can plug into this feature to delegate these operations to a trusted external KMS. At a minimum, a managed key consists of a named managed-key entry handled by the sys/managed-key API (www.vaultproject.io/api-docs/system/managed-keys). Besides a name, a managed key has backend-specific configurations to access the key in question. For PKCS #11 (HSM) backed managed keys, the managed key configuration must reference a kms library stanza (www.vaultproject.io/docs/configuration/kms-library) that points to a PKCS #11 access library on the host machine. Note that a configured, named managed key corresponds to a single key within a backend. You can configure more than one managed key to target a single backend by creating multiple managed keys with the API.

Integration overview
To use the HashiCorp Managed Keys feature with the KMES Series 3, you must perform the following tasks:
- Install Futurex PKCS #11.
- Configure the KMES Series 3.
- Edit the Futurex PKCS #11 configuration file.
- Configure the Futurex PKCS #11 library with HashiCorp Vault.
- Test PKI operations.

