Install and configure HashiCorp Vault
Perform the tasks in this section to install and configure Vault:
The Vault HSM Managed Keys feature requires Vault Enterprise with the Advanced Data Protection Module.
Download precompiled Vault binaries at https://releases.hashicorp.com/vault/, and download Vault Enterprise binaries by following the instructions available to HashiCorp Vault customers.
This integration requires the Vault Enterprise HSM binary, version 1.10 or later. You can use the following link for testing: https://releases.hashicorp.com/vault/1.10.0+ent.hsm/
Unzip the downloaded package and move the vault binary to /usr/local/bin/.
Set the owner of the Vault binary to root, so that the unprivileged user that runs Vault cannot replace it.
Ensure that vault is available on the system path.
Verify the Vault version.
The vault command features opt-in autocompletion for flags, subcommands, and arguments (where supported). Install autocompletion by using the following command.
Enable autocompletion.
Allow Vault to use the mlock syscall without running the process as root. mlock prevents Vault's memory, which holds unsealed key material, from being swapped to disk; granting the binary the CAP_IPC_LOCK capability is what lets a non-root Vault process call it.
Create a unique, non-privileged system user to run Vault.
Systemd uses documented sane defaults, so you must set only non-default values in the service file.
Create a Vault service file in /etc/systemd/system/vault.service.
Add the following configuration details to the Vault service file:
Vault uses documented sane defaults, so you must set only non-default values in the configuration file.
Create /etc/vault.d directory.
Create a Vault configuration file, vault.hcl.
Set the ownership of the /etc/vault.d directory.
Set the required file permissions.
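The binary, user, service-file and directory steps above, gathered into one script. This is an added example, not a script from the page or from Futurex or HashiCorp: the unit contents follow HashiCorp's reference unit for Vault and the /usr/local/bin, /etc/vault.d and vault-user names used above; everything else in it is an assumption of this example. Run it as root with the argument `install`; the render and check functions write under `$ROOT`, so they can also be exercised in a scratch directory without root.

```shell
#!/usr/bin/env bash
# Added example (not from the page): provisions the Vault binary, user,
# systemd unit and /etc/vault.d skeleton. "ROOT" is a prefix for rendered
# files so the functions can be tested without touching the real system.
set -eu

ROOT="${ROOT:-}"
VAULT_BIN="${VAULT_BIN:-/usr/local/bin/vault}"
VAULT_USER="vault"

# root-owned, world-executable binary; CAP_IPC_LOCK lets the non-root
# vault user call mlock(2) so unsealed key material is never swapped out.
install_vault_binary() {
    install -o root -g root -m 0755 "$1" "$VAULT_BIN"
    setcap cap_ipc_lock=+ep "$VAULT_BIN"
    "$VAULT_BIN" version
}

# System account with no login shell: nobody "logs in" as vault except via sudo.
create_vault_user() {
    id "$VAULT_USER" >/dev/null 2>&1 && return 0
    useradd --system --home /etc/vault.d --shell /bin/false "$VAULT_USER"
}

# Only non-default unit values are set. Caveats for this guide's setup:
# PrivateTmp=yes gives the service its own /tmp, so a file backend under
# /tmp/vault is invisible from an admin shell (fine for verification only);
# PrivateDevices=yes is fine for a network HSM but would hide device nodes
# that a USB-token PKCS #11 library needs.
render_vault_unit() {
    dest="${ROOT}/etc/systemd/system/vault.service"
    mkdir -p "$(dirname "$dest")"
    cat >"$dest" <<EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://developer.hashicorp.com/vault/docs
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=${ROOT}/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
Type=notify
User=${VAULT_USER}
Group=${VAULT_USER}
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=${VAULT_BIN} server -config=${ROOT}/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$dest"
}

# /etc/vault.d owned by vault; vault.hcl readable by vault only. It names the
# license file and the PKCS #11 library path; the HSM PIN never goes in here.
prepare_config_dir() {
    dir="${ROOT}/etc/vault.d"
    mkdir -p "$dir"
    touch "$dir/vault.hcl"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$VAULT_USER:$VAULT_USER" "$dir"
    fi
    chmod 0750 "$dir"
    chmod 0640 "$dir/vault.hcl"
}

# Succeeds only if the rendered unit runs Vault unprivileged, with IPC_LOCK
# and without the ability to gain further privileges.
check_unit() {
    grep -q "^User=${VAULT_USER}\$" "$1" &&
    grep -q '^AmbientCapabilities=CAP_IPC_LOCK$' "$1" &&
    grep -q '^NoNewPrivileges=yes$' "$1"
}

if [ "${1:-}" = "install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_vault_binary "${2:-./vault}"      # path to the unzipped binary
    create_vault_user
    unit="$(render_vault_unit)"
    check_unit "$unit"
    prepare_config_dir
    systemctl daemon-reload
    systemctl enable vault
fi
```

The check function is the part worth keeping around: after any later edit to the unit it confirms the process still runs as the vault user with only CAP_IPC_LOCK and NoNewPrivileges, which is what makes the mlock step above safe to combine with a non-root user.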
The kms_library stanza isolates the platform-specific part of a managed key configuration. It gives the PKCS #11 library a logical name that managed keys created through the API then refer to, so the cluster-level key definitions stay separate from node-specific details such as library paths and from the deployment concerns of each node.
To support the Managed Keys feature with an HSM, the Vault Enterprise server configuration file must define a kms_library stanza that provides the connection information for the HSM's PKCS #11 library.
Example: vault.hcl
This guide sets the storage backend to the local file system (/tmp/vault) to make verification easier. That is for verification only: data under /tmp does not survive a reboot, and a real deployment should use a supported backend such as Integrated Storage.
Save your Vault license to a file on disk. The preceding configuration file specifies it as License.txt.
The example configuration defines the following elements in its kms_library stanza.
- name - The logical name to be referenced by a managed key.
- library - The path to the PKCS #11 library shared object file.
You can define multiple kms_library stanzas. The only limitation is that the value of the name key must be unique across all stanza definitions, compared case-insensitively.
For the full list of configuration parameters, refer to the kms_library section of the Vault server configuration documentation.
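A script that renders the vault.hcl described above and enforces the uniqueness rule for kms_library names. This is an added example, not the page's configuration: the listener, the /tmp/vault file backend, the license path and the kms_library stanza use the values named in this section, while the Futurex library path and the name "futurex" are assumptions you replace with your own. The PIN is deliberately absent from the file.

```shell
#!/usr/bin/env bash
# Added example (not from the page): writes vault.hcl with one or more
# kms_library stanzas and rejects names that collide ignoring case.
set -eu

# Emit one kms_library stanza. $1 = logical name, $2 = PKCS #11 .so path.
# The label "pkcs11" is the provider type Vault expects for an HSM library.
kms_library_stanza() {
    cat <<EOF

kms_library "pkcs11" {
  name    = "$1"
  library = "$2"
}
EOF
}

# Write a complete vault.hcl to $1; remaining args are name=library pairs.
# Only non-default values are set, per the note above.
render_vault_hcl() {
    dest="$1"; shift
    {
        cat <<'EOF'
# Verification-only settings: plaintext loopback listener, file storage in /tmp.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

storage "file" {
  path = "/tmp/vault"
}

license_path = "/etc/vault.d/License.txt"
EOF
        for pair in "$@"; do
            kms_library_stanza "${pair%%=*}" "${pair#*=}"
        done
    } >"$dest"
}

# Fail if two kms_library stanzas share a name (case-insensitive). Names are
# taken only from `name = "..."` lines inside kms_library blocks, so a "name"
# key elsewhere in the file is not counted.
check_kms_names() {
    dupes="$(awk '
        /^[[:space:]]*kms_library[[:space:]]/ { inblk = 1; next }
        inblk && /^[[:space:]]*}/            { inblk = 0; next }
        inblk && $1 == "name" {
            n = $0; sub(/^[^"]*"/, "", n); sub(/".*$/, "", n)
            print tolower(n)
        }' "$1" | sort | uniq -d)"
    if [ -n "$dupes" ]; then
        echo "duplicate kms_library name(s) in $1: $dupes" >&2
        return 1
    fi
    return 0
}

if [ "${1:-}" = "render" ]; then
    # Assumed Futurex library path; use the location of your fxpkcs11 module.
    render_vault_hcl /etc/vault.d/vault.hcl \
        "futurex=/usr/local/lib/libfxpkcs11.so"
    check_kms_names /etc/vault.d/vault.hcl
fi
```

Once the file is in place, `vault operator diagnose -config=/etc/vault.d/vault.hcl` is a cheap way to have the server parse it before you start it for real; the name check here exists because a duplicate name is the one kms_library mistake the section calls out and it is easy to introduce when copying a stanza.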
Log in with the vault user.
Set the PKCS #11 PIN used for login with the following command. The value is the identity password configured in the <CRYPTO-OPR-PASS> tag of the fxpkcs11.cfg file. Set it in the environment of the shell that starts Vault rather than writing it into vault.hcl, so the PIN is not stored on disk alongside the server configuration:
Start the Vault server.
If the command succeeds, you should see output similar to the following example:
Open a new terminal window and leave the terminal running where you started the Vault server.
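The start-up steps above as one script. This is an added example, not a command from the page: it prompts for the PIN instead of having it typed into an `export` line, starts the server in the foreground as the page does, and gives the second terminal a way to wait for the listener. The variable name VAULT_HSM_PIN is an assumption taken from Vault's pkcs11 documentation, so confirm it for your Vault version; the address and config path are the defaults used in this section.

```shell
#!/usr/bin/env bash
# Added example (not from the page). Usage:
#   terminal 1:  ./vault-start.sh start    (prompts for the PIN, runs the server)
#   terminal 2:  ./vault-start.sh wait     (polls until the listener answers)
set -eu

VAULT_CONFIG="${VAULT_CONFIG:-/etc/vault.d/vault.hcl}"
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
export VAULT_ADDR

# Typing "export VAULT_HSM_PIN=..." at the prompt records the PIN in the shell
# history and hands it to every child of that shell. Read it with echo off
# instead, unless it was already supplied in the environment. Returns 1 when
# no PIN is available. (VAULT_HSM_PIN is an assumed variable name.)
load_hsm_pin() {
    pin="${VAULT_HSM_PIN:-}"
    if [ -z "$pin" ] && [ -t 0 ]; then
        printf 'Futurex PKCS #11 PIN (CRYPTO-OPR-PASS identity password): ' >&2
        stty -echo; read -r pin; stty echo; echo >&2
    fi
    [ -n "$pin" ] || return 1
    VAULT_HSM_PIN="$pin"
    export VAULT_HSM_PIN
}

# /v1/sys/health encodes server state in the status code: 200 active,
# 429 standby, 472 DR secondary, 473 performance standby, 501 not
# initialised, 503 sealed. Any of them means the process is up and listening;
# a fresh server from this guide answers 501 until you initialise it.
health_means_started() {
    case "$1" in
        200|429|472|473|501|503) return 0 ;;
        *) return 1 ;;
    esac
}

wait_for_vault() {
    tries="${1:-30}"
    while [ "$tries" -gt 0 ]; do
        code="$(curl -s -o /dev/null -w '%{http_code}' "$VAULT_ADDR/v1/sys/health" || true)"
        health_means_started "$code" && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

case "${1:-}" in
    start)
        load_hsm_pin || { echo "no PIN supplied" >&2; exit 1; }
        exec vault server -config="$VAULT_CONFIG"
        ;;
    wait)
        wait_for_vault 30 || { echo "vault did not come up on $VAULT_ADDR" >&2; exit 1; }
        echo "vault server listening on $VAULT_ADDR"
        ;;
esac
```

Because the PIN is exported only into the process that execs the server, it is visible in that process's environment (readable by root and by the vault user) but nowhere on disk, which is the property the step above is after.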