HashiCorp Vault - Managed Keys
Appendix: Configuring Vault to use a key manually generated on the HSM
The following example uses fxcli to generate a new key on the Vectera Plus and assign it a PKCS#11 label that Vault can reference when creating a new managed key.

1 | Connect and log in to the HSM by using fxcli

Run the fxcli application. Configure TLS certificates for communication between fxcli and the HSM by using the tls commands; run tls help to access the syntax documentation.

Use the following command to connect to the HSM:

    fxcli connect --tcp --connect <hsm ip>:9009

Log in to the HSM with the default Admin1 and Admin2 identities by running the following command twice, entering the username and password when prompted:

    fxcli login user

Create a new key pair on the Vectera Plus

Create a new key pair in the next available key slot on the HSM:

    fxcli generate --algo RSA --bits 2048 --name vaultmanualkey --slot next --tpk-slot next --usage encrypt,decrypt,sign,verify,wrap,unwrap

Confirm which key slot the private key was added to:

    fxcli keytable list

Assign a PKCS#11 label to the key. Vault needs this external data field to be set so that it can find the key. The number that you specify in the --slot flag must match the slot number of the private key determined in the previous step, and the PKCS#11 label value should match the name set for the key pair in the generate command:

    fxcli keytable extdata --slot 0 --p11-attr label --p11-value vaultmanualkey

2 | Create a managed key in Vault

This example creates a managed key in Vault by referencing the PKCS#11 label of the key that you manually generated on the Vectera Plus by using fxcli. The Vault command used to create a managed key from a manually generated key on the HSM is almost identical to the command you used to dynamically generate a key on the HSM in the Testing PKI Operations section.

Manually generate a 2048-bit RSA key in Vault with the key label vaultmanualkey:

    vault write /sys/managed-keys/pkcs11/hsm-key library=hsm1 token_label=futurex pin=$PIN key_label="vaultmanualkey" allow_generate_key=false allow_store_key=false mechanism=0x0001 key_bits=2048 any_mount=false

In the key_label field, specify the PKCS#11 label you assigned to the key by using the keytable extdata fxcli command in the previous section. The main difference in this command is that it sets allow_generate_key to false, which tells Vault not to attempt to generate a key on the HSM if it cannot find the referenced key.

Verify that the key configuration has been written to Vault:

    vault list /sys/managed-keys/pkcs11

Verify that the key configuration is valid by test-signing some data:

    vault write -f /sys/managed-keys/pkcs11/hsm-key/test/sign
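The same write, list and test-sign sequence driven through Vault's HTTP API, as an added example that is not part of the Futurex or Vault documentation. It assumes VAULT_ADDR, VAULT_TOKEN and HSM_PIN are set in the environment; the key name hsm-key, library hsm1, token label futurex and PKCS#11 label vaultmanualkey are the values used in the appendix.

```python
import json
import os
import urllib.request

# Added example: hsm-key, hsm1, futurex and vaultmanualkey come from the
# appendix; VAULT_ADDR, VAULT_TOKEN and HSM_PIN are assumed in the environment.

def managed_key_payload(key_label, pin, library="hsm1", token_label="futurex",
                        mechanism="0x0001", key_bits=2048):
    """Body for POST sys/managed-keys/pkcs11/<name> for a pre-existing key.

    Both allow_* flags are pinned to False: Vault must find the object whose
    PKCS#11 label equals key_label on the token and never create one itself.
    """
    if not key_label:
        raise ValueError("key_label is required when allow_generate_key=false")
    return {
        "library": library,
        "token_label": token_label,
        "pin": pin,
        "key_label": key_label,
        "allow_generate_key": False,
        "allow_store_key": False,
        "mechanism": mechanism,  # 0x0001 = CKM_RSA_PKCS
        "key_bits": key_bits,
        "any_mount": False,
    }

def key_is_registered(list_response, name):
    """True if name appears in the JSON from LIST sys/managed-keys/pkcs11."""
    return name in json.loads(list_response).get("data", {}).get("keys", [])

def vault_request(method, path, body=None):
    """Send one token-authenticated request to Vault; return the response text."""
    req = urllib.request.Request(
        os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    vault_request("POST", "sys/managed-keys/pkcs11/hsm-key",
                  managed_key_payload("vaultmanualkey", os.environ["HSM_PIN"]))
    if not key_is_registered(vault_request("LIST", "sys/managed-keys/pkcs11"), "hsm-key"):
        raise SystemExit("hsm-key was not written")
    # A successful test-sign shows Vault found the key by its PKCS#11 label.
    print(vault_request("POST", "sys/managed-keys/pkcs11/hsm-key/test/sign"))
```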