Configure the Futurex PKCS #11 Library with HashiCorp Vault
The Vault Hardware Security Module (HSM) Managed Keys feature requires Vault Enterprise with the Advanced Data Protection module.
To configure the PKCS #11 library with Vault, perform the following tasks:
- Download and install Vault.
- Configure Vault.
- Start the Vault server.
The following sections describe how to perform these tasks.
Follow the instructions HashiCorp provides to Vault customers for downloading precompiled Vault binaries at https://releases.hashicorp.com/vault/.
This integration requires the Vault 1.10 Enterprise HSM binary, which is available for testing: https://releases.hashicorp.com/vault/1.7.2+ent.hsm/
Run the following command to unzip the downloaded package and move the vault binary to /usr/local/bin:
Run the following command to set the owner of the Vault binary:
Run the following command to check that the vault binary is available on the system path:
Run the following command to verify the Vault version:
The vault command features opt-in autocompletion for flags, subcommands, and arguments (where supported).
Install autocompletion by using the following command:
Run the following command to enable autocompletion:
Run the following command to allow Vault to use the mlock syscall without running the process as root. Locking memory with mlock prevents the system from swapping Vault's memory, and any secrets held in it, to disk.
Run the following command to create a unique, non-privileged system user to run Vault:
To configure Vault, perform the following tasks:
- Configure systemd.
- Configure Vault settings.
- Configure Managed Keys.
The following sections show you how to perform these tasks.
Systemd uses documented sane defaults, so you need to set only non-default values in the service file.
Run the following command to create a Vault service file at /etc/systemd/system/vault.service:
Add the following configuration to the Vault service file:
Vault uses documented sane defaults, so you need to set only non-default values in the configuration file.
Run the following command to create the /etc/vault.d directory:
Run the following command to create the Vault configuration file, vault.hcl:
Run the following command to set the ownership of the /etc/vault.d directory:
Run the following command to set the required file permissions:
The kms_library stanza of vault.hcl isolates the platform-specific configuration for managed keys. It defines logical names that are referenced from the API configuration, so that cluster-specific and node-specific details (such as the library path on a given host) stay separate from the deployment concerns of each managed key.
To integrate the Vault Enterprise server with an HSM for the Managed Keys feature, the configuration file must define a kms_library stanza that provides the necessary connection information, as shown in the following example:
This guide sets the storage backend to the local file system (/tmp/vault) to make the verification step easy.
Example: vault.hcl
The example configuration defines the following parameters in its kms_library stanza:
- name: The logical name referred to by a managed key.
- library: The path to the PKCS #11 library shared object file.
You can define multiple kms_library stanzas, but the value of the name key must be unique across all stanza definitions, compared case-insensitively.
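As an added example (not the page's own vault.hcl, which is not reproduced here), the following minimal configuration matches the description above: file storage under /tmp/vault, a license file saved to disk, and a kms_library stanza of type pkcs11 pointing at the HSM vendor's library. The listener address, the license path and the library path are assumed placeholders; substitute the location of the Futurex PKCS #11 shared object on your system.

```hcl
# Added example vault.hcl for a single Vault Enterprise HSM test node.
# Values marked PLACEHOLDER are assumptions; adjust them for your system.

ui = true

# Local file storage keeps the verification step simple. It is not
# highly available and is not intended for production use.
storage "file" {
  path = "/tmp/vault"
}

# Plain HTTP bound to loopback only, for the local verification step.
# Enable TLS before binding the listener to a network-reachable address.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

# Vault Enterprise license saved to disk, as the guide describes.
license_path = "/etc/vault.d/License.txt"     # PLACEHOLDER path

# Platform-specific managed-key configuration. A managed key definition
# later refers to this stanza by its logical name, which must be unique
# (case-insensitively) across all kms_library stanzas.
kms_library "pkcs11" {
  name    = "futurex-hsm"
  library = "/usr/lib/libfxpkcs11.so"        # PLACEHOLDER: Futurex PKCS #11 .so
}
```

Because the stanza carries only the logical name and the library path, the same managed key definition can be reused on nodes where the shared object is installed at a different path by changing this stanza alone.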
For the full list of configuration parameters, refer to the HashiCorp Vault documentation.
To configure master keys, perform the following steps:
Edit vault.hcl as described in this section.
Save your Vault license to a file on disk. The preceding sample configuration file refers to this file as License.txt.
Log in with the vault user.
Run the following command to start the Vault server:
If the command succeeds, expect output similar to the following example:
Leave the terminal where the Vault server was started running, and open a new terminal window for the remaining steps.