# Configure the Futurex PKCS #11 Library with HashiCorp Vault
The Vault hardware security module (HSM) managed keys feature requires Vault Enterprise with the Advanced Data Protection module.

To configure the Futurex PKCS #11 library with Vault, perform the following tasks:

- Download and install Vault
- Configure Vault
- Start the Vault server

The following sections describe how to perform these tasks.

## Download Vault

Download precompiled Vault binaries at https://releases.hashicorp.com/vault/. To download Vault Enterprise binaries, follow the instructions HashiCorp provides to Vault customers.

This integration requires the Vault 1.10 Enterprise HSM binary, which is available for testing at https://releases.hashicorp.com/vault/1.7.2+ent.hsm/.

## Install Vault

Run the following command to unzip the downloaded package, which contains the Vault binary:

```shell
unzip vault_${VAULT_VERSION}+ent.hsm_linux_amd64.zip
```

Run the following command to set the owner of the vault binary:

```shell
sudo chown root:root vault
```

Run the following command to move the vault binary to `/usr/local/bin` so that it is available on the system path:

```shell
sudo mv vault /usr/local/bin/
```

Run the following command to verify the Vault version:

```shell
vault version
```

The vault command features opt-in autocompletion for flags, subcommands, and arguments (where supported). Install autocompletion by using the following command:

```shell
vault -autocomplete-install
```

Run the following command to enable autocompletion:

```shell
complete -C /usr/local/bin/vault vault
```

Run the following command to configure Vault to use the mlock syscall without running the process as root. This prevents the system from swapping memory to disk:

```shell
sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
```

Run the following command to create a unique, non-privileged system user to run Vault:

```shell
sudo useradd --system --home /etc/vault.d --shell /bin/bash vault
```

## Configure Vault

To configure Vault, perform the following tasks:

- Configure systemd
- Configure Vault settings
- Configure managed keys

The following sections show you how to perform these tasks.

### Configure systemd

systemd uses documented sane defaults (https://www.freedesktop.org/software/systemd/man/systemd.directives.html), so you need to set only non-default values in the configuration file.

Run the following command to create a Vault service file at `/etc/systemd/system/vault.service`:

```shell
sudo touch /etc/systemd/system/vault.service
```

Add the following configuration to the Vault service file:

```ini
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
```

### Configure Vault settings

Vault uses documented sane defaults, so you need to set only non-default values in the configuration file.

Run the following command to create the `/etc/vault.d` directory:

```shell
sudo mkdir --parents /etc/vault.d
```

Run the following command to create the Vault configuration file, `vault.hcl`:

```shell
sudo touch /etc/vault.d/vault.hcl
```

Run the following command to set the ownership of the `/etc/vault.d` directory:

```shell
sudo chown --recursive vault:vault /etc/vault.d
```

Run the following command to set the required file permissions:

```shell
sudo chmod 640 /etc/vault.d/vault.hcl
```

### Configure managed keys

The `kms_library` stanza of `vault.hcl` isolates platform-specific configuration for managed keys. It defines logical names that are referenced within an API configuration, keeping cluster- and node-specific details separate from each other and from deployment concerns.

To integrate the Vault Enterprise server with an HSM for the managed keys feature, the configuration file must define the `kms_library` stanza (https://www.vaultproject.io/docs/configuration/kms-library) with the necessary connection information, as shown in the following example. This guide sets the storage backend to the local file system (`/tmp/vault`) to make the verification step easy.

Example `vault.hcl`:

```hcl
# Provide your Futurex HSM connection information
kms_library "pkcs11" {
  name    = "kms1"
  library = "/usr/local/bin/fxpkcs11/libfxpkcs11.so"
}

storage "file" {
  path = "/tmp/vault"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

disable_mlock = true
license_path  = "/usr/local/bin/license.txt"
api_addr      = "http://127.0.0.1:8200"
cluster_addr  = "https://127.0.0.1:8201"
ui            = true
```

The example configuration defines the following parameters in its `kms_library` stanza. You can define multiple `kms_library` stanzas, but the value of the `name` key must be unique across all the stanza definitions when compared case-insensitively.

| Parameter | Description |
|-----------|-------------|
| `name`    | The logical name referred to by a managed key. |
| `library` | The path to the PKCS #11 library shared object file. |

For the full list of configuration parameters, refer to the Vault documentation at https://www.vaultproject.io/docs/configuration/seal/pkcs11.html#pkcs11-parameters.

To configure master keys, perform the following steps:

1. Edit `vault.hcl` as described in this section.
2. Save your Vault license to a file on disk. In the preceding sample config file, this is specified as `license.txt`.
3. Start the Vault server.

## Start the Vault server

Log in as the vault user and run the following command to start the Vault server:

```shell
vault server -config=/etc/vault.d/vault.hcl
```

If the command succeeds, expect output similar to the following example:

```
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: enabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.17.7
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.10.0+ent.hsm
             Version Sha: d71d7710888891761ce43ec4e5f9d9fdeff31d8e

==> Vault server started! Log data will stream in below:
```

Open a new terminal window and leave the terminal running where the Vault server was started.
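The managed-keys section above states two rules a practitioner will want to check before restarting Vault: every `kms_library` stanza needs a `name`, and those names must be unique across stanzas when compared case-insensitively. The walkthrough also deliberately uses lab settings (`disable_mlock = true`, `tls_disable = "true"`, file storage under `/tmp`) to keep verification simple. The following pre-flight linter is an added example, not HashiCorp or Futurex code; it reads only the simple block-and-attribute subset of HCL shown on this page with regular expressions (it is not a full HCL parser and does not handle `#` inside quoted strings), and the embedded configuration is a constructed sample: the page's example plus a second stanza that violates both rules.

```python
"""Pre-flight checks for the kms_library stanzas in a Vault managed-keys config.

Added example, not part of the HashiCorp or Futurex documentation. Handles only
the block / key = value subset of HCL used on this page.
"""
import re
from dataclasses import dataclass

# Constructed sample: the page's vault.hcl plus a second kms_library stanza whose
# name collides case-insensitively with "kms1" and whose library path is relative.
SAMPLE_HCL = '''
# Provide your Futurex HSM connection information
kms_library "pkcs11" {
  name    = "kms1"
  library = "/usr/local/bin/fxpkcs11/libfxpkcs11.so"
}

kms_library "pkcs11" {
  name    = "KMS1"
  library = "relative/libother.so"
}

storage "file" {
  path = "/tmp/vault"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

disable_mlock = true
license_path  = "/usr/local/bin/license.txt"
api_addr      = "http://127.0.0.1:8200"
cluster_addr  = "https://127.0.0.1:8201"
ui            = true
'''

# A labelled block:  kind "label" { ... }   (body captured lazily up to the closing brace line)
BLOCK_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*\{(.*?)^\s*\}', re.M | re.S)
# A simple attribute:  key = value  or  key = "value"
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


@dataclass
class Block:
    kind: str
    label: str
    attrs: dict


def parse(text):
    """Return (blocks, top_level_attrs) for the page-style HCL subset."""
    text = re.sub(r'#.*', '', text)  # strip comments (naive: no '#' inside strings)
    blocks = [Block(m.group(1), m.group(2), dict(ATTR_RE.findall(m.group(3))))
              for m in BLOCK_RE.finditer(text)]
    top = dict(ATTR_RE.findall(BLOCK_RE.sub('', text)))
    return blocks, top


def lint(text):
    """Return a list of (severity, message); 'error' means Vault should not be started with this file."""
    blocks, top = parse(text)
    findings = []
    seen = {}  # lower-cased name -> name as written, for the case-insensitive uniqueness rule
    for b in (b for b in blocks if b.kind == 'kms_library'):
        name = b.attrs.get('name', '')
        if not name:
            findings.append(('error', 'kms_library stanza has no name'))
            continue
        key = name.lower()
        if key in seen:
            findings.append(('error', f'kms_library name "{name}" collides with "{seen[key]}" '
                                      '(names are compared case-insensitively)'))
        else:
            seen[key] = name
        lib = b.attrs.get('library', '')
        if not lib.startswith('/'):
            findings.append(('error', f'kms_library "{name}": library path "{lib}" is not absolute'))
    if not seen:
        findings.append(('error', 'no kms_library stanza: managed keys cannot be configured'))
    # Lab-only settings from the walkthrough: acceptable for verification, not for production.
    if str(top.get('disable_mlock', '')).lower() == 'true':
        findings.append(('warn', 'disable_mlock = true: Vault memory may be swapped to disk'))
    for b in blocks:
        if b.kind == 'listener' and b.attrs.get('tls_disable', '').lower() == 'true':
            findings.append(('warn', f'listener "{b.label}": TLS is disabled'))
        if b.kind == 'storage' and b.label == 'file' and b.attrs.get('path', '').startswith('/tmp/'):
            findings.append(('warn', f'storage "file" under {b.attrs["path"]} is a lab setting'))
    return findings


if __name__ == '__main__':
    for severity, message in lint(SAMPLE_HCL):
        print(f'{severity:5} {message}')
```

Run against a real file with `lint(open('/etc/vault.d/vault.hcl').read())`; the sample above yields two errors (the `KMS1`/`kms1` collision and the relative library path) and three warnings for the lab settings.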