
Configure the Futurex PKCS #11 Library with HashiCorp Vault


The Vault Hardware Security Module (HSM) Managed Keys feature requires Vault Enterprise with the Advanced Data Protection module.

To configure the Futurex PKCS #11 library with Vault, perform the following tasks:

  1. Download and install Vault.
  2. Configure Vault.
  3. Start the Vault server.

The following sections describe how to perform these tasks.

Download Vault

Download precompiled Vault binaries from https://releases.hashicorp.com/vault/. To download Vault Enterprise binaries, follow the instructions that HashiCorp provides to Vault Enterprise customers.

This integration requires the Vault 1.10 Enterprise HSM binary, which is available for testing at https://releases.hashicorp.com/vault/1.7.2+ent.hsm/

Install Vault

  1. Run the following command to unzip the downloaded package and move the vault binary to /usr/local/bin:
  2. Run the following command to set the owner of the vault binary:
  3. Run the following command to check that vault is available on the system path:
  4. Run the following command to verify the Vault version:
  5. The vault command features opt-in autocompletion for flags, subcommands, and arguments (where supported). Install autocompletion by using the following command:
  6. Run the following command to enable autocompletion:
  7. Run the following command to grant the vault binary the capability to use the mlock syscall without running the process as root. Locking memory prevents the operating system from swapping Vault's memory, which holds secrets in plaintext, to disk:
  8. Run the following command to create a unique, non-privileged system user to run Vault:
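The eight installation steps above, carried out by one script. This is an added example, not a command set from the page or from Futurex or HashiCorp. It assumes the downloaded zip path is passed as the first argument, that the binary goes to /usr/local/bin, that sudo is available, and that the service account is called vault; it also parses the first line of `vault version` to confirm that the installed binary is an Enterprise HSM (+ent.hsm) build, since the Managed Keys feature does not work with the plain Enterprise or OSS binaries.

```shell
#!/usr/bin/env sh
# Added example, not the page's own commands: performs the install steps for a
# downloaded Vault Enterprise HSM zip and confirms that the installed binary is
# an "+ent.hsm" build. Assumptions: the zip path is $1, the binary goes to
# /usr/local/bin, sudo is available, and the service account is "vault".
set -eu

BIN_DIR="${VAULT_BIN_DIR:-/usr/local/bin}"

# Pull the build flavour out of one `vault version` line such as
# "Vault v1.10.3+ent.hsm (abc123), built 2022-05-20T11:22:33Z":
# "ent.hsm" for the HSM build, "ent" for plain Enterprise, "" for OSS.
parse_build_flavor() {
    printf '%s\n' "$1" | sed -n 's/^Vault v[0-9][0-9.]*+\{0,1\}\([A-Za-z.]*\).*/\1/p'
}

# The numeric version from the same line, e.g. "1.10.3".
parse_version_number() {
    printf '%s\n' "$1" | sed -n 's/^Vault v\([0-9][0-9.]*\).*/\1/p'
}

# Exit status 0 only for an Enterprise HSM build.
is_hsm_build() {
    [ "$(parse_build_flavor "$1")" = "ent.hsm" ]
}

install_vault() {
    zip="$1"
    tmp="$(mktemp -d)"
    unzip -q "$zip" -d "$tmp"
    # Steps 1-2: binary into place, owned by root.
    sudo mv "$tmp/vault" "$BIN_DIR/vault"
    sudo chown root:root "$BIN_DIR/vault"
    rmdir "$tmp"

    # Steps 3-4: on PATH and reporting the expected build.
    command -v vault >/dev/null || { echo "vault is not on PATH" >&2; return 1; }
    line="$(vault version | head -n 1)"
    echo "installed $(parse_version_number "$line") ($(parse_build_flavor "$line"))"
    is_hsm_build "$line" ||
        { echo "not an +ent.hsm build; Managed Keys need the HSM binary" >&2; return 1; }

    # Steps 5-6: autocompletion; rerunning after it is installed only errors.
    vault -autocomplete-install 2>/dev/null || true
    # Step 7: mlock without root, so Vault's memory is never swapped to disk.
    sudo setcap cap_ipc_lock=+ep "$BIN_DIR/vault"
    # Step 8: unprivileged service account with no login shell.
    id vault >/dev/null 2>&1 ||
        sudo useradd --system --home /etc/vault.d --shell /bin/false vault
}

# Run for real: VAULT_INSTALL_RUN=1 sh install-vault.sh <downloaded-zip>
if [ "${VAULT_INSTALL_RUN:-0}" = "1" ]; then
    install_vault "$1"
fi
```

The guard variable keeps the functions loadable without side effects, so the version-parsing helpers can be checked on their own before the script touches the host. After a real run, `getcap /usr/local/bin/vault` should list cap_ipc_lock, which the systemd unit's memory-lock limit relies on later.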


Configure Vault

To configure Vault, perform the following tasks:

  1. Configure systemd.
  2. Configure Vault settings.
  3. Configure Managed Keys.

The following sections show you how to perform these tasks.

Configure systemd

Systemd uses documented sane defaults, so you need to set only non-default values in the service file.

  1. Run the following command to create a Vault service file at /etc/systemd/system/vault.service:
  2. Add the following configuration to the Vault service file:


Configure Vault settings

Vault uses documented sane defaults, so you need to set only non-default values in the configuration file.

  1. Run the following command to create the /etc/vault.d directory:
  2. Run the following command to create the Vault configuration file, vault.hcl:
  3. Run the following command to set the ownership of the /etc/vault.d directory:
  4. Run the following command to set the required file permissions:
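The systemd and /etc/vault.d steps from the two sections above, combined into one script with a verification function. This is an added example and not the page's own service file or commands; the unit is modelled on HashiCorp's published Vault deployment guide. It assumes a Linux host with GNU stat, a service account named vault (VAULT_USER/VAULT_GROUP), and a VAULT_ROOT prefix that is empty on a real host and a scratch directory when you try the script without root. Two caveats a practitioner should weigh: PrivateTmp is left out on purpose because this guide stores data under /tmp/vault, which a private /tmp would hide from the host; and PrivateDevices=yes should be dropped if the Futurex PKCS #11 library talks to a locally attached device rather than a network HSM.

```shell
#!/usr/bin/env sh
# Added example (not the page's own files): writes the systemd unit and lays
# out /etc/vault.d as the steps above describe, then verifies ownership and
# permissions. Assumptions: VAULT_ROOT (a prefix for every path, empty on a
# real host, a scratch directory for testing), VAULT_USER/VAULT_GROUP
# (default "vault"), and a Linux host with GNU stat.
set -eu

vault_user()  { printf '%s\n' "${VAULT_USER:-vault}"; }
vault_group() { printf '%s\n' "${VAULT_GROUP:-$(vault_user)}"; }
unit_file()   { printf '%s\n' "${VAULT_ROOT:-}/etc/systemd/system/vault.service"; }
conf_dir()    { printf '%s\n' "${VAULT_ROOT:-}/etc/vault.d"; }
conf_file()   { printf '%s\n' "$(conf_dir)/vault.hcl"; }

# Unit modelled on HashiCorp's deployment guide; only non-default settings
# appear. PrivateTmp is deliberately absent because this guide keeps storage
# under /tmp/vault. Drop PrivateDevices for a locally attached HSM.
write_unit() {
    mkdir -p "$(dirname "$(unit_file)")"
    cat > "$(unit_file)" <<EOF
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl

[Service]
User=$(vault_user)
Group=$(vault_group)
ProtectSystem=full
ProtectHome=read-only
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP \$MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity

[Install]
WantedBy=multi-user.target
EOF
}

# Steps 1-4 of "Configure Vault settings": directory, config file, owner, mode.
create_config_dir() {
    mkdir -p "$(conf_dir)"
    [ -e "$(conf_file)" ] || : > "$(conf_file)"
    chown -R "$(vault_user):$(vault_group)" "$(conf_dir)"
    chmod 640 "$(conf_file)"   # readable by the vault user and group only
}

# "owner group mode" for a path, e.g. "vault vault 640" (GNU stat).
file_ident() { stat -c '%U %G %a' "$1"; }

# Check the layout: config not world-readable, unit present and keeping
# memory lockable for the cap_ipc_lock capability granted at install time.
verify_config_dir() {
    expect="$(vault_user) $(vault_group) 640"
    [ "$(file_ident "$(conf_file)")" = "$expect" ] ||
        { echo "bad owner/mode on $(conf_file): $(file_ident "$(conf_file)")" >&2; return 1; }
    [ -s "$(unit_file)" ] || { echo "missing unit: $(unit_file)" >&2; return 1; }
    grep -q '^LimitMEMLOCK=infinity$' "$(unit_file)" ||
        { echo "unit lacks LimitMEMLOCK=infinity" >&2; return 1; }
}

# Run on a real host as root: VAULT_SETUP_RUN=1 sh vault-setup.sh
if [ "${VAULT_SETUP_RUN:-0}" = "1" ]; then
    write_unit
    create_config_dir
    verify_config_dir
    [ -n "${VAULT_ROOT:-}" ] || systemctl daemon-reload
fi
```

ProtectSystem=full mounts /usr, /boot and /etc read-only for the service, which is fine for loading the PKCS #11 shared object and reading vault.hcl, but means any state the Futurex library wants to write must live elsewhere.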


Configure Managed Keys

The kms_library stanza of vault.hcl isolates the platform-specific configuration for managed keys. It defines logical names that the API configuration refers to, which keeps cluster-wide settings separate from node-specific details (such as the library path on each host) and from the deployment concerns of each.

To integrate a Vault Enterprise server with an HSM for the Managed Keys feature, the configuration file must define a kms_library stanza that provides the necessary connection information, as shown in the following example.

This guide sets the storage backend to the local file system (/tmp/vault) to make the verification step easy.

Example: vault.hcl


The example configuration defines the following parameters in its kms_library stanza:

Parameter   Description
name        The logical name that a managed key refers to.
library     The path to the PKCS #11 library shared object file.

You can define multiple kms_library stanzas, but the value of the name key must be unique across all stanza definitions, compared case-insensitively.

For the full list of configuration parameters, refer to the Vault documentation.

To configure Master Keys, perform the following steps:

  1. Edit vault.hcl as described in this section.
  2. Save your Vault license to a file on disk. In the preceding sample configuration file, this file is specified as License.txt.
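A complete vault.hcl for this guide's setup, added here as an example; it is not the page's own sample file and not a Futurex-supplied configuration. The storage path /tmp/vault and the License.txt name come from the text above; the listener address, the logical name futurex, and the shared-object path are assumptions, and the library path in particular is a placeholder to be replaced with the location of the Futurex PKCS #11 library on your host. The stanza label "pkcs11" is the kms_library type that Vault expects.

```hcl
# Added example vault.hcl; not the page's file. Values marked PLACEHOLDER are
# assumptions that must be replaced for your deployment.
ui = false

# The license file saved in step 2 above.
license_path = "/etc/vault.d/License.txt"

# Local file storage, as this guide uses to make verification easy.
# Not for production; use Integrated Storage or another supported backend.
storage "file" {
  path = "/tmp/vault"
}

# Loopback-only listener for the local test; TLS is off only because nothing
# leaves the host. Assumed address, not from the page.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

api_addr = "http://127.0.0.1:8200"

# Managed Keys: one logical library name per HSM platform. A managed key
# definition later refers to this stanza by its "name" value.
kms_library "pkcs11" {
  name    = "futurex"                                 # assumed logical name
  library = "/opt/PLACEHOLDER/libfuturex-pkcs11.so"   # PLACEHOLDER: real .so path
}

# A second stanza would need a name that differs from "futurex" even when case
# is ignored; "Futurex" would be rejected as a duplicate.
```

With this file in place, the server starts with `vault server -config=/etc/vault.d/vault.hcl` (the command the systemd unit runs), and a second terminal can then point VAULT_ADDR at the listener to check status. The library file must be readable by the vault user, since that is the account the service runs as.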

Start the Vault server

  1. Log in as the vault user.
  2. Run the following command to start the Vault server. If the command succeeds, expect output similar to the following example:
  3. Open a new terminal window and leave the terminal running where the Vault server was started.