Key management

Managed Keys


This document provides information about using Futurex PKCS #11 libraries to configure the Futurex KMES Series 3 with the HashiCorp Vault Managed Keys feature. For other questions about your KMES Series 3, see the relevant user guide.

Application description

From the HashiCorp Vault documentation website: Within certain environments, customers want or need to leverage key management systems external to Vault, when handling, storing, and interacting with private key material.

To satisfy these requirements, Vault has a centralized abstraction called Managed Keys. Different secrets engines can plug into this feature to delegate these operations to a trusted external KMS.

Minimally, a managed key consists of a named managed-key entry handled by the sys/managed-key API. Besides a name, a managed key has backend-specific configurations to access the key in question.

For PKCS #11 (HSM) backed managed keys, the managed key configuration must reference a kms_library stanza which points to a PKCS #11 access library on the host machine.

Note that a configured, named managed key corresponds to a single key within a backend. More than one managed key can be configured targeting a single backend by creating multiple managed keys with the API.
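As an added illustration (not text or configuration from this page, from HashiCorp, or from Futurex), the following Vault server configuration fragment shows the shape of the kms_library stanza that the description above refers to. The stanza name value and the library path are placeholder assumptions; substitute the path of the Futurex PKCS #11 library installed on the Vault host.

```hcl
# Added example: a kms_library stanza in the Vault server configuration file.
# The stanza type ("pkcs11") selects the PKCS #11 backend. "name" is the handle
# that a managed-key entry later references; "library" is the absolute path of
# the PKCS #11 access library on the host running Vault.
kms_library "pkcs11" {
  name    = "futurex"                                  # placeholder handle, assumed
  library = "/path/to/futurex/pkcs11/library.so"       # placeholder path, not from this page
}
```

The stanza only locates the library; it names no key. Each managed key is a separate entry created through the managed-key API, and that entry refers back to the stanza by its name value ("futurex" here) and carries the key-specific settings (which slot or token to open, the PIN, the key label and mechanism). Because the stanza holds no key-specific state, several managed keys can reference the same stanza, which is what the last paragraph above means by multiple managed keys targeting a single backend.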

Integration overview

To use the HashiCorp Managed Keys feature with the KMES Series 3, you must perform the following tasks:

  1. Install Futurex PKCS #11.
  2. Configure the KMES Series 3.
  3. Edit the Futurex PKCS #11 configuration file.
  4. Configure the Futurex PKCS #11 library with HashiCorp Vault.
  5. Test PKI operations.

The following sections describe how to perform these tasks.