Managed Keys
This document provides information about using Futurex PKCS #11 libraries to configure the Futurex KMES Series 3 with the HashiCorp Vault Managed Keys feature. For other questions about your KMES Series 3, see the relevant user guide.
From the HashiCorp Vault documentation website: Within certain environments, customers want or need to leverage key management systems external to Vault, when handling, storing, and interacting with private key material.
To satisfy these requirements, Vault has a centralized abstraction called Managed Keys. Different secrets engines can plug into this feature to delegate these operations to a trusted external KMS.
Minimally, a managed key consists of a named managed-key entry handled by the sys/managed-key API. Besides a name, a managed key has backend-specific configurations to access the key in question.
For PKCS #11 (HSM) backed managed keys, the managed key configuration must reference a kms_library stanza which points to a PKCS #11 access library on the host machine.
Note that a configured, named managed key corresponds to a single key within a backend. More than one managed key can be configured targeting a single backend by creating multiple managed keys with the API.
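As an added illustration, not taken from this guide or from Futurex, the kms_library stanza referenced in the quoted text looks like the following in a Vault server configuration file. The stanza name "futurex-kmes" and the library path are placeholders chosen here; the real path of the Futurex PKCS #11 shared object comes from your installation, which the later sections cover.

```hcl
# Added example: Vault server configuration (HCL) declaring the PKCS #11
# access library that managed keys will use.
#   name    - the label managed-key entries use to refer to this stanza
#   library - filesystem path of the PKCS #11 shared object on the Vault host
# Both values below are placeholders, not values from this document.
kms_library "pkcs11" {
  name    = "futurex-kmes"
  library = "/path/to/futurex/pkcs11/library.so"   # placeholder path
}
```

Each named managed-key entry created through the sys/managed-key API then carries a library parameter set to "futurex-kmes" (the stanza name), plus the backend-specific settings that select the key on the KMES, such as the key label or ID and the mechanism. Because the stanza only locates the access library, several managed keys can reference the same stanza while each targets a different key on the device, which matches the one-key-per-managed-key rule stated above. The PKCS #11 PIN that Vault uses to log in to the token is a parameter of the managed-key entry rather than of this stanza (an assumption drawn from Vault's documentation), so it belongs with the credentials you already protect for API writes, not in the server configuration file.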
To use the HashiCorp Managed Keys feature with the KMES Series 3, you must perform the following tasks:
- Install Futurex PKCS #11.
- Configure the KMES Series 3.
- Edit the Futurex PKCS #11 configuration file.
- Configure the Futurex PKCS #11 library with HashiCorp Vault.
- Test PKI operations.
The following sections describe how to perform these tasks.