2017-11-14 11:13:11 +00:00
---
2020-01-18 00:18:09 +00:00
layout: docs
page_title: PKCS11 - Seals - Configuration
2017-11-14 11:13:11 +00:00
description: |-
The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal
wrapping mechanism.
---
# `pkcs11` Seal
2022-09-02 16:01:29 +00:00
-> **Note:** The Seal Wrap functionality is enabled by default. For this reason, HSM must be available throughout Vault's runtime and not just during the unseal process. Refer to the [Seal Wrap](/docs/enterprise/sealwrap) documentation for more information.
2022-04-26 19:13:03 +00:00
2017-11-14 11:13:11 +00:00
The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrapping
mechanism. Vault Enterprise's HSM PKCS11 support is activated by one of the
following:
2020-01-18 00:18:09 +00:00
- The presence of a `seal "pkcs11"` block in Vault's configuration file
- The presence of the environment variable `VAULT_HSM_LIB` set to the library's
2017-11-14 11:13:11 +00:00
path as well as `VAULT_HSM_TYPE` set to `pkcs11`. If enabling via environment
variable, all other required values (i.e. `VAULT_HSM_SLOT`) must be also
supplied.
**IMPORTANT**: Having Vault generate its own key is the easiest way to get up
and running, but for security, Vault marks the key as non-exportable. If your
HSM key backup strategy requires the key to be exportable, you should generate
the key yourself. The list of creation attributes that Vault uses to generate
the key are listed at the end of this document.
## Requirements
The following software packages are required for Vault Enterprise HSM:
2018-02-21 14:05:36 +00:00
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
higher of PKCS#11. Depending on any given HSM, some functions (such as key
generation) may have to be performed manually.
- The [GNU libltdl
library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html)
— ensure that it is installed for the correct architecture of your servers
2017-11-14 18:12:35 +00:00
## `pkcs11` Example
This example shows configuring HSM PKCS11 seal through the Vault configuration
file by providing all the required values:
```hcl
seal "pkcs11" {
lib = "/usr/vault/lib/libCryptoki2_64.so"
2021-09-22 20:55:20 +00:00
slot = "2305843009213693953"
2017-11-14 18:12:35 +00:00
pin = "AAAA-BBBB-CCCC-DDDD"
key_label = "vault-hsm-key"
hmac_key_label = "vault-hsm-hmac-key"
}
```
2017-11-14 11:13:11 +00:00
## `pkcs11` Parameters
These parameters apply to the `seal` stanza in the Vault configuration file:
2017-11-14 18:12:35 +00:00
- `lib` `(string: <required>)`: The path to the PKCS#11 library shared object
2017-11-14 11:13:11 +00:00
file. May also be specified by the `VAULT_HSM_LIB` environment variable.
2021-09-22 20:55:20 +00:00
2022-02-09 18:02:44 +00:00
~> **Note:** Depending on your HSM, the value of the `lib` parameter may be
either a binary or a dynamic library, and its use may require other libraries
depending on which system the Vault binary is currently running on (e.g.: a
Linux system may require other libraries to interpret Windows .dll files).
2017-11-14 18:12:35 +00:00
2019-10-14 17:31:03 +00:00
- `slot` `(string: <slot or token label required>)`: The slot number to use,
2022-01-28 16:25:02 +00:00
specified as a string (e.g. `"2305843009213693953"`). May also be specified by
2021-09-22 20:55:20 +00:00
the `VAULT_HSM_SLOT` environment variable.
2022-01-28 16:25:02 +00:00
~> **Note**: Slots are typically listed as hex-decimal values in the OS setup
utility but this configuration uses their decimal equivalent. For example, using the
HSM command-line `pkcs11-tool`, a slot listed as `0x2000000000000001`in hex is equal
to `2305843009213693953` in decimal; these values may be listed shorter or
2021-09-22 20:55:20 +00:00
differently as determined by the HSM in use.
2018-05-07 20:33:38 +00:00
2019-10-14 17:31:03 +00:00
- `token_label` `(string: <slot or token label required>)`: The slot token label to
2018-05-07 20:33:38 +00:00
use. May also be specified by the `VAULT_HSM_TOKEN_LABEL` environment variable.
2017-11-14 18:12:35 +00:00
- `pin` `(string: <required>)`: The PIN for login. May also be specified by the
2017-11-14 11:13:11 +00:00
`VAULT_HSM_PIN` environment variable. _If set via the environment variable,
2021-11-24 17:50:34 +00:00
it will need to be re-set if Vault is restarted._
2017-11-14 18:12:35 +00:00
- `key_label` `(string: <required>)`: The label of the key to use. If the key
2017-11-14 11:13:11 +00:00
does not exist and generation is enabled, this is the label that will be given
to the generated key. May also be specified by the `VAULT_HSM_KEY_LABEL`
environment variable.
2017-11-14 18:12:35 +00:00
2018-04-25 13:59:06 +00:00
- `default_key_label` `(string: "")`: This is the default key label for decryption
2020-01-18 00:18:09 +00:00
operations. Prior to 0.10.1, key labels were not stored with the ciphertext.
Seal entries now track the label used in encryption operations. The default value
for this field is the `key_label`. If `key_label` is rotated and this value is not
2019-10-14 17:31:03 +00:00
set, decryption may fail. May also be specified by the `VAULT_HSM_DEFAULT_KEY_LABEL`
2020-01-18 00:18:09 +00:00
environment variable. This value is ignored in new installations.
2018-04-25 13:59:06 +00:00
2022-01-28 16:25:02 +00:00
- `key_id` `(string: "")`: The ID of the key to use. The value should be a hexadecimal
string (e.g., "0x33333435363434373537"). May also be specified by the
`VAULT_HSM_KEY_ID` environment variable.
2017-11-14 18:12:35 +00:00
- `hmac_key_label` `(string: <required>)`: The label of the key to use for
2018-02-21 14:05:36 +00:00
HMACing. This needs to be a suitable type. If Vault tries to create this it
will attempt to use CKK_GENERIC_SECRET_KEY. If the key does not exist and
generation is enabled, this is the label that will be given to the generated
key. May also be specified by the `VAULT_HSM_HMAC_KEY_LABEL` environment
variable.
2017-11-14 18:12:35 +00:00
2018-08-08 19:53:40 +00:00
- `default_hmac_key_label` `(string: "")`: This is the default HMAC key label for signing
2020-01-18 00:18:09 +00:00
operations. Prior to 0.10.1, HMAC key labels were not stored with the signature.
Seal entries now track the label used in signing operations. The default value
for this field is the `hmac_key_label`. If `hmac_key_label` is rotated and this
2019-10-14 17:31:03 +00:00
value is not set, signature verification may fail. May also be specified by the
2020-01-18 00:18:09 +00:00
`VAULT_HSM_HMAC_DEFAULT_KEY_LABEL` environment variable. This value is ignored in
2018-04-25 13:59:06 +00:00
new installations.
2019-10-14 17:31:03 +00:00
2022-01-28 16:25:02 +00:00
- `hmac_key_id` `(string: "")`: The ID of the HMAC key to use. The value should be a
hexadecimal string (e.g., "0x33333435363434373537"). May also be specified by the
`VAULT_HSM_HMAC_KEY_ID` environment variable.
2018-05-07 20:34:39 +00:00
- `mechanism` `(string: <best available>)`: The encryption/decryption mechanism to use,
2019-10-14 17:31:03 +00:00
specified as a decimal or hexadecimal (prefixed by `0x`) string. May also be
2022-01-28 16:25:02 +00:00
specified by the `VAULT_HSM_MECHANISM` environment variable.
2018-04-25 13:59:06 +00:00
Currently supported mechanisms (in order of precedence):
2018-04-25 14:16:41 +00:00
2020-01-18 00:18:09 +00:00
- `0x1085` `CKM_AES_CBC_PAD` (HMAC mechanism required)
- `0x1082` `CKM_AES_CBC` (HMAC mechanism required)
- `0x1087` `CKM_AES_GCM`
- `0x0009` `CKM_RSA_PKCS_OAEP`
- `0x0001` `CKM_RSA_PKCS`
2017-11-14 18:12:35 +00:00
2020-05-12 15:56:41 +00:00
~> **Warning**: CKM_RSA_PKCS specifies the PKCS #1 v1.5 padding scheme, which is
2020-12-17 21:53:33 +00:00
in considered less secure than OAEP. Where possible, use of CKM_RSA_PKCS_OAEP is
2020-05-12 15:56:41 +00:00
recommended over CKM_RSA_PKCS.
2017-11-14 18:12:35 +00:00
- `hmac_mechanism` `(string: "0x0251")`: The encryption/decryption mechanism to
2017-11-14 11:13:11 +00:00
use, specified as a decimal or hexadecimal (prefixed by `0x`) string.
Currently only `0x0251` (corresponding to `CKM_SHA256_HMAC` from the
specification) is supported. May also be specified by the
2018-04-25 13:59:06 +00:00
`VAULT_HSM_HMAC_MECHANISM` environment variable. This value is only required
for specific mechanisms.
2017-11-14 18:12:35 +00:00
- `generate_key` `(string: "false")`: If no existing key with the label
2017-11-14 11:13:11 +00:00
specified by `key_label` can be found at Vault initialization time, instructs
Vault to generate a key. This is a boolean expressed as a string (e.g.
`"true"`). May also be specified by the `VAULT_HSM_GENERATE_KEY` environment
2018-02-21 14:05:36 +00:00
variable. Vault may not be able to successfully generate keys in all
circumstances, such as if proprietary vendor extensions are required to
create keys of a suitable type.
2017-11-14 18:12:35 +00:00
2022-01-28 16:25:02 +00:00
- `force_rw_session` `(string: "false")`: Force all operations to open up
a read-write session to the HSM. This is a boolean expressed as a string (e.g.
`"true"`). May also be specified by the `VAULT_HSM_FORCE_RW_SESSION` environment
variable. This key is mainly to work around a limitation within AWS's CloudHSM v5
pkcs11 implementation.
2022-05-09 17:12:30 +00:00
- `disabled` `(string: "")`: Set this to `true` if Vault is migrating from an auto seal configuration. Otherwise, set to `false`.
Refer to the [Seal Migration](/docs/concepts/seal#seal-migration) documentation for more information about the seal migration process.
2018-05-07 17:50:45 +00:00
### Mechanism Specific Flags
- `rsa_encrypt_local` `(string: "false")`: For HSMs that do not support encryption
2020-01-18 00:18:09 +00:00
for RSA keys, perform encryption locally. Available for mechanisms
`CKM_RSA_PKCS_OAEP` and `CKM_RSA_PKCS`. May also be specified by the
2018-05-07 17:50:45 +00:00
`VAULT_HSM_RSA_ENCRYPT_LOCAL` environment variable.
2019-05-31 02:20:57 +00:00
- `rsa_oaep_hash` `(string: "sha256")`: Specify the hash algorithm to use for RSA
2020-01-18 00:18:09 +00:00
with OAEP padding. Valid values are sha1, sha224, sha256, sha384, and sha512.
Available for mechanism `CKM_RSA_PKCS_OAEP`. May also be specified by the
2018-05-07 17:50:45 +00:00
`VAULT_HSM_RSA_OAEP_HASH` environment variable.
2017-11-14 11:13:11 +00:00
~> **Note:** Although the configuration file allows you to pass in
2020-01-18 00:18:09 +00:00
`VAULT_HSM_PIN` as part of the seal's parameters, it is _strongly_ recommended
2017-11-14 11:13:11 +00:00
to set this value via environment variables.
## `pkcs11` Environment Variables
Alternatively, the HSM seal can be activated by providing the following
environment variables:
```text
2018-05-07 17:50:45 +00:00
VAULT_HSM_LIB
VAULT_HSM_TYPE
VAULT_HSM_SLOT
2018-05-07 20:33:38 +00:00
VAULT_HSM_TOKEN_LABEL
2018-05-07 17:50:45 +00:00
VAULT_HSM_PIN
VAULT_HSM_KEY_LABEL
VAULT_HSM_DEFAULT_KEY_LABEL
2022-01-28 16:25:02 +00:00
VAULT_HSM_KEY_ID
2018-05-07 17:50:45 +00:00
VAULT_HSM_HMAC_KEY_LABEL
VAULT_HSM_HMAC_DEFAULT_KEY_LABEL
2022-01-28 16:25:02 +00:00
VAULT_HSM_HMAC_KEY_ID
2018-05-07 17:50:45 +00:00
VAULT_HSM_MECHANISM
VAULT_HSM_HMAC_MECHANISM
VAULT_HSM_GENERATE_KEY
VAULT_HSM_RSA_ENCRYPT_LOCAL
VAULT_HSM_RSA_OAEP_HASH
2022-01-28 16:25:02 +00:00
VAULT_HSM_FORCE_RW_SESSION
2017-11-14 11:13:11 +00:00
```
## Vault Key Generation Attributes
If Vault generates the HSM key for you, the following is the list of attributes
it uses. These identifiers correspond to official PKCS#11 identifiers.
2018-05-07 17:50:45 +00:00
### AES Key
2020-01-18 00:18:09 +00:00
- `CKA_CLASS`: `CKO_SECRET_KEY` (It's a secret key)
- `CKA_KEY_TYPE`: `CKK_AES` (Key type is AES)
- `CKA_VALUE_LEN`: `32` (Key size is 256 bits)
- `CKA_LABEL`: Set to the key label set in Vault's configuration
- `CKA_ID`: Set to a random 32-bit unsigned integer
- `CKA_PRIVATE`: `true` (Key is private to this slot/token)
- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
2017-11-14 11:13:11 +00:00
session only)
2020-01-18 00:18:09 +00:00
- `CKA_SENSITIVE`: `true` (Key is a sensitive value)
- `CKA_ENCRYPT`: `true` (Key can be used for encryption)
- `CKA_DECRYPT`: `true` (Key can be used for decryption)
- `CKA_WRAP`: `true` (Key can be used for wrapping)
- `CKA_UNWRAP`: `true` (Key can be used for unwrapping)
- `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
2018-02-21 14:05:36 +00:00
2018-05-07 17:50:45 +00:00
### RSA Key
_Public Key_
2020-01-18 00:18:09 +00:00
- `CKA_CLASS`: `CKO_PUBLIC_KEY` (It's a public key)
- `CKA_KEY_TYPE`: `CKK_RSA` (Key type is RSA)
- `CKA_LABEL`: Set to the key label set in Vault's configuration
- `CKA_ID`: Set to a random 32-bit unsigned integer
- `CKA_ENCRYPT`: `true` (Key can be used for encryption)
- `CKA_WRAP`: `true` (Key can be used for wrapping)
- `CKA_MODULUS_BITS`: `2048` (Key size is 2048 bits)
- `CKA_PUBLIC_EXPONENT`: `0x10001` (Public exponent of 65537)
- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
2018-05-07 17:50:45 +00:00
session only)
_Private Key_
2020-01-18 00:18:09 +00:00
- `CKA_CLASS`: `CKO_PRIVATE_KEY` (It's a private key)
- `CKA_KEY_TYPE`: `CKK_RSA` (Key type is RSA)
- `CKA_LABEL`: Set to the key label set in Vault's configuration
- `CKA_ID`: Set to a random 32-bit unsigned integer
- `CKA_DECRYPT`: `true` (Key can be used for decryption)
- `CKA_UNWRAP`: `true` (Key can be used for unwrapping)
- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
2018-05-07 17:50:45 +00:00
session only)
2020-01-18 00:18:09 +00:00
- `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
2018-05-07 17:50:45 +00:00
### HMAC Key
2018-02-21 14:05:36 +00:00
2020-01-18 00:18:09 +00:00
- `CKA_CLASS`: `CKO_SECRET_KEY` (It's a secret key)
- `CKA_KEY_TYPE`: `CKK_GENERIC_SECRET_KEY` (Key type is a generic secret key)
- `CKA_VALUE_LEN`: `32` (Key size is 256 bits)
- `CKA_LABEL`: Set to the HMAC key label set in Vault's configuration
- `CKA_ID`: Set to a random 32-bit unsigned integer
- `CKA_PRIVATE`: `true` (Key is private to this slot/token)
- `CKA_TOKEN`: `true` (Key persists to the slot/token rather than being for one
2018-02-21 14:05:36 +00:00
session only)
2020-01-18 00:18:09 +00:00
- `CKA_SENSITIVE`: `true` (Key is a sensitive value)
- `CKA_SIGN`: `true` (Key can be used for signing)
- `CKA_VERIFY`: `true` (Key can be used for verifying)
- `CKA_EXTRACTABLE`: `false` (Key cannot be exported)
2018-04-25 13:59:06 +00:00
## Key Rotation
This seal supports rotating keys by using different key labels to track key versions. To rotate
the key value, generate a new key in a different key label in the HSM and update Vault's
2020-01-18 00:18:09 +00:00
configuration with the new key label value. Restart your vault instance to pick up the new key
2019-10-14 17:31:03 +00:00
label and all new encryption operations will use the updated key label. Old keys must not be disabled
2018-04-25 13:59:06 +00:00
or deleted and are used to decrypt older data.
2019-10-14 17:31:03 +00:00
**NOTE**: Prior to version 0.10.1, key information was not tracked with the ciphertext. If
rotation is desired for data that was seal wrapped prior to this version must also set
2018-04-25 13:59:06 +00:00
`default_key_label` and `hmac_default_key_label` to allow for decryption of older values.
2019-10-14 17:31:03 +00:00
2022-04-04 17:05:34 +00:00
## Tutorial
2019-10-14 17:31:03 +00:00
Refer to the [HSM Integration - Seal Wrap](https://learn.hashicorp.com/vault/operations/ops-seal-wrap)
2022-04-04 17:05:34 +00:00
tutorial to learn how to enable the Seal Wrap feature to protect your data.