From 422c1898c843978b15ac53584202bf3651c847d7 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Thu, 16 Nov 2017 11:04:46 -0500
Subject: [PATCH] Update upgrade guide with HSM info

---
 CHANGELOG.md                                             | 4 ++++
 website/source/guides/upgrading/upgrade-to-0.9.0.html.md | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6e0998db..883472e14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 DEPRECATIONS/CHANGES:
 
+ * HSM config parameter requirements: When using Vault with an HSM, a new
+   paramter is required: `hmac_key_label`.  This performs a similar function to
+   `key_label` but for the HMAC key Vault will use. Vault will generate a
+   suitable key if this value is specified and `generate_key` is set true.
  * API HTTP client behavior: When calling `NewClient` the API no longer
    modifies the provided client/transport. In particular this means it will no
    longer enable redirection limiting and HTTP/2 support on custom clients. It
diff --git a/website/source/guides/upgrading/upgrade-to-0.9.0.html.md b/website/source/guides/upgrading/upgrade-to-0.9.0.html.md
index 47a3b2a1d..36f8bc4cb 100644
--- a/website/source/guides/upgrading/upgrade-to-0.9.0.html.md
+++ b/website/source/guides/upgrading/upgrade-to-0.9.0.html.md
@@ -71,6 +71,14 @@ for the encryption keyring itself.
 To better reflect its actual use, the `generic` backend is now `kv`. Using
 `generic` will still work for backwards compatibility.
 
+### HSM Users Need to Specify New Config Options (In 0.9)
+
+When using Vault with an HSM, a new paramter is required: `hmac_key_label`.
+This performs a similar function to `key_label` but for the HMAC key Vault will
+use. Vault will generate a suitable key if this value is specified and
+`generate_key` is set true. See [the seal configuration page][pkcs11-seal] for
+more information.
+
 ### API HTTP client behavior (In 0.9)
 
 When calling `NewClient` the API no longer modifies the provided
@@ -111,3 +119,4 @@ Audit request and response entires are still in RFC3339 format but now have a
 granularity of nanoseconds.
 
 [generate-root]: https://www.vaultproject.io/api/secret/pki/index.html#generate-root
+[pkcs11-seal]: https://www.vaultproject.io/docs/configuration/seal/pkcs11.html