Introduction
The PKCS11 encryption/decryption mechanism that Vault uses for auto-unseal with the pkcs11 seal type can be configured explicitly.
The mechanism can be configured by either of the following two methods:
- Set the mechanism parameter in the PKCS11 seal stanza of the Vault configuration file.
- Set the VAULT_HSM_MECHANISM environment variable.
Prerequisites
- Vault Enterprise+HSM
Issue
In this scenario the mechanism has not been explicitly configured, and it is necessary to determine which mechanism Vault is currently using.
Solution
Set the Vault operational log level to TRACE, then restart Vault so that the PKCS11 auto-unseal process runs again and is logged. This can be done on a standby node to minimise disruption.
Example of the information that can then be seen in the Vault operational log:
[TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad
Outcome
In the above example, we can determine that mechanism=0x1085 (aes-cbc-pad) is in use.
It should be noted that when no mechanism is explicitly configured, Vault will use the highest mechanism available in the environment, so the selected mechanism can differ between HSMs.
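The following is an added example, not code from the article or from HashiCorp, that automates the check described above: it scans captured Vault operational log lines for the "pkcs11 mechanism selected" entry, decodes the mechanism identifier, and optionally compares it with a mechanism value from the seal stanza or VAULT_HSM_MECHANISM. The log lines are constructed for the example. The mapping from hex identifiers to CKM_* names comes from the PKCS#11 specification, and the assumption that the mechanism setting is a decimal or 0x-prefixed hexadecimal string is made here for the example, not taken from the article.

```python
import re
from typing import Optional, Tuple

# Standard PKCS#11 mechanism identifiers (values from the PKCS#11 specification;
# the list is illustrative, not a statement of which mechanisms Vault supports).
PKCS11_MECHANISMS = {
    0x0001: "CKM_RSA_PKCS",
    0x0009: "CKM_RSA_PKCS_OAEP",
    0x1082: "CKM_AES_CBC",
    0x1085: "CKM_AES_CBC_PAD",
    0x1087: "CKM_AES_GCM",
}

# Matches the TRACE line shown in the article; a timestamp or other prefix is allowed.
SELECTED_RE = re.compile(
    r"\[TRACE\]\s+seal\.pkcs11:\s+pkcs11 mechanism selected:\s+"
    r"mechanism=(?P<mech>0x[0-9A-Fa-f]+)\s+name=(?P<name>\S+)"
)

# Constructed sample log (not real Vault output) with unrelated lines around the entry.
SAMPLE_LOG = """\
2024-01-01T00:00:00.000Z [INFO]  core: seal configuration missing, not initialized
2024-01-01T00:00:01.000Z [TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad
2024-01-01T00:00:01.500Z [INFO]  core: post-unseal setup starting
"""


def find_selected_mechanism(log_text: str) -> Optional[Tuple[int, str]]:
    """Return (mechanism_id, name) from the last 'mechanism selected' line, or None."""
    found = None
    for line in log_text.splitlines():
        match = SELECTED_RE.search(line)
        if match:
            found = (int(match.group("mech"), 16), match.group("name"))
    return found


def parse_mechanism_setting(value: str) -> int:
    """Parse a mechanism setting written as decimal ('4229') or hex ('0x1085')."""
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16)
    return int(value, 10)


def check_mechanism(log_text: str, configured: Optional[str] = None) -> dict:
    """Summarise the mechanism Vault selected and compare it with an explicit setting.

    'configured' is the value from the seal stanza's mechanism parameter or from
    VAULT_HSM_MECHANISM, if one was set; None means Vault chose the mechanism itself.
    """
    selected = find_selected_mechanism(log_text)
    if selected is None:
        # No TRACE entry: log level was probably not TRACE when the unseal ran.
        return {"found": False, "hint": "set log level to TRACE and restart the node"}

    mech_id, vault_name = selected
    report = {
        "found": True,
        "mechanism_hex": f"0x{mech_id:04x}",
        "vault_name": vault_name,
        # Cross-check the numeric identifier against the standard constant name.
        "pkcs11_name": PKCS11_MECHANISMS.get(mech_id, "unknown"),
    }
    if configured is not None:
        expected = parse_mechanism_setting(configured)
        # A mismatch means the explicit setting did not take effect as intended.
        report["matches_configured"] = expected == mech_id
    return report


if __name__ == "__main__":
    print(check_mechanism(SAMPLE_LOG))
    print(check_mechanism(SAMPLE_LOG, configured="0x1087"))
```

Run it against a copy of the operational log captured after the restart, or pipe `journalctl -u vault` output into `check_mechanism`; a result with `matches_configured` set to False indicates that the value in the seal stanza or VAULT_HSM_MECHANISM is not the mechanism that actually performed the unseal.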
Additional Information
- Vault Documentation: pkcs11 Seal
- Vault Documentation: pkcs11 mechanism parameter
- Vault Documentation: pkcs11 Environment Variables
- Vault Tutorial: HSM Integration - Seal Wrap