Introduction
When Vault is configured for auto-unseal with the PKCS11 seal type, the PKCS11 encryption/decryption mechanism it uses can be configured explicitly.
The mechanism can be configured by either of the following two methods:
- Set the mechanism parameter in the PKCS11 seal stanza of the Vault configuration file.
- Set the VAULT_HSM_MECHANISM environment variable.
If no mechanism is set, Vault chooses one from its currently supported mechanisms in order of precedence.
Prerequisites
- Vault Enterprise+HSM
Issue
In this scenario the mechanism has not been explicitly configured, but it may still be necessary to determine which mechanism Vault has chosen.
Solution
- Set the Vault operational log level to TRACE.
- Restart Vault to initiate the PKCS11 auto-unseal process.
- This can be done on a standby node to minimise disruption.
- Monitor the Vault logs on startup for the following output:
[TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad
Outcome
In the example above, the log line shows that Vault selected mechanism=0x1085 (reported as name=aes-cbc-pad).
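As an added check (example script, not part of the original article), the POSIX shell function below pulls the selected mechanism out of a saved Vault log and returns non-zero when the TRACE line is absent, which usually means the log level was not raised before the restart. The log file path and the filler log lines are constructed for the demonstration; only the "pkcs11 mechanism selected" line matches what the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): extract the PKCS11 mechanism
# that Vault reports at TRACE level during auto-unseal from a saved log file.
# Assumes the startup log was captured to a file whose path is passed as $1.

# Print "mechanism=<hex> name=<name>" for the selected PKCS11 mechanism, or
# return 1 if no such line exists (typically because log_level is not trace).
vault_pkcs11_mechanism() {
  logfile="$1"
  line=$(grep 'seal.pkcs11: pkcs11 mechanism selected' "$logfile" | head -n 1)
  [ -n "$line" ] || return 1
  # Greedy .* anchors on the last "mechanism=" so the selector text before it is skipped.
  mech=$(printf '%s\n' "$line" | sed -n 's/.*mechanism=\([^ ]*\).*/\1/p')
  name=$(printf '%s\n' "$line" | sed -n 's/.*name=\([^ ]*\).*/\1/p')
  printf 'mechanism=%s name=%s\n' "$mech" "$name"
}

# Constructed sample logs: one captured at TRACE, one at INFO (no mechanism line).
TRACE_LOG=$(mktemp)
INFO_LOG=$(mktemp)
cat >"$TRACE_LOG" <<'EOF'
2024-01-01T00:00:00.000Z [INFO]  core: constructed filler line before unseal
2024-01-01T00:00:00.001Z [TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad
2024-01-01T00:00:00.002Z [INFO]  core: constructed filler line after unseal
EOF
cat >"$INFO_LOG" <<'EOF'
2024-01-01T00:00:00.000Z [INFO]  core: constructed filler line before unseal
2024-01-01T00:00:00.002Z [INFO]  core: constructed filler line after unseal
EOF

vault_pkcs11_mechanism "$TRACE_LOG"   # prints: mechanism=0x1085 name=aes-cbc-pad
vault_pkcs11_mechanism "$INFO_LOG" || echo "no mechanism line found: was log_level set to trace before the restart?"
```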
Additional Information
- Vault Documentation: pkcs11 Seal
- Vault Documentation: pkcs11 mechanism parameter
- Vault Documentation: pkcs11 Environment Variables
- Vault Tutorial: HSM Integration - Seal Wrap