When Vault is configured for auto-unseal with the PKCS11 seal type, the PKCS11 encryption/decryption mechanism it uses can be set explicitly.
The mechanism can be configured by either of the following two methods:
- Set the mechanism parameter in the PKCS11 seal stanza of the Vault configuration file.
- Set the VAULT_HSM_MECHANISM environment variable.
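As an added illustration of the two methods (not taken from the article), here is a pkcs11 seal stanza carrying the mechanism parameter, the equivalent environment variable, and a small POSIX shell check that reports which mechanism, if any, has been explicitly set. The library path, slot, PIN and key labels are placeholders, and the check reports the environment variable ahead of the file; that ordering is an assumption about precedence, not something the article states.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article): the two ways to pin the
# PKCS11 mechanism. All HSM details below are placeholders.

# Method 1: the mechanism parameter inside the pkcs11 seal stanza of the
# Vault configuration file. Writing it via a heredoc keeps the example
# self-contained; in practice the stanza lives in the server config.
write_seal_stanza() {
  cat > "$1" <<'EOF'
seal "pkcs11" {
  lib            = "/usr/lib/softhsm/libsofthsm2.so"   # placeholder path
  slot           = "0"                                 # placeholder slot
  pin            = "1234"                              # placeholder PIN
  key_label      = "vault-hsm-key"                     # placeholder label
  hmac_key_label = "vault-hsm-hmac-key"                # placeholder label
  mechanism      = "0x1085"                            # CKM_AES_CBC_PAD
}
EOF
}

# Method 2: the environment variable read by the vault process at startup.
#   export VAULT_HSM_MECHANISM=0x1085

# configured_mechanism CONFIGFILE
#   Prints the explicitly configured mechanism, checking the environment
#   variable first (assumed precedence) and then the config file.
#   Exits 1 when neither is set, i.e. Vault will choose a mechanism itself.
configured_mechanism() {
  if [ -n "${VAULT_HSM_MECHANISM:-}" ]; then
    echo "$VAULT_HSM_MECHANISM"
    return 0
  fi
  # Match only the top-level "mechanism" key, not "hmac_mechanism".
  sed -n 's/^[[:space:]]*mechanism[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
    | grep .
}

main() {
  cfg=$(mktemp)
  write_seal_stanza "$cfg"
  if m=$(configured_mechanism "$cfg"); then
    echo "mechanism explicitly configured: $m"
  else
    echo "no mechanism configured; Vault will select one at unseal time"
  fi
  rm -f "$cfg"
}
main
```

Running the script prints the mechanism from the generated stanza; with `VAULT_HSM_MECHANISM` exported in the environment it reports that value instead.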
- Vault Enterprise+HSM
In this scenario the mechanism has not been explicitly configured, but it is necessary to determine which mechanism is currently in use by Vault.
Set the Vault operational log level to trace, then restart Vault so that it performs the PKCS11 auto-unseal and logs the mechanism it selects. Doing this on a standby node minimises disruption.
Example of what information can be seen in the Vault Operational log:
[TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad
In the above example, we can determine that mechanism=0x1085 is in use.
Note that when no mechanism is configured, Vault uses the highest-ranked mechanism available in the environment, so the mechanism selected can differ from one HSM environment to another.
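The extraction step above, as an added example rather than anything from the article: a POSIX shell function that pulls the selected mechanism out of a captured operational log and maps the code to its PKCS#11 constant name. The mapping covers the mechanism codes the Vault pkcs11 seal documentation lists; the log excerpt is constructed and its timestamps are placeholders.

```shell
#!/bin/sh
# Added example (not from the HashiCorp article): find the mechanism Vault
# selected by reading a TRACE-level operational log.

# Constructed sample log excerpt. The real line is emitted by seal.pkcs11
# when Vault starts and performs the auto-unseal at log level trace.
SAMPLE_LOG='2024-01-01T00:00:00.000Z [INFO]  core: seal configuration set
2024-01-01T00:00:01.000Z [TRACE] seal.pkcs11: pkcs11 mechanism selected: mechanism=0x1085 name=aes-cbc-pad
2024-01-01T00:00:02.000Z [INFO]  core: vault is unsealed'

# selected_mechanism LOGFILE
#   Prints the hex mechanism code from the last "mechanism selected" line,
#   or exits 1 if there is none (typically the log level was not trace).
selected_mechanism() {
  grep 'seal.pkcs11: pkcs11 mechanism selected' "$1" \
    | sed -n 's/.*mechanism=\(0x[0-9a-fA-F]*\).*/\1/p' \
    | tail -n 1 \
    | grep .
}

# mechanism_name CODE
#   PKCS#11 constant name for the codes the Vault pkcs11 seal documents.
mechanism_name() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    0x1085)        echo CKM_AES_CBC_PAD ;;
    0x1087)        echo CKM_AES_GCM ;;
    0x1082)        echo CKM_AES_CBC ;;
    0x0009|0x9)    echo CKM_RSA_PKCS_OAEP ;;
    0x0001|0x1)    echo CKM_RSA_PKCS ;;
    *)             echo UNKNOWN ;;
  esac
}

main() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  if code=$(selected_mechanism "$tmp"); then
    echo "mechanism in use: $code ($(mechanism_name "$code"))"
  else
    echo "no mechanism line found; is log_level set to trace?" >&2
  fi
  rm -f "$tmp"
}
main
```

Point `selected_mechanism` at the real operational log (or at journal output redirected to a file) after the restart; an empty result means the line was never logged, which is the symptom of the log level not being at trace when the unseal ran.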
- Vault Documentation: pkcs11 Seal
- Vault Documentation: pkcs11 mechanism parameter
- Vault Documentation: pkcs11 Environment Variables
- Vault Tutorial: HSM Integration - Seal Wrap