Introduction
Problem
When Vault is launched by systemd and a Thales Luna HSM is being configured for auto-seal for the first time, Vault may be unable to connect to the Thales Luna appliance.
Cause
- The error message received relates to the Vault unseal process being unable to access the Luna and find the appropriate slot, even though it can be verified with pkcs11-tool that the instance currently hosting Vault can connect to the Thales Luna device.
Solution
The Thales Luna configuration file (Chrystoki.conf) assigns device access to the hsmusers group, and Vault's executing user needs to be added to this group in order to access and interface with the device.
Outcome
Once the executing Vault user has been added to the correct group, restart the Vault service (systemctl restart vault). If any changes were made to Vault's systemd unit file, run systemctl daemon-reload before restarting. After the restart, Vault will be able to connect to the HSM device.
Further Diagnosis
If Vault still has issues connecting to the Thales Luna device, or reports slot-specific errors, confirm that the device is reachable as the Vault user, for example with the OpenSC tools:
# set the .so module path to the lib value from the seal stanza in the Vault HCL
HSM_LIB=$(grep -E '^[[:space:]]*lib[[:space:]]*=' /etc/vault.d/vault.hcl | head -n 1 | cut -d'"' -f2)
# attempt an HSM slot listing as the 'vault' executing user
sudo -u vault pkcs11-tool --module "${HSM_LIB}" -L
# use the HSM slot by its hex or short value, matching what is set in Vault (decimal in HCL)
sudo -u vault pkcs11-tool --module "${HSM_LIB}" -l -t --slot=0x327f87a4
Additionally, an ExecStartPre directive can be added to the Vault unit file. This executes the pkcs11-tool binary as the user and group specified in the unit file before Vault itself starts, so a group or permission problem surfaces in the unit's journal output rather than as a seal error. This requires a systemctl daemon-reload before the next restart (older systemd versions require an absolute path to the binary, for example /usr/bin/pkcs11-tool).
ExecStartPre=pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
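A pre-flight script that combines the checks from the Solution and Further Diagnosis sections (group membership, module readability and a slot listing as the Vault user), added here as an example and not HashiCorp or Thales code. It assumes the seal stanza in vault.hcl carries lib and slot values and that the Luna client group is hsmusers; the slot helper converts the decimal HCL value into the hex form that pkcs11-tool also accepts.

```shell
#!/bin/sh
# Pre-flight check for Vault auto-seal against a Luna HSM. Example added for this
# article, not HashiCorp or Thales tooling. Assumed: the seal stanza in vault.hcl
# has lib = "..." and slot = "..." lines, and the Luna client group is hsmusers.

# First lib = "..." value in a Vault HCL file: the PKCS#11 module path.
seal_lib_path() {
  sed -n -E 's/^[[:space:]]*lib[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$1" | head -n 1
}

# Vault keeps the slot in decimal; print the 0x hex form that pkcs11-tool also accepts.
seal_slot_hex() {
  slot=$(sed -n -E 's/^[[:space:]]*slot[[:space:]]*=[[:space:]]*"?([0-9]+)"?.*/\1/p' "$1" | head -n 1)
  [ -n "$slot" ] || return 1
  printf '0x%x\n' "$slot"
}

# 0 if USER is a primary or supplementary member of GROUP, 1 otherwise.
user_in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# Run all checks for USER (default vault) and GROUP (default hsmusers) against HCL_FILE.
preflight() {
  hcl=$1; user=${2:-vault}; group=${3:-hsmusers}; rc=0
  lib=$(seal_lib_path "$hcl")
  if [ -z "$lib" ]; then
    echo "FAIL: no lib = \"...\" line found in $hcl"; return 1
  fi
  if user_in_group "$user" "$group"; then
    echo "OK:   $user is a member of $group"
  else
    echo "FAIL: $user is not in $group (usermod -aG $group $user, then restart Vault)"; rc=1
  fi
  if sudo -n -u "$user" test -r "$lib" 2>/dev/null; then
    echo "OK:   $user can read $lib"
  else
    echo "FAIL: $user cannot read $lib (check group ownership and mode)"; rc=1
  fi
  if command -v pkcs11-tool >/dev/null 2>&1; then
    # Same listing as in the article, run as the Vault user; a failure here is the symptom.
    sudo -n -u "$user" pkcs11-tool --module "$lib" -L || rc=1
  else
    echo "SKIP: pkcs11-tool (opensc) is not installed"
  fi
  return $rc
}
```

Run it as root with the HCL path, for example `preflight /etc/vault.d/vault.hcl vault hsmusers`, before restarting the service.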