Luna HSM Error: Unable to set token version into newly created table: attempt to write a readonly database

Problem

• Error message on Vault startup: Unable to set token version into newly created table: attempt to write a readonly database

• The error is visible when running systemctl status vault command

Prerequisites

• Vault Enterprise
• Thales HSM with Luna client

Cause

• The error message originates from the Thales Luna client installed on a Vault node
• By default, Vault’s systemd unit uses ProtectSystem=full, making /usr read-only. Luna client is installed under /usr/safenet and may require write access, which explains the readonly database error

Solution:

• Test this change on one node first

• Update the Vault systemd service file to include ReadWritePaths=/usr/safenet as an exception to ProtectSystem

• Reload systemd configuration systemctl daemon-reload

Outcome

Additional Information

• ProtectSystem setting