Problem
After starting Vault, the following error is observed in the Vault operational log:
licensing could not be initialized: "HSM" feature required when using "pkcs11" seal
Prerequisites
- Vault Enterprise
Cause
- You are using the HSM feature, which according to our official documentation is part of Vault Enterprise Plus, but the license that was supplied is not a Vault Enterprise Plus license.
Solutions
- Vault offers different levels of Enterprise licenses. Please contact your Customer Success Manager or Account Manager to obtain the Vault Enterprise Plus license first, and ensure that the Vault Enterprise Plus license is correctly installed.
- Alternatively, in the absence of a Vault Enterprise Plus license, a Cloud KMS seal such as the AWS KMS seal can be used. If the HSM seal is not used, ensure that the pkcs11 seal is not present in the Vault configuration and that the Vault +ent.hsm binaries are not used. Note that if a pkcs11 seal is already in use in the current Vault environment, you will still need the Vault Enterprise Plus license to get Vault started first, and can then perform a seal migration from the HSM seal to the KMS seal.
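As an added example (not HashiCorp's code), the following Python script scans a Vault configuration for seal stanzas and checks a version string for the +ent.hsm suffix, the two things the second solution asks you to verify. The sample configuration, its placeholder values and the function names are constructed for illustration; the parser assumes flat seal stanzas and full-line comments only.

```python
import re

# Constructed sample: an HSM seal being migrated to AWS KMS (all values are placeholders).
SAMPLE_CONFIG = '''
# old HSM seal, kept only as the migration source
seal "pkcs11" {
  lib       = "/usr/lib/placeholder-pkcs11.so"
  key_label = "placeholder-key"
  disabled  = "true"
}

seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "placeholder-key-id"
}
'''

SEAL_RE = re.compile(r'^\s*seal\s+"([^"]+)"\s*\{(.*?)^\s*\}', re.S | re.M)
DISABLED_RE = re.compile(r'^\s*disabled\s*=\s*"?true"?\s*$', re.M)

def strip_comments(text):
    """Drop full-line # and // comments so commented-out stanzas are ignored."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(("#", "//")))

def find_seals(config_text):
    """Return [(seal_type, disabled)] for each seal stanza in the config."""
    body = strip_comments(config_text)
    return [(m.group(1), bool(DISABLED_RE.search(m.group(2)))) for m in SEAL_RE.finditer(body)]

def preflight(config_text, version_line):
    """List the conditions this page ties to the HSM licensing error."""
    findings = []
    for seal_type, disabled in find_seals(config_text):
        if seal_type == "pkcs11":
            # A disabled pkcs11 stanza is a migration source; the license is still needed to start.
            state = "marked disabled (migration source)" if disabled else "active"
            findings.append(f'seal "pkcs11" is {state}: needs a license with the HSM feature')
    if "+ent.hsm" in version_line:
        findings.append("binary is a +ent.hsm build")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG, "Vault v0.0.0+ent.hsm (constructed)"):
        print(finding)
```

An empty result means neither condition was found in the inputs given; pass the real configuration file contents and the output of `vault version` in place of the constructed samples.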
Additional Information
- https://learn.hashicorp.com/tutorials/nomad/hashicorp-enterprise-license?in=vault/enterprise
- https://www.vaultproject.io/docs/enterprise/hsm
- https://www.vaultproject.io/docs/configuration/seal/pkcs11
- https://www.vaultproject.io/docs/configuration/seal/awskms
- https://www.vaultproject.io/docs/concepts/seal#seal-migration