Problem
Creating a managed key that offloads key generation to an external HSM may fail with the following error:
{"@level":"error","@message":"Key generation for managed key XXXX failed: no supported rsa key generation mechanisms found","@module":"managedKeyRegistry","@timestamp":"2022-08-17T11:41:55.938617+02:00"}
Prerequisites
- Vault version 1.10+
- HSM with FIPS enabled
Cause
After invoking the Vault sys/managed-key/... API, the error noted above may be observed. The failure is caused by an incompatibility between the RSA key-generation mechanisms Vault requests and those the HSM permits in FIPS mode. As stated in the FIPS-enabled Luna HSM guide:
> only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes
The RSA key-generation mechanisms available on a FIPS-enabled Luna HSM are limited to:
- CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
- CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
However, Vault only supports:
- CKM_RSA_X9_31_KEY_PAIR_GEN
- CKM_RSA_PKCS_KEY_PAIR_GEN
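As an added pre-flight check (example code written for this article, not Vault's or Thales' own), the following reproduces the mechanism selection that fails above: it takes the token's mechanism list, for instance parsed from OpenSC's `pkcs11-tool --list-mechanisms` output (line format assumed), and reports whether Vault would find one of its two RSA key-generation mechanisms. The sample output and the X9.31-before-PKCS preference order are constructed assumptions.

```python
import re
from typing import Iterable, Optional

# RSA key-pair-generation mechanisms Vault can use (from this article); trying
# X9.31 before PKCS is an assumption of this example, not documented Vault order.
VAULT_RSA_KEYGEN_MECHS = ("CKM_RSA_X9_31_KEY_PAIR_GEN", "CKM_RSA_PKCS_KEY_PAIR_GEN")
# Mechanisms a Luna HSM offers in FIPS mode (from this article).
LUNA_FIPS_RSA_KEYGEN_MECHS = frozenset({
    "CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN",
    "CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN",
})
# Constructed sample of `pkcs11-tool --module <lib> --list-mechanisms` output for a
# token that is NOT in FIPS mode. OpenSC's dashed mechanism names and the
# "generate_key_pair" flag are assumed here; check against your client version.
SAMPLE_NON_FIPS_OUTPUT = """Supported mechanisms:
  SHA256, digest
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair
  RSA-X9-31-KEY-PAIR-GEN, keySize={1024,4096}, generate_key_pair
  RSA-PKCS, keySize={1024,4096}, hw, encrypt, decrypt, sign, verify
"""

def parse_keygen_mechanisms(text: str) -> set:
    """Key-pair-generation mechanisms from pkcs11-tool output, normalised to the
    CKM_ form the article uses (RSA-PKCS-KEY-PAIR-GEN -> CKM_RSA_PKCS_KEY_PAIR_GEN).
    Vendor mechanisms OpenSC cannot name print as mechtype-0x... and stay verbatim."""
    mechs = set()
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_\-]+),.*\bgenerate_key_pair\b", line)
        if m:
            name = m.group(1)
            mechs.add(name if name.startswith("mechtype-") else "CKM_" + name.replace("-", "_"))
    return mechs

def select_vault_rsa_mechanism(token_mechs: Iterable[str]) -> Optional[str]:
    """First Vault-supported mechanism the token offers; None is exactly the
    'no supported rsa key generation mechanisms found' condition."""
    offered = set(token_mechs)
    return next((m for m in VAULT_RSA_KEYGEN_MECHS if m in offered), None)

def diagnose(token_mechs: Iterable[str]) -> str:
    """Pre-flight verdict to run before creating an RSA managed key."""
    offered = set(token_mechs)
    chosen = select_vault_rsa_mechanism(offered)
    if chosen:
        return f"OK: Vault can generate RSA keys with {chosen}"
    if offered & LUNA_FIPS_RSA_KEYGEN_MECHS:
        return ("FAIL: token offers only FIPS 186-3 RSA key generation; "
                "disable FIPS mode or remap the mechanism (see Solutions)")
    return "FAIL: token offers no RSA key-pair-generation mechanism Vault supports"
```

Running `diagnose(LUNA_FIPS_RSA_KEYGEN_MECHS)` reproduces the failing case from the log above, while the non-FIPS sample passes.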
Solutions
- Disable FIPS mode and retry key generation
- Luna HSM provides a mechanism remap feature to circumvent this limitation