Introduction
Problem
Trying to register a key that was generated manually in an external HSM through Vault's managed-keys endpoint may fail with the following error:
URL: PUT http://127.0.0.1:8200/v1/sys/managed-keys/pkcs11/vault-pki-root
Code: 500. Errors:
* 1 error occurred:
* unsupported managed key type
Prerequisites (if applicable)
- Vault versions: 1.10.x and higher
Cause
- Per the managed-keys API documentation, mechanism is a required parameter for the pkcs11 key type: it is the PKCS#11 mechanism identifier (a hexadecimal value prefixed with 0x) that Vault will use with the key. If the key is registered from the HSM into the managed-key registry without this parameter, Vault cannot determine how the key is to be used and the write fails with the error above.
Overview of possible solutions (if applicable)
Solutions:
- The write succeeds when the key is registered with the mechanism parameter included, for example:
vault write sys/managed-keys/pkcs11/vault-pki-root library=softhsm pin=12344 key_label=vault_pki_root token_label=BNP-1.12 mechanism=0x000d
Success! Data written to: sys/managed-keys/pkcs11/vault-pki-root
Note: the mechanism parameter has been added. 0x000d is CKM_RSA_PKCS_PSS; use the mechanism that matches the key type in the HSM and that the HSM actually supports for that key, otherwise the write may succeed but later signing operations will fail. The key_label must refer to a key object that already exists in the token, since Vault is registering an existing key rather than generating one.
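The following is an added example (not part of the original article, and not Vault's own tooling) that wraps the vault write call above with a pre-flight check, so a missing or malformed mechanism is reported by name instead of surfacing as Vault's generic "unsupported managed key type" error. The article itself only states that mechanism is required; the other parameters checked here (library, key_label, pin, and one of slot or token_label) follow the Vault managed-keys API documentation as understood by the author of this example, and the names register_managed_key, check_pkcs11_args and describe_mechanism are this example's own. The sample argument values are the ones from the article.

```shell
#!/bin/sh
# Added example: pre-flight validation of pkcs11 managed-key parameters
# before calling `vault write sys/managed-keys/pkcs11/<name>`.
# Not part of the original article or of Vault. The required-parameter
# list follows the Vault managed-keys API docs as this example's author
# reads them; the article itself names only `mechanism` as required.

# get_arg KEY key=value ... : print the value for KEY, exit 1 if absent.
get_arg() {
  key="$1"; shift
  for kv in "$@"; do
    case "$kv" in
      "$key"=*) printf '%s' "${kv#*=}"; return 0 ;;
    esac
  done
  return 1
}

# check_pkcs11_args key=value ... : exit 0 when the parameter set is
# complete and `mechanism` is a 0x-prefixed hexadecimal PKCS#11 id,
# exit 1 otherwise with the reason on stderr.
check_pkcs11_args() {
  rc=0
  for required in library key_label pin mechanism; do
    if ! get_arg "$required" "$@" >/dev/null; then
      echo "missing required pkcs11 parameter: $required" >&2
      rc=1
    fi
  done
  if ! get_arg slot "$@" >/dev/null && ! get_arg token_label "$@" >/dev/null; then
    echo "one of slot or token_label is required" >&2
    rc=1
  fi
  mech=$(get_arg mechanism "$@") || return "$rc"
  hex="${mech#0x}"
  case "$mech" in
    0x*) ;;
    *) echo "mechanism must be 0x-prefixed hexadecimal, got '$mech'" >&2; rc=1 ;;
  esac
  case "$hex" in
    ""|*[!0-9A-Fa-f]*) echo "mechanism '$mech' is not a hexadecimal id" >&2; rc=1 ;;
  esac
  return "$rc"
}

# describe_mechanism 0x....: name a few common PKCS#11 mechanism ids so the
# operator can confirm the id matches the key type stored in the HSM.
describe_mechanism() {
  case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
    0x0001) echo CKM_RSA_PKCS ;;
    0x000d) echo CKM_RSA_PKCS_PSS ;;
    0x1041) echo CKM_ECDSA ;;
    *) echo "unknown (check the HSM's supported mechanism list)" ;;
  esac
}

# register_managed_key NAME key=value ... : validate, then perform the write.
register_managed_key() {
  name="$1"; shift
  check_pkcs11_args "$@" || return 1
  mech=$(get_arg mechanism "$@")
  echo "registering $name with mechanism $mech ($(describe_mechanism "$mech"))"
  vault write "sys/managed-keys/pkcs11/$name" "$@"
}

# Usage (values taken from the article):
#   ./managed-key.sh vault-pki-root library=softhsm pin=12344 \
#       key_label=vault_pki_root token_label=BNP-1.12 mechanism=0x000d
if [ "$#" -gt 0 ]; then
  register_managed_key "$@"
fi
```

Running the script without mechanism=... reports "missing required pkcs11 parameter: mechanism" and exits before contacting Vault; with the full argument set from the article it prints the mechanism name (CKM_RSA_PKCS_PSS for 0x000d) and issues the same vault write shown above.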