kms_library Stanza

The kms_library stanza isolates platform-specific configuration for managed keys. It defines logical names that the managed-key API configuration references, so that cluster-specific and node-specific details, and the deployment concerns of each, stay separate from that API configuration.

At the moment, managed keys are only available as a feature of the Vault Enterprise HSM edition.

Requirements

The following software packages are required for Vault Enterprise HSM:

  • A PKCS#11-compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on the HSM, some functions (such as key generation) may have to be performed manually.
  • The GNU libltdl library; ensure that it is installed for the correct architecture of your servers.

Configuration

Multiple kms_library stanzas can be defined. The only restriction is that the value of the name key must be unique across all stanza definitions, compared case-insensitively.

The type argument only supports "pkcs11" at the moment.

Example kms_library stanza:

kms_library [TYPE] {
  name = "<logical name>"
  # ...
}

pkcs11 Parameters

These parameters apply to the kms_library stanza of type pkcs11 in the Vault configuration file:

  • name (string: <required>): The logical name to be referenced by a managed key.
  • library (string: <required>): The path to the PKCS#11 library shared object file.

For example:

kms_library "pkcs11" {
  name = "hsm1"
  library = "/usr/lib/Cryptoki.so"
}
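As an added pre-deployment check (example code written for this page, not part of Vault), the following Python linter parses kms_library stanzas of the shape shown above and reports the violations this page describes: a type other than pkcs11, a missing name or library, and names that collide when compared case-insensitively. The sample configuration is constructed, and the regex-based parser is an assumption that handles only the quoted-string attribute form shown here, not full HCL.

```python
import re

# Constructed sample config (not from the page): one valid stanza plus two
# that violate rules stated in the kms_library documentation.
SAMPLE_CONFIG = '''
kms_library "pkcs11" {
  name    = "hsm1"
  library = "/usr/lib/Cryptoki.so"
}

kms_library "pkcs11" {
  name    = "HSM1"             # collides with "hsm1" (names are compared case-insensitively)
  library = "/usr/lib/Cryptoki.so"
}

kms_library "kmip" {           # only "pkcs11" is supported, and no library path given
  name = "kmip1"
}
'''

STANZA_RE = re.compile(r'kms_library\s+"([^"]*)"\s*\{(.*?)\}', re.DOTALL)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)

def parse_kms_library(config: str) -> list[dict[str, str]]:
    """Extract kms_library stanzas as dicts of their quoted-string attributes.
    Minimal parser for the stanza shape shown in the docs, not full HCL."""
    stanzas = []
    for type_, body in STANZA_RE.findall(config):
        attrs = dict(ATTR_RE.findall(body))
        attrs["type"] = type_
        stanzas.append(attrs)
    return stanzas

def lint_kms_library(config: str) -> list[str]:
    """Return one message per rule violation; an empty list means clean."""
    problems = []
    seen = {}  # lowercased name -> spelling first seen, for the uniqueness rule
    for i, st in enumerate(parse_kms_library(config), 1):
        where = f"stanza #{i}"
        if st["type"] != "pkcs11":
            problems.append(f'{where}: unsupported type "{st["type"]}"')
        if not st.get("name"):
            problems.append(f"{where}: missing required 'name'")
        elif st["name"].lower() in seen:
            problems.append(f'{where}: name "{st["name"]}" duplicates "{seen[st["name"].lower()]}"')
        else:
            seen[st["name"].lower()] = st["name"]
        if not st.get("library"):
            problems.append(f"{where}: missing required 'library'")
    return problems
```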