`Vault status` shows seal type shamir after vault initialization. (vault enterprise version with HSM and pkcs11 seal type configured)


bankat vikhe

Sep 23, 2019, 3:19:35 AM9/23/19
to Vault

Hi Team,


We are trying to integrate Vault Enterprise with the HSM and have the below config in the Vault config file.

ui = true

telemetry {
  statsd_address = "localhost:<statsd port>"
  disable_hostname = false
}

pid_file = "<vault.pid file >"

listener "tcp" {
  address = "0.0.0.0:<Vault Port>"
  tls_disable = "false"
  tls_cert_file = ".pem file"
  tls_key_file = ".pem file"
  tls_disable_client_certs = "true"
}

# PKCS11 seal
seal "pkcs11" {
  lib = "/library path/libCryptoki2_64.so"
  slot = "0"
  pin = "password"
  key_label = "HashiCorp_key"
  hmac_key_label = "hmac_key"
  generate_key = "true"
}

api_addr = "https://< vault hostname >:<vault port>"

storage "consul" {
  address = "localhost:<consul port>"
  path = "<consul kv path>"
  consistency_mode = "default"
  max_parallel = "128"
  service = "<registered service name>"
  scheme = "http"
  token = "xxx-xxx-xxx-xxx"
}



After Vault starts and before it is initialized, the `vault status` command shows seal type pkcs11, but after initializing Vault, `vault status` shows seal type shamir.


# vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   true
Total Recovery Shares    1
Threshold                1
Unseal Progress          0/1
Unseal Nonce             n/a
Version                  1.1.3+ent.hsm
HA Enabled               false


Is this expected behavior?








Nick Cabatoff

Sep 23, 2019, 8:30:01 AM9/23/19
to vault...@googlegroups.com
Hi Bankat,

Actually vault status is showing that the recovery seal is of type shamir, which is normal.  When using an autoseal you get recovery keys which are used to ensure human authorization for certain operations, as described here: https://www.vaultproject.io/docs/enterprise/hsm/behavior.html

It does look like you have a problem with your seal setup though, since it hasn't been unsealed, which should've happened automatically if properly configured.  Also you said "and before initializing it", but the output above says "Initialized: true".

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/344ea059-6cc9-48d6-a56a-e5e28b8503b7%40googlegroups.com.

Harshal Vaidya

Sep 23, 2019, 9:00:17 AM9/23/19
to Vault
Nick - Thanks for responding. 
In that case, if we ever need to know what the backend seal type is, what do we do?
Is the only way to ascertain that to look at Vault's config file?


On Monday, September 23, 2019 at 6:00:01 PM UTC+5:30, Nick Cabatoff wrote:
Hi Bankat,

Actually vault status is showing that the recovery seal is of type shamir, which is normal.  When using an autoseal you get recovery keys which are used to ensure human authorization for certain operations, as described here: https://www.vaultproject.io/docs/enterprise/hsm/behavior.html

It does look like you have a problem with your seal setup though, since it hasn't been unsealed, which should've happened automatically if properly configured.  Also you said "and before initializing it", but the output above says "Initialized: true".


Nick Cabatoff

Sep 23, 2019, 9:13:13 AM9/23/19
to vault...@googlegroups.com
I would recommend that you look at the vault config file to get this information, yes.  Technically you could read the information from the storage path core/seal-config (the value is stored encoded with base64), but since this isn't a public interface it could change in future Vault versions without warning.

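The two points made in this thread (with an auto-seal, the `type` that `vault status` reports is the recovery seal, and the configured barrier seal is best read from the config file rather than from storage) can be turned into a small health check. This is an added example, not code from the thread or from Vault itself; the JSON sample is constructed from the table output posted above, and it assumes the `type`, `initialized`, `sealed` and `recovery_seal` fields of `vault status -format=json`.

```python
import json
import re

# Constructed sample of `vault status -format=json`, modelled on the table output
# posted in this thread (sealed after init, recovery seal of type shamir).
SAMPLE_STATUS = json.dumps({
    "type": "shamir", "initialized": True, "sealed": True,
    "t": 1, "n": 1, "progress": 0, "nonce": "",
    "version": "1.1.3+ent.hsm", "recovery_seal": True,
    "storage_type": "consul", "ha_enabled": False,
})

# Constructed trimmed config in the shape of the one posted above.
SAMPLE_CONFIG = '''
seal "pkcs11"{
  lib = "/library path/libCryptoki2_64.so"
  slot = "0"
}
storage "consul" { address = "localhost:8500" }
'''


def seal_type_from_config(hcl_text):
    """Seal type declared in the Vault config file; no seal stanza means shamir."""
    m = re.search(r'^\s*seal\s+"([^"]+)"\s*\{', hcl_text, re.MULTILINE)
    return m.group(1) if m else "shamir"


def interpret_status(status_json):
    """Explain what `type` means and flag a node that is still sealed under an auto-seal."""
    s = json.loads(status_json)
    autoseal = bool(s.get("recovery_seal"))
    findings = []
    if autoseal:
        # With an auto-seal, `type` describes the recovery key shares, not the barrier seal.
        findings.append("type=%s is the recovery seal type, not the barrier seal" % s["type"])
        if s.get("initialized") and s.get("sealed"):
            # Auto-unseal should have run at startup; staying sealed points at the seal stanza or HSM.
            findings.append("initialized but still sealed: auto-unseal did not run, check the seal config")
    return {"autoseal": autoseal, "reported_type": s["type"], "findings": findings}


def check(status_json, hcl_text):
    """Combine the status view with the config view and flag a mismatch between them."""
    r = interpret_status(status_json)
    r["configured_seal"] = seal_type_from_config(hcl_text)
    if r["configured_seal"] != "shamir" and not r["autoseal"]:
        r["findings"].append("config declares %s seal but status reports no recovery seal" % r["configured_seal"])
    return r
```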