Unable to get HSM working with Vault

Rob Clatterbuck

May 1, 2018, 2:26:13 PM
to Vault
I may be missing something very simple, but I'm not able to find any guides or walkthroughs for configuring an HSM (SafeNet Luna SA) as a pkcs11 seal in Windows.

I have the Luna SA client installed and configured:
c:\Program Files\SafeNet\LunaClient>VTL.exe verify
The following Luna SA Slots/Partitions were found:
Slot    Serial #        Label
====    ========        =====
 1      487904032       Test1

c:\Program Files\SafeNet\LunaClient>


I have Vault set up under C:\vault

I have the following in a configuration file:
seal "pkcs11" {
  lib            = "C:\\Program Files\\SafeNet\\LunaClient\\cryptoki.dll"
  slot           = "1"
  pin            = "<<PIN HERE>>"
  key_label      = "vault-hsm-key"
  hmac_key_label = "vault-hsm-hmac-key"
  generate_key   = "true"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
storage "file" {
  path           = "C:\\vault"
}

I start vault with this command:
c:\vault>vault server -config VaultConfig.txt
WARNING! mlock is not supported on this system! An mlockall(2)-like syscall to
prevent memory from being swapped to disk is not supported on this system. For
better security, only run Vault on systems where this call is supported. If
you are running Vault in a Docker container, provide the IPC_LOCK cap to the
container.
==> Vault server configuration:
                     Cgo: disabled
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
                 Storage: file
                 Version: Vault v0.10.1
             Version Sha: 756fdc4587350daf1c65b93647b2cc31a6f119cd
==> Vault server started! Log data will stream in below:


But checking status I see:
c:\vault>vault status
Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            0.10.1
HA Enabled         true
c:\vault>

It's using shamir for seal type, and no keys are created on the HSM.

Any ideas what I'm missing? I've gone through vault init - and vault unseal - everything looks to be working except that it's not using the HSM.

Thanks,
Rob
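The symptom above is a Vault that starts without complaint but reports "Seal Type shamir" although the config carries a seal "pkcs11" stanza. The following post-start check is an added example, not code from the thread or from HashiCorp: it compares the seal named in the HCL config with the one the running server reports, and flags the mismatch. The `+ent.hsm` version suffix used by `is_hsm_build` is an assumption about how HSM-capable Enterprise builds label themselves; the sample config and status text are constructed from the values in this post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify that the seal Vault actually
# came up with matches the seal configured in the HCL file.

configured_seal() {   # $1 = HCL config text; prints the seal type name
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*seal[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

running_seal() {      # $1 = `vault status` table output; prints "Seal Type" value
  printf '%s\n' "$1" | awk '$1 == "Seal" && $2 == "Type" { print $3; exit }'
}

seal_matches() {      # $1 = config text, $2 = status text; 0 = match, 1 = mismatch
  local want have
  want=$(configured_seal "$1")
  have=$(running_seal "$2")
  [ -n "$want" ] && [ "$want" = "$have" ]
}

is_hsm_build() {      # $1 = `vault version` output; ASSUMPTION: HSM builds carry "+ent.hsm"
  case "$1" in *+ent.hsm*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample input, taken from the config and status shown in the post.
SAMPLE_CONFIG='seal "pkcs11" {
  lib       = "C:\\Program Files\\SafeNet\\LunaClient\\cryptoki.dll"
  slot      = "1"
  key_label = "vault-hsm-key"
}
storage "file" { path = "C:\\vault" }'

SAMPLE_STATUS='Key                Value
---                -----
Seal Type          shamir
Sealed             true
Total Shares       5'

if seal_matches "$SAMPLE_CONFIG" "$SAMPLE_STATUS"; then
  echo "seal OK: server is using $(running_seal "$SAMPLE_STATUS")"
else
  echo "seal MISMATCH: config wants '$(configured_seal "$SAMPLE_CONFIG")'," \
       "server reports '$(running_seal "$SAMPLE_STATUS")'" >&2
  echo "check that the binary is an HSM-capable build before trusting this seal" >&2
fi
```

Against a live server run it as `seal_matches "$(cat VaultConfig.txt)" "$(vault status)"`; note that `vault status` exits non-zero while the server is sealed, so do not wrap that call in `set -e` assignments.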


Jason Martin

May 1, 2018, 6:03:16 PM
to vault...@googlegroups.com
On Tue, May 01, 2018 at 11:26:13AM -0700, Rob Clatterbuck wrote:
> I may be missing something very simple, but I'm not able to find any guides
> or walkthroughs for configuring an HSM (SafeNet Luna SA) as a pksc11 seal
> in Windows.

HSM unsealing is one of the Vault Premium features; is that what
you're running?

https://www.vaultproject.io/docs/enterprise/hsm/index.html

-Jason Martin

Rob Clatterbuck

May 2, 2018, 10:41:06 AM
to Vault
Thanks for the pointer - it looks like I was not using the right version.
I tried signing up for the demo of the premium version, downloaded the binary from that email, and loaded the license file that was sent.
The demo license seems to be for 30 minutes rather than 30 days - and when trying to launch it, it says I need an HSM binary.

c:\vault>vault server -dev
….
2018-05-02T10:34:35.208-0400 [WARN ] core.licensing: core: licensing warning: expiration_time="2018-05-02 11:03:35 -0400 EDT" time_left=29m0s
….

c:\vault>vault server -config VaultConfig.txt
WARNING! mlock is not supported on this system! An mlockall(2)-like syscall to
prevent memory from being swapped to disk is not supported on this system. For
better security, only run Vault on systems where this call is supported. If
you are running Vault in a Docker container, provide the IPC_LOCK cap to the
container.
Error parsing Seal configuration: Seal type 'pkcs11' requires the Vault Enterprise HSM binary
c:\vault>

Jeff Mitchell

May 2, 2018, 11:06:40 AM
to Vault
Hi there,

There is a separate binary required for HSM support. Please get in contact through https://www.hashicorp.com/go/vault-enterprise if you would like to get a demo or evaluation of the HSM version. Also please note that at this time only linux/amd64 is supported for HSM integration.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/85e97e92-260e-4244-bbf8-3e0ac4ffe224%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Rob Clatterbuck

May 2, 2018, 11:15:06 AM
to Vault
Thanks - I hadn't seen these details anywhere online.
I'll configure a Linux system and reach out to support for the missing files.

Rob Clatterbuck

May 8, 2018, 9:16:58 AM
to Vault

I've been emailing 2 people at HashiCorp but still no luck with getting the HSM Binary.
I've reconfigured my setup to a Linux 64bit server, with the eval version of Vault Premium and am back to the point of the error message "Error parsing Seal configuration: Seal type 'pkcs11' requires the Vault Enterprise HSM binary".
Any suggestions for other contacts that may be able to help with this?

Thanks,
Rob

leons...@gmail.com

Dec 2, 2018, 11:10:40 PM
to Vault
Hi Rob,

I'm running into the same problem now - trying to configure vault with the PKCS11 seal and the eval version of Vault Enterprise. Did you ever manage to resolve your issue?

Leon

Jeff Mitchell

Dec 2, 2018, 11:13:09 PM
to vault...@googlegroups.com
Hi Leon,

Are you evaluating the normal or HSM binary?

Best,
Jeff


Leon Sheldon

Dec 2, 2018, 11:24:52 PM
to vault...@googlegroups.com
Hi Jeff,

Thanks for the quick reply! Maybe that is my issue - I did not know there was a specific HSM binary. I went to https://www.hashicorp.com/products/vault/trial and downloaded from there. `vault --version` gives me: `Vault v0.11.0+ent ('0d2e728cd3efbc58b7669a04c0c3b152982e6ae4')`

Leon
