mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 15:11:07 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
63 lines
2.2 KiB
Plaintext
63 lines
2.2 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: kms_library - Configuration
|
|
description: >-
|
|
Configure the kms_library stanza to customize node-specific access to KMS
|
|
access libraries
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# `kms_library` stanza
|
|
|
|
The `kms_library` stanza isolates platform specific configuration for managed keys.
|
|
It defines logical names that are referenced within an API configuration keeping cluster
|
|
and node specific details separated along with deployment concerns for each.
|
|
|
|
At the moment managed keys are only available as a feature set within Vault Enterprise HSM edition.
|
|
|
|
## Requirements
|
|
|
|
The following software packages are required for Vault Enterprise HSM:
|
|
|
|
- PKCS#11 compatible HSM integration library. Vault targets version 2.2 or
|
|
higher of PKCS#11. Depending on any given HSM, some functions (such as key
|
|
generation) may have to be performed manually.
|
|
- The [GNU libltdl
|
|
library](https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html)
|
|
— ensure that it is installed for the correct architecture of your servers
|
|
|
|
## Configuration
|
|
|
|
Multiple kms_library stanza's can be defined with the only limitation that the value for the
|
|
name key needs to be a unique value across all the stanza definitions in a case-insensitive
|
|
manner.
|
|
|
|
The type argument only supports "pkcs11" at the moment.
|
|
|
|
Example `kms_library` stanza:
|
|
|
|
```hcl
|
|
kms_library [TYPE] {
|
|
name = "<logical name>"
|
|
# ...
|
|
}
|
|
```
|
|
|
|
## `pkcs11` parameters
|
|
|
|
These parameters apply to the `kms_library` stanza of type `pkcs11` in the Vault configuration file:
|
|
|
|
- `name` `(string: <required>)`: The logical name to be referenced by a managed key
|
|
- `library` `(string: <required>)`: The path to the PKCS#11 library shared object file.
|
|
|
|
For example:
|
|
|
|
```hcl
|
|
kms_library "pkcs11" {
|
|
name = "hsm1"
|
|
library = "/usr/lib/Cryptoki.so"
|
|
}
|
|
```
|