Auto-unseal with multiple HSM backends

Is it possible to configure Vault auto-unseal with multiple HSM backends? This is useful for cases where a subset of the HSM backends may be unavailable, as long as a threshold of the HSM backends are available, the Vault server can auto-unseal itself.

Hi Shang,

It’s not possible at this time. There is a github issue tracking this feature request: https://github.com/hashicorp/vault/issues/6046

1 Like

I am looking at a similar problem… My HSM (nCipher XConnect something something) form a HSM cluster. I’m hoping that pointing Vault to some kind of address provided by the HSM cluster will do.

Testing with bare metal HSM is hard and takes forever :frowning: