Auto-unseal with multiple HSM backends

Is it possible to configure Vault auto-unseal with multiple HSM backends? This is useful for cases where a subset of the HSM backends may be unavailable: as long as a threshold of the HSM backends is available, the Vault server can auto-unseal itself.

Hi Shang,

It’s not possible at this time. There is a github issue tracking this feature request: https://github.com/hashicorp/vault/issues/6046


I am looking at a similar problem… My HSMs (nCipher XConnect something something) form an HSM cluster. I’m hoping that pointing Vault to some kind of address provided by the HSM cluster will do.

Testing with bare metal HSM is hard and takes forever ☹

Previously I successfully integrated Vault with an HSM that was password-enabled, and it was up and running.
I am at a remote location connected to the network, trying to start the Vault server integrated with a PED-enabled HSM device.
I have added the HSM configuration to the Vault config file but don’t know what I should set as the pin in order to access the HSM from the Vault server.
I have tried entering the admin password, the Crypto Officer PIN and the PED device attached to the HSM, but I am still unable to start Vault.

error parsing Seal configuration: error fetching session to test HSM key configuration: error logging in to HSM: pkcs11: 0x80000028
2021-07-13T05:39:54.367-0400 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""

config:
{
  "pkcs11": {
    "generate_key": "true",
    "hmac_key_label": "HashiCorp_hmac",
    "key_label": "HashiCorp",
    "lib": "/opt/vault/hsm/libCryptoki2_64.so",
    "pin": "xxxxx",
    "slot": "1"
  }
}
Any suggestions please!
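An added helper for reading the `pkcs11: 0x...` value in the error above (example code, not part of this thread or of Vault): it pulls the PKCS#11 return value out of the Vault log line and checks it against the standard CKR_* table, flagging anything at or above CKR_VENDOR_DEFINED (0x80000000) as a vendor-specific code that has to be looked up in the HSM vendor's own Cryptoki error table rather than the PKCS#11 specification. The standard code table below is a subset copied from the PKCS#11 specification; the sample log line is the one quoted in the post.

```python
import re

# Subset of standard PKCS#11 return values (CKR_*) that typically show up
# when a seal's session/login fails. Values are from the PKCS#11 specification.
CKR_NAMES = {
    0x00000003: "CKR_SLOT_ID_INVALID",
    0x00000005: "CKR_GENERAL_ERROR",
    0x00000006: "CKR_FUNCTION_FAILED",
    0x00000007: "CKR_ARGUMENTS_BAD",
    0x00000030: "CKR_DEVICE_ERROR",
    0x000000A0: "CKR_PIN_INCORRECT",
    0x000000A1: "CKR_PIN_INVALID",
    0x000000A2: "CKR_PIN_LEN_RANGE",
    0x000000A3: "CKR_PIN_EXPIRED",
    0x000000A4: "CKR_PIN_LOCKED",
    0x000000E0: "CKR_TOKEN_NOT_PRESENT",
    0x00000100: "CKR_USER_ALREADY_LOGGED_IN",
    0x00000101: "CKR_USER_NOT_LOGGED_IN",
    0x00000102: "CKR_USER_PIN_NOT_INITIALIZED",
    0x00000103: "CKR_USER_TYPE_INVALID",
}
# Per the spec, every return value >= CKR_VENDOR_DEFINED is vendor-specific.
CKR_VENDOR_DEFINED = 0x80000000

# Vault's pkcs11 seal reports the raw return value as "pkcs11: 0x<hex>".
ERR_RE = re.compile(r"pkcs11:\s*(0x[0-9A-Fa-f]+)")


def extract_ckr(log_line):
    """Return the CKR_* value embedded in a Vault seal error line, or None."""
    match = ERR_RE.search(log_line)
    return int(match.group(1), 16) if match else None


def classify_ckr(code):
    """Map a CKR_* value to (name, where to look it up)."""
    if code >= CKR_VENDOR_DEFINED:
        offset = code - CKR_VENDOR_DEFINED
        return ("CKR_VENDOR_DEFINED+0x%X" % offset,
                "the HSM vendor's Cryptoki error table, not the PKCS#11 spec")
    name = CKR_NAMES.get(code, "CKR_0x%08X (standard code not in this table)" % code)
    return (name, "PKCS#11 specification return values")


# The error line quoted in the post above.
SAMPLE_LINE = ("error parsing Seal configuration: error fetching session to test "
               "HSM key configuration: error logging in to HSM: pkcs11: 0x80000028")

if __name__ == "__main__":
    code = extract_ckr(SAMPLE_LINE)
    print("0x%08X -> %s (see: %s)" % ((code,) + classify_ckr(code)))
```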