Is it possible to configure Vault auto-unseal with multiple HSM backends? This would be useful for cases where a subset of the HSM backends may be unavailable: as long as a threshold of the HSM backends is available, the Vault server can auto-unseal itself.
It's not possible at this time. There is a GitHub issue tracking this feature request: https://github.com/hashicorp/vault/issues/6046
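For reference, this is the shape of the single-backend PKCS#11 seal stanza that Vault Enterprise accepts today. It is an added illustration, not configuration from the thread or from the linked issue; the library path, slot number, key labels and listener address are placeholders. The point it makes is structural: the stanza takes exactly one `lib`, `slot` and `pin`, so there is nowhere to express a second backend or a threshold, which is what the feature request asks for.

```hcl
# Example Vault server configuration with HSM auto-unseal (added illustration).
# Only ONE pkcs11 seal stanza is honoured, and it points at ONE PKCS#11 library
# and ONE slot. Any failover between HSM units has to happen inside the vendor's
# PKCS#11 library, not in Vault.

storage "raft" {
  path    = "/opt/vault/data"       # placeholder path
  node_id = "vault-1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"      # placeholder; put TLS in front in production
  tls_disable = true
}

seal "pkcs11" {
  lib            = "/usr/lib/libCryptoki2_64.so"  # placeholder: your vendor's PKCS#11 library
  slot           = "0"                            # placeholder slot number
  # pin is deliberately omitted here; supply it via the VAULT_HSM_PIN
  # environment variable so the secret does not live in this file.
  key_label      = "vault-hsm-key"                # AES key used to wrap the root key
  hmac_key_label = "vault-hsm-hmac-key"           # HMAC key used for integrity
  generate_key   = "true"                         # create the keys on first unseal if absent
}

api_addr     = "http://127.0.0.1:8200"   # placeholder
cluster_addr = "https://127.0.0.1:8201"  # placeholder
```

Vault calls `C_Initialize` on the one library named in `lib`; if that library cannot reach its HSM, Vault stays sealed. A "cluster" of HSMs therefore only helps if the vendor library itself transparently fails over between units behind that single slot.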
I am looking at a similar problem... My HSMs (nCipher XConnect something something) form an HSM cluster. I'm hoping that pointing Vault to some kind of address provided by the HSM cluster will do.
Testing with bare metal HSM is hard and takes forever