Minimum PKCS11 functions exposed by HSM?

Is there a specification of the minimal functionality that an HSM must implement and expose via its PKCS#11 interface (e.g. its provider library) for Unseal/Unwrap of Vault (plus other operations that Vault is able to use with an HSM, eventually)?

The only information I was able to find so far is this:
PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually.
from https://www.vaultproject.io/docs/configuration/seal/pkcs11

Also, I looked at Vault’s repo, but did not yet find further details on this, nor source code, which is likely reserved for the Enterprise version only.


The source code for HSM integration is not open source, unfortunately. If you are just playing around with the short-lived license of Vault Enterprise + HSM, then have a look at this repo I created. It allows you to run Vault Enterprise + HSM with SoftHSM2.

If you crank up SoftHSM2 debug level, you will see every call Vault makes to it.


Previously I successfully integrated Vault with an HSM that was password-enabled, and it was up and running.
I am at a remote location connected to the network, trying to start the Vault server integrated with a PED-enabled HSM device.
I have added the HSM configuration to the Vault config file but don't know what I should set as the pin in order to access the HSM from the Vault server.
I have tried entering the admin password, the Crypto Officer PIN, and the PED device attached to the HSM, but I am still unable to start Vault.

error parsing Seal configuration: error fetching session to test HSM key configuration: error logging in to HSM: pkcs11: 0x80000028
2021-07-13T05:39:54.367-0400 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""

config:

```json
{
  "pkcs11": {
    "generate_key": "true",
    "hmac_key_label": "HashiCorp_hmac",
    "key_label": "HashiCorp",
    "lib": "/opt/vault/hsm/libCryptoki2_64.so",
    "pin": "xxxxx",
    "slot": "1"
  }
}
```

Any suggestions, please!
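A pre-flight check for the seal settings posted above, added here as an example (not Vault's or HashiCorp's code): it decodes the CK_RV from the Vault log line and, if the python-pkcs11 package is installed, logs in to the configured slot and counts objects carrying the two key labels. The sample seal settings and the log line are copied from the post; the pin is the post's own placeholder.

```python
"""Pre-flight check for a Vault pkcs11 seal block (added example, not Vault code).

Assumes the python-pkcs11 package (import name `pkcs11`) for the live HSM probe;
the CK_RV helpers below need nothing beyond the standard library.
"""
import re

try:
    import pkcs11  # python-pkcs11; optional so the CK_RV helpers work without it
except ImportError:
    pkcs11 = None

CKR_VENDOR_DEFINED = 0x80000000
# Standard return values most often seen around C_Login (PKCS#11 v2.x).
CKR_NAMES = {0x00: "CKR_OK", 0x03: "CKR_SLOT_ID_INVALID", 0x30: "CKR_DEVICE_ERROR",
             0xA0: "CKR_PIN_INCORRECT", 0xA4: "CKR_PIN_LOCKED",
             0xE0: "CKR_TOKEN_NOT_PRESENT", 0x100: "CKR_USER_ALREADY_LOGGED_IN",
             0x102: "CKR_USER_PIN_NOT_INITIALIZED"}


def classify_ckr(rv):
    """Map a CK_RV to (name, vendor_defined). Codes at or above
    CKR_VENDOR_DEFINED are not in the spec; look them up in the vendor's docs."""
    if rv >= CKR_VENDOR_DEFINED:
        return ("vendor-defined 0x%08X" % rv, True)
    return (CKR_NAMES.get(rv, "unknown 0x%08X" % rv), False)


def ckr_from_vault_log(line):
    """Pull the CK_RV out of a Vault seal error line ('... pkcs11: 0x80000028')."""
    m = re.search(r"pkcs11:\s*(0x[0-9A-Fa-f]+)", line)
    return classify_ckr(int(m.group(1), 16)) if m else None


def preflight(seal):
    """Log in to the configured slot with the configured pin and count objects
    with the seal's key labels (0 is fine when generate_key is true)."""
    lib = pkcs11.lib(seal["lib"])
    slot = next(s for s in lib.get_slots() if s.slot_id == int(seal["slot"]))
    with slot.get_token().open(user_pin=seal["pin"]) as session:
        found = {}
        for key in ("key_label", "hmac_key_label"):
            objs = session.get_objects({pkcs11.Attribute.LABEL: seal[key]})
            found[seal[key]] = len(list(objs))
    return found


if __name__ == "__main__":
    # Constructed sample: the settings from the post (pin is the post's placeholder).
    SEAL = {"lib": "/opt/vault/hsm/libCryptoki2_64.so", "slot": "1", "pin": "xxxxx",
            "key_label": "HashiCorp", "hmac_key_label": "HashiCorp_hmac"}
    print(ckr_from_vault_log("error logging in to HSM: pkcs11: 0x80000028"))
    if pkcs11 is not None:
        print(preflight(SEAL))
```

The posted code 0x80000028 falls in the vendor-defined range, so its meaning comes from the HSM vendor's Cryptoki documentation rather than the PKCS#11 specification.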