Is there a specification of the minimal functionality that an HSM must implement and expose via its PKCS#11 interface (i.e. its provider library) for Vault's Unseal/Unwrap (plus the other operations that Vault is able to perform with an HSM, eventually)?
The only information I was able to find so far is this: "PKCS#11 compatible HSM integration library. Vault targets version 2.2 or higher of PKCS#11. Depending on any given HSM, some functions (such as key generation) may have to be performed manually."
(from https://www.vaultproject.io/docs/configuration/seal/pkcs11)
Also, I looked at Vault's repo, but did not yet find further details on this, nor source code, which is likely reserved for the Enterprise version only.
The source code for the HSM integration is not open source, unfortunately. If you are just playing around with the short-lived license of Vault Enterprise + HSM, then have a look at this repo I created. It allows you to run Vault Enterprise + HSM with SoftHSM2.
If you crank up the SoftHSM2 debug level, you will see every call Vault makes to it.
Previously I have successfully integrated Vault with a password-enabled HSM, and it was up and running.
I am at a remote location connected to the network, trying to start a Vault server integrated with a PED-enabled HSM device.
I have added the HSM configuration to the Vault config file, but I don't know what I should set as the PIN in order to access the HSM from the Vault server.
I have tried entering the admin password, the Crypto Officer PIN, and the PED attached to the HSM, but I am still unable to start Vault.
error parsing Seal configuration: error fetching session to test HSM key configuration: error logging in to HSM: pkcs11: 0x80000028 2021-07-13T05:39:54.367-0400 [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
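For anyone reproducing this with SoftHSM2 as suggested in the reply above, here is an added seal stanza (example configuration written for this thread, not taken from the original posts or from Vault's own docs) that shows which PIN Vault actually hands to the provider; the library path, token label, PIN and key labels are assumed placeholder values for a local SoftHSM2 test token.

```hcl
# Added example: Vault Enterprise pkcs11 seal pointed at a local SoftHSM2 token.
# Every value below is an assumption for a test setup, not from the original posts.
seal "pkcs11" {
  # Vendor PKCS#11 provider library; the path differs per distro and HSM vendor.
  lib         = "/usr/lib/softhsm/libsofthsm2.so"

  # Select the token by label instead of slot number: SoftHSM2 assigns slot
  # IDs when the token is initialised, so they are not stable across hosts.
  token_label = "vault-hsm"

  # This is the token's normal user PIN, i.e. the secret the provider accepts
  # for C_Login as CKU_USER. It is not the Security Officer (SO) PIN used to
  # initialise the token. Prefer the VAULT_HSM_PIN environment variable over a
  # plaintext value here, since the config file is otherwise readable on disk.
  pin         = "1234"

  # Labels of the AES key and HMAC key Vault uses for the seal.
  key_label      = "vault-seal-key"
  hmac_key_label = "vault-seal-hmac"

  # SoftHSM2 can create keys through PKCS#11, so let Vault generate them on
  # first start. On HSMs that refuse key generation through the provider,
  # create both keys manually under the labels above and set this to "false".
  generate_key   = "true"
}
```

SoftHSM2's verbosity is controlled by `log.level` in softhsm2.conf (the file pointed to by `SOFTHSM2_CONF`); at `DEBUG` it logs each PKCS#11 call Vault makes, which is the easiest way to see exactly which functions a minimal provider must support.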