Unable to seal migrate autoseal to autoseal

gkiran.ch · October 5, 2021, 3:16pm

I am using vault 1.82 enterprise hsm package. I am able to integrate with HSM using pkcs11

I try to seal migrate from one masterkey to another master key in the same HSM

I have shutdown vault app
i have used disabled = “true” in the first code block and used new AES keys in the second code block
when i try to start vault, it gives below error message; i have tried to change the slot number but no luck.

[ec2-user@ip-172-31-20-118 ~]$ ./vault server -config=vault.hcl -log-level=debug
Error parsing Seal configuration: error creating HSM context: error initializing PKCS#11 library: pkcs11: 0x191: CKR_CRYPTOKI_ALREADY_INITIALIZED
2021-10-05T14:58:33.032Z [INFO] proxy environment: http_proxy= https_proxy= no_proxy=

aram · October 5, 2021, 3:28pm

I have never worked with an HSM but I also have never seen any documentation on it being able to be migrated.

For migration you need two new block, a pkcs11_from and pkcs11_to blocks that you can pass in so vault knows what it copies from and to. I have not seen anything like that in the documentation.

See this for storage … so you would need something similar for pcks blocks:

mikegreen · October 5, 2021, 3:30pm

File a support ticket… HSM is complicated.

Topic		Replies	Views
Error in Auto unsealing with HSM Vault vault	3	616	July 13, 2021
Auto-unseal with multiple HSM backends Vault	3	583	July 13, 2021
Vault migration seal fail Vault	1	277	July 15, 2023
Failing to migrate from Consul to integrated storage Vault	7	1023	January 31, 2021
Error parsing Seal configuration: KMS type 'pkcs11' requires the Vault Enterprise HSM binary Vault	2	609	December 1, 2022

Unable to seal migrate autoseal to autoseal

Related topics