Unable to seal migrate autoseal to autoseal

I am using the Vault 1.82 enterprise HSM package. I am able to integrate with the HSM using PKCS#11.

I am trying to seal migrate from one master key to another master key in the same HSM.

I have shut down the Vault app.
I have used disabled = "true" in the first code block and used new AES keys in the second code block.
When I try to start Vault, it gives the error message below; I have tried to change the slot number but no luck.

[ec2-user@ip-172-31-20-118 ~]$ ./vault server -config=vault.hcl -log-level=debug
Error parsing Seal configuration: error creating HSM context: error initializing PKCS#11 library: pkcs11: 0x191: CKR_CRYPTOKI_ALREADY_INITIALIZED
2021-10-05T14:58:33.032Z [INFO] proxy environment: http_proxy= https_proxy= no_proxy=

I have never worked with an HSM but I also have never seen any documentation on it being able to be migrated.

For migration you need two new blocks, a pkcs11_from and a pkcs11_to block, that you can pass in so Vault knows what it copies from and to. I have not seen anything like that in the documentation.

See this for storage … so you would need something similar for pkcs blocks:

File a support ticket… HSM is complicated.