Hashicorp Vault Auto-Unseal using Builder Vault
This page is a tutorial that shows how the Builder Vault PKCS #11 library can be used to auto-unseal Hashicorp Vault.
Prerequisites:
- An instance of Builder Vault
- The file pkcs11.toml, protected with a user-defined PIN
- The pkcs11.amd64.so library
- A Hashicorp Vault Enterprise license
- The Hashicorp Vault enterprise+hsm binary. This can be obtained from https://releases.hashicorp.com/vault/<version>+ent.hsm/.
Configure Hashicorp Vault to run with Blockdaemon Builder Vault
Create the file vault_config.hcl and add the following contents (the pin and mechanism values are HCL strings and must be quoted):

storage "file" {
  path = "/opt/vault/vault-data"
}

disable_mlock = true
ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = true
}

seal "pkcs11" {
  lib = "/opt/blockdaemon/tsm-pkcs11.amd64.so"
  slot = "0"
  pin = "<user-defined PIN>"
  key_label = "bv-demo"
  generate_key = "true"
  mechanism = "0x1087"
}
Note that currently the Builder Vault PKCS#11 interface only supports the CKM_AES_GCM (0x1087) mechanism.
Set the following environment variables:

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_LICENSE_PATH="<path_to_your_license.hclic>"
Then start the Hashicorp Vault with:
./vault server -config ./vault_config.hcl
Initialize the Hashicorp Vault with:
./vault operator init -recovery-shares=1 -recovery-threshold=1
Note the Initial Root token. Check the Hashicorp Vault status to see that it has been initialized and unsealed:
$ vault status
Key Value
--- -----
Seal Type pkcs11
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 1
Threshold 1
Version 1.17.5+ent.hsm
Build Date 2024-08-30T15:55:00Z
Storage Type file
Cluster Name vault-cluster-8e18e2e5
Cluster ID 9d6703ad-41e3-0c37-7693-bd6940baf8a2
HA Enabled false
Log in to the Hashicorp Vault using your Initial Root token:
$ vault login hvs.lv1zu1GiK3BDcGkfFOKTSc25
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.lv1zu1GiK3BDcGkfFOKTSc25
token_accessor 0JJ0gCWmDbqR3N0Yq02cW8uz
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
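A post-setup check for the steps above, added here as an example and not part of the Builder Vault or Hashicorp documentation. It assumes only the vault CLI and the text format of `vault status` shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Builder Vault docs: sanity-check the result of
# the auto-unseal setup above.

# status_field STATUS KEY: print the value column for KEY in `vault status`
# text output (e.g. "Seal Type" -> "pkcs11"). Keys are matched at line start,
# so "Seal Type" does not also match "Recovery Seal Type".
status_field() {
    printf '%s\n' "$1" | grep -E "^$2 +" | awk '{print $NF}'
}

# check_seal_status: reads `vault status` text on stdin and prints "ok" when
# Vault is initialized, unsealed by the pkcs11 seal, and uses shamir recovery
# keys; otherwise prints "FAIL:" followed by the name of each failed check.
check_seal_status() {
    status="$(cat)"
    problems=""
    [ "$(status_field "$status" 'Seal Type')" = "pkcs11" ] \
        || problems="$problems seal-type-not-pkcs11"
    [ "$(status_field "$status" 'Recovery Seal Type')" = "shamir" ] \
        || problems="$problems recovery-seal-not-shamir"
    [ "$(status_field "$status" 'Initialized')" = "true" ] \
        || problems="$problems not-initialized"
    [ "$(status_field "$status" 'Sealed')" = "false" ] \
        || problems="$problems still-sealed"
    if [ -z "$problems" ]; then echo ok; else echo "FAIL:$problems"; fi
}

# pin_in_config FILE: prints "yes" if the config file carries a literal pin
# value. Vault also reads the PIN from the VAULT_HSM_PIN environment variable,
# which keeps it out of the file on disk.
pin_in_config() {
    if grep -Eq '^[[:space:]]*pin[[:space:]]*=' "$1"; then echo yes; else echo no; fi
}

# Live usage against a running Vault: ./check.sh --live ./vault_config.hcl
if [ "${1:-}" = "--live" ]; then
    vault status | check_seal_status
    [ "$(pin_in_config "$2")" = "yes" ] && echo "warning: PIN is stored in $2"
fi
```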