PKCS#11 FAQs

Alessio Buraggina edited this page Apr 14, 2023 · 3 revisions

Quick Links

Common Issues

Issues Guidelines
Cannot load configuration: environment variable KMS_PKCS11_CONFIG is not set
Set the KMS_PKCS11_CONFIG environment variable so that the library is able to locate Cloud KMS resources. It needs to point to a valid YAML configuration file.

Error occurred when fetching oauth2 token.
This error indicates issues with authentication. See the Authentication and authorization section of the user guide.

Key $KEY_NAME is not loadable due to unsupported purpose
This error comes up when trying to use a key with an unsupported purpose, or when an unsupported key is part of the key ring that is specified in your YAML configuration file. For the latter scenario, the error is just a warning and can be ignored, since it does not prevent the library from functioning correctly. See the Limitations section of the user guide.

Key $KEY_NAME is not loadable due to unsupported protection level
This error comes up when trying to use a key with an unsupported protection level (the library only supports HSM keys), or when an unsupported key is part of the key ring that is specified in your YAML configuration file. For the latter scenario, the error is just a warning and can be ignored, since it does not prevent the library from functioning correctly. See the Limitations section of the user guide. We are not planning to expand support to other protection levels at this time.

PKCS11 function $FUNCTION failed: rv = CKR_MECHANISM_INVALID (0x70)
This error comes up when trying to use a mechanism that is not currently supported by the library. See the user guide for a full list of supported mechanisms.

PKCS11 function $FUNCTION failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
This error comes up when trying to use a function that is not currently supported by the library. See the user guide for a full list of supported functions.

Troubleshooting

To aid troubleshooting, you can specify a custom log directory where application logs should be written. This is done by setting the log_directory field in the YAML configuration used by the library, e.g. log_directory: "/var/log/kmsp11". See the configuration section of the user guide for more info.

As an additional debugging step, gRPC (used by the library) also allows users to enable additional levels of logging through a range of environment variables. See the gRPC troubleshooting guide for more info.
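
A preflight check for the two settings discussed above, the KMS_PKCS11_CONFIG variable and the log_directory field, written as an added example and not taken from the library or its user guide. The function name, its return codes, and the requirement that the log directory already exists and is writable are assumptions of this example.

```shell
# Added example: preflight check for the kmsp11 configuration.
# Constructed sample config line this function would accept:
#   log_directory: "/var/log/kmsp11"
# Return codes (chosen for this example): 0 ok, 1 variable unset,
# 2 config unreadable, 3 log_directory absent, 4 log directory unusable.
kmsp11_preflight() {
    # The library finds its YAML configuration through this variable.
    if [ -z "${KMS_PKCS11_CONFIG:-}" ]; then
        echo "KMS_PKCS11_CONFIG is not set" >&2
        return 1
    fi
    if [ ! -f "$KMS_PKCS11_CONFIG" ] || [ ! -r "$KMS_PKCS11_CONFIG" ]; then
        echo "config not found or unreadable: $KMS_PKCS11_CONFIG" >&2
        return 2
    fi

    # Read a top-level "log_directory:" entry. This is a line match, not a
    # YAML parser: it assumes key and value share one line, and it drops
    # surrounding quotes and a trailing "# comment".
    log_dir=$(sed -n 's/^log_directory:[[:space:]]*//p' "$KMS_PKCS11_CONFIG" |
        head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    if [ -z "$log_dir" ]; then
        echo "log_directory is not set in $KMS_PKCS11_CONFIG" >&2
        return 3
    fi

    # Assumption of this example: the directory must exist and be writable
    # by the account that loads the library, so run the check as that account.
    if [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ]; then
        echo "log directory missing or not writable: $log_dir" >&2
        return 4
    fi
    echo "ok: config=$KMS_PKCS11_CONFIG log_directory=$log_dir"
    return 0
}
```

Source the file and call kmsp11_preflight from the same environment (service unit, container, or shell) that starts the application, since the variable and the directory permissions are evaluated for that account.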

Tips

  • To load a different CryptoKeyVersion using URIs, see the answer to Issue #12