This is a plugin for HashiCorp Vault that implements storing data objects into HSM devices using PKCS#11.
It supports multiple devices and uses a tree-like structure to store objects.
At this stage it is considered an MVP for storing data objects on an HSM.
- Download the plugin binary or compile it by using the Makefile
- Copy the binary to your `plugins` directory.
- Enable the plugin globally

```
$ vault write sys/plugins/catalog/database/pkcs11 \
    sha256=<expected SHA256 Hex value of the plugin binary> \
    command="myplugin"
```
- Mount the secret engine

```
$ vault secrets enable pkcs11
Success! Enabled the pkcs11 secrets engine at: pkcs11/
```
- Configure the HSM device

```
$ vault write pkcs11/devices/my-device lib_path="/usr/lib/pkcs11/libsofthsm2.so" slot=229915468 pin="1234"
$ vault read pkcs11/devices/my-device
Key         Value
---         -----
lib_path    /usr/lib/pkcs11/libsofthsm2.so
pin         1234
slot        229915468
```
- Read/Write data to your HSM device

```
$ vault write pkcs11/devices/my-device/foo3 bar=foo
Success! Data written to: pkcs11/devices/my-device/foo3
$ vault read pkcs11/devices/my-device/foo3 -format=json
{
  "request_id": "3f2371a1-a0e5-b137-2edc-5cab18ee59c6",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "data": {
      "bar": "foo"
    }
  },
  "warnings": null
}
```

The same object seen from the HSM side with `pkcs11-tool`:

```
$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 229915468 --login --pin 1234 -O
Data object 2
  label:          'vault_path=my-device/foo3'
  application:    'HashiCorp Vault pkcs11 secret'
  app_id:         <empty>
  flags:          modifiable private
$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 229915468 --login --pin 1234 -r --label 'vault_path=my-device/foo3' --type data
{"bar":"foo"}⏎
```
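The two attributes shown above are the whole of the tree-like structure on the device: the Vault path lives in CKA_LABEL behind the `vault_path=` prefix and the application string marks the object as the plugin's. As an added example that is not part of this plugin's code, the following Go program rebuilds that tree from a constructed object enumeration and lists the children of one node, skipping objects whose label looks like the plugin's but whose application string does not match; the `HSMObject` type, `SampleObjects` and `ListChildren` are assumptions for illustration.

```go
package main

import (
	"sort"
	"strings"
)

// Tags from the pkcs11-tool output above: CKA_LABEL carries the Vault path, CKA_APPLICATION marks the plugin's objects.
const labelPrefix = "vault_path="
const application = "HashiCorp Vault pkcs11 secret"
// HSMObject is an assumed, minimal view of one enumerated PKCS#11 data object.
type HSMObject struct{ Label, Application string }

// SampleObjects is a constructed device enumeration; the last object only mimics the plugin's label.
func SampleObjects() []HSMObject {
	return []HSMObject{
		{"vault_path=my-device/foo3", application},
		{"vault_path=my-device/certs/tls", application},
		{"vault_path=my-device/certs/ca", application},
		{"vault_path=other-device/foo3", application},
		{"vault_path=my-device/rogue", "some other application"},
	}
}

// PathFromLabel returns the Vault path, or false for objects the plugin did not write (both tags must match).
func PathFromLabel(o HSMObject) (string, bool) {
	if o.Application != application || !strings.HasPrefix(o.Label, labelPrefix) {
		return "", false
	}
	return strings.TrimPrefix(o.Label, labelPrefix), true
}

// ListChildren answers a LIST on one tree node (e.g. "my-device/"), sub-trees marked by a trailing "/", sorted.
func ListChildren(objs []HSMObject, prefix string) []string {
	seen := map[string]bool{}
	for _, o := range objs {
		if p, ok := PathFromLabel(o); ok && strings.HasPrefix(p, prefix) {
			rest := strings.TrimPrefix(p, prefix)
			if i := strings.Index(rest, "/"); i >= 0 {
				rest = rest[:i+1] // collapse deeper paths to their next element
			}
			seen[rest] = true
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}
```

`ListChildren(SampleObjects(), "my-device/")` returns `[certs/ foo3]`; the look-alike object and the other device's objects never appear.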
- Add Leases to data objects
- Add other types of objects
- Add full testing coverage
- Add write/destroy-only objects
Mozilla Public License Version 2.0