From 1196b8eda80582d5d29ecab54228c7daaf8bc404 Mon Sep 17 00:00:00 2001 From: Steven Clark Date: Wed, 13 Nov 2024 11:35:29 -0500 Subject: [PATCH] Add notes within the documentation about the generate_key flag (#28898) --- website/content/api-docs/system/managed-keys.mdx | 3 +++ website/content/docs/configuration/seal/pkcs11.mdx | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/website/content/api-docs/system/managed-keys.mdx b/website/content/api-docs/system/managed-keys.mdx index d0ba49ffc8..58df16662e 100644 --- a/website/content/api-docs/system/managed-keys.mdx +++ b/website/content/api-docs/system/managed-keys.mdx @@ -85,6 +85,9 @@ $ curl \ - `allow_generate_key` `(string: "false")` - If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend. + ~> **NOTE**: Once the initial key creation has occurred, it is advisable to disable this flag to prevent any + unintended key creation in the future. + - `allow_replace_key` `(string: "false")` - Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists. diff --git a/website/content/docs/configuration/seal/pkcs11.mdx b/website/content/docs/configuration/seal/pkcs11.mdx index 69affec7f5..67371ae4a0 100644 --- a/website/content/docs/configuration/seal/pkcs11.mdx +++ b/website/content/docs/configuration/seal/pkcs11.mdx 
@@ -156,6 +156,10 @@ These parameters apply to the `seal` stanza in the Vault configuration file: circumstances, such as if proprietary vendor extensions are required to create keys of a suitable type. + ~> **NOTE**: Once the initial key creation has occurred post cluster + initialization, it is advisable to disable this flag to prevent any + unintended key creation in the future. + - `force_rw_session` `(string: "false")`: Force all operations to open up a read-write session to the HSM. This is a boolean expressed as a string (e.g. `"true"`). May also be specified by the `VAULT_HSM_FORCE_RW_SESSION` environment
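Review bot: In the managed-keys.mdx hunk, the added note tells operators to "disable this flag" but not how, and it leaves the relationship to the neighbouring parameter implicit. Suggest stating the concrete action and the companion setting, e.g. "Once the initial key has been created, set `allow_generate_key` back to `\"false\"` (the default) so that a later configuration change or a missing key reference cannot silently generate a fresh key; `allow_replace_key` separately controls overwriting a key that already exists and should remain `\"false\"` as well." The visible context also shows a blank line between the note's second line and the `- allow_replace_key` bullet, which is correct for the `~>` admonition, but the two-line note is wrapped mid-sentence ("any / unintended"); wrapping at a clause boundary would read better in the rendered page.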
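Review bot: In the pkcs11.mdx hunk, "this flag" has no antecedent in the added lines, and the preceding context line ("...proprietary vendor extensions are required to create keys of a suitable type.") does not name the parameter either, so a reader landing on the note cannot tell which setting to turn off. Name it explicitly (the subject line identifies it as `generate_key`), and say what disabling means in the `seal` stanza, e.g. "Once the key has been created during cluster initialization, set `generate_key` to `\"false\"` to prevent unintended key creation later." The phrase "has occurred post cluster initialization" is also awkward, and it diverges from the wording used for the same advice in managed-keys.mdx; aligning the two notes would keep the guidance consistent across both documents.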