Add known issue for hsm duplicate (#28983)

* Add known issue for hsm duplicate * update wording * swap: * more clarification * clean up * clean up * clean up * reorder * reorder * link
2025-10-29 09:42:25 +00:00 · 2024-11-25 09:57:23 -05:00
parent 3796b7c90f
commit d23892d803
5 changed files with 23 additions and 0 deletions
--- a/website/content/docs/upgrading/upgrade-to-1.16.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.16.x.mdx
@@ -231,4 +231,5 @@ more details, and information about opt-out.

@include 'known-issues/manual-entity-merge-does-not-persist.mdx'

+@include 'known-issues/duplicate-hsm-key.mdx'

--- a/website/content/docs/upgrading/upgrade-to-1.17.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.17.x.mdx
@@ -203,3 +203,5 @@ more details, and information about opt-out.
@include 'known-issues/aws-auth-external-id.mdx'

@include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
+
+@include 'known-issues/duplicate-hsm-key.mdx'
--- a/website/content/docs/upgrading/upgrade-to-1.18.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.18.x.mdx
@@ -138,3 +138,7 @@ reports if manual reporting is preferred.

 See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for
 more details, and information about opt-out.
+
+## Known issues and workarounds
+
+@include 'known-issues/duplicate-hsm-key.mdx'
--- a/website/content/docs/upgrading/upgrade-to-1.19.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.19.x.mdx
@@ -42,3 +42,6 @@ based on the table below.
 | CE            | true      | any value other than sha2-512 | An error is returned                       | Pure Ed25519                      |
 | CE            | true      | sha2-512                      | An error is returned (not supported on CE) | Pure Ed25519                      |

+## Known issues and workarounds
+
+@include 'known-issues/duplicate-hsm-key.mdx'
--- a/website/content/partials/known-issues/duplicate-hsm-key.mdx
+++ b/website/content/partials/known-issues/duplicate-hsm-key.mdx
@@ -0,0 +1,13 @@
+### Seal/Seal Wrapped - Duplicate HSM Keys
+
+#### Affected Versions
+- All versions that support migration from Shamir to HSM-backed unseal/seal wrap in HSM-HA configurations.
+
+#### Issue
+During a migration from Shamir to an HSM-backed unseal configuration with HSM - High Availability (HA), duplicate HSM keys may be created.
+These issues can occur even after a seal migration to HSM that initially appeared successful. The root cause is under investigation, with potential links to key handling during HA configuration or migration processes.
+- Unseal failures: Nodes may fail to unseal after a restart, with errors such as CKR_DATA_INVALID.
+- Duplicate HSM keys: These may be created, resulting in intermittent read failures with errors such as CKR_SIGNATURE_INVALID and CKR_KEY_HANDLE_INVALID for any seal wrapped value - see /vault/docs/enterprise/sealwrap#wrapped-parameters.
+
+#### Workaround
+As a workaround, always run Vault with `generate_key = false`, creating the required keys within the HSM manually during the setup process.