scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 11:08:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add known issue for hsm duplicate (#28983)

Browse Source 
* Add known issue for hsm duplicate

* update wording

* swap:

* more clarification

* clean up

* clean up

* clean up

* reorder

* reorder

* link
This commit is contained in:
Luis (LT) Carbonell
2024-11-25 09:57:23 -05:00
committed by GitHub
parent 3796b7c90f
commit d23892d803
5 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
website/content/docs/upgrading/upgrade-to-1.16.x.mdx
View File

@@ -231,4 +231,5 @@ more details, and information about opt-out.
@include 'known-issues/manual-entity-merge-does-not-persist.mdx' @include 'known-issues/manual-entity-merge-does-not-persist.mdx'
@include 'known-issues/duplicate-hsm-key.mdx'

2
website/content/docs/upgrading/upgrade-to-1.17.x.mdx
View File

@@ -203,3 +203,5 @@ more details, and information about opt-out.
@include 'known-issues/aws-auth-external-id.mdx' @include 'known-issues/aws-auth-external-id.mdx'
@include 'known-issues/sync-activation-flags-cache-not-updated.mdx' @include 'known-issues/sync-activation-flags-cache-not-updated.mdx'
@include 'known-issues/duplicate-hsm-key.mdx'

4
website/content/docs/upgrading/upgrade-to-1.18.x.mdx
View File

@@ -138,3 +138,7 @@ reports if manual reporting is preferred.
See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for See the main page for [Vault product usage metrics reporting](/vault/docs/enterprise/license/product-usage-reporting) for
more details, and information about opt-out. more details, and information about opt-out.
## Known issues and workarounds
@include 'known-issues/duplicate-hsm-key.mdx'

3
website/content/docs/upgrading/upgrade-to-1.19.x.mdx
View File

@@ -42,3 +42,6 @@ based on the table below.
| CE | true | any value other than sha2-512 | An error is returned | Pure Ed25519 | | CE | true | any value other than sha2-512 | An error is returned | Pure Ed25519 |
| CE | true | sha2-512 | An error is returned (not supported on CE) | Pure Ed25519 | | CE | true | sha2-512 | An error is returned (not supported on CE) | Pure Ed25519 |
## Known issues and workarounds
@include 'known-issues/duplicate-hsm-key.mdx'

13
website/content/partials/known-issues/duplicate-hsm-key.mdx Normal file
View File

@@ -0,0 +1,13 @@
### Seal/Seal Wrapped - Duplicate HSM Keys
#### Affected Versions
- All versions that support migration from Shamir to HSM-backed unseal/seal wrap in HSM-HA configurations.
#### Issue
During a migration from Shamir to an HSM-backed unseal configuration with HSM - High Availability (HA), duplicate HSM keys may be created.
These issues can occur even after a seal migration to HSM that initially appeared successful. The root cause is under investigation, with potential links to key handling during HA configuration or migration processes.
- Unseal failures: Nodes may fail to unseal after a restart, with errors such as CKR_DATA_INVALID.
- Duplicate HSM keys: These may be created, resulting in intermittent read failures with errors such as CKR_SIGNATURE_INVALID and CKR_KEY_HANDLE_INVALID for any seal wrapped value - see /vault/docs/enterprise/sealwrap#wrapped-parameters.
#### Workaround
As a workaround, always run Vault with `generate_key = false`, creating the required keys within the HSM manually during the setup process.