IBM Support

RSA key pair generation fails when offloading Key management to external HSM using Managed Keys

Troubleshooting


Problem

When creating managed keys to offload key management to an external HSM, key generation may fail with the following error:

{"@level":"error","@message":"Key generation for managed key XXXX failed: no supported rsa key generation mechanisms found","@module":"managedKeyRegistry","@timestamp":"2022-08-17T11:41:55.938617+02:00"}

Prerequisites

  • Vault version 1.10+
  • HSM with FIPS enabled

Cause

After invoking the Vault sys/managed-key/... API, the error shown above is returned. The failure is caused by an incompatibility between the RSA key generation mechanism Vault requests and the mechanisms the HSM supports in FIPS mode. As stated in the FIPS-enabled Luna HSM guide:

> only RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes

The RSA key pair generation mechanisms available on a FIPS-enabled Luna HSM are limited to:

  • CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
  • CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN

However, Vault only supports the following RSA key pair generation mechanisms:

  • CKM_RSA_X9_31_KEY_PAIR_GEN
  • CKM_RSA_PKCS_KEY_PAIR_GEN
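As an added example (not part of this IBM article, nor code from Vault or the Luna HSM), the following Python script expresses the mechanism mismatch described above: given the mechanism names an HSM partition advertises (the PKCS#11 name form and the sample partition are assumed and constructed), it reports whether one of Vault's two RSA key pair generation mechanisms is present, and it also matches the managedKeyRegistry error from the log line in the Problem section.

```python
import json
from typing import Iterable, Optional

# RSA key pair generation mechanisms Vault requests (from the article above).
VAULT_RSA_KEYGEN = ("CKM_RSA_X9_31_KEY_PAIR_GEN", "CKM_RSA_PKCS_KEY_PAIR_GEN")
# The only RSA key pair generation mechanisms a FIPS-enabled Luna HSM offers.
LUNA_FIPS_RSA_KEYGEN = ("CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN",
                        "CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN")
FAILURE_TEXT = "no supported rsa key generation mechanisms found"

def usable_rsa_keygen_mechanism(hsm_mechanisms: Iterable[str]) -> Optional[str]:
    """Return the first Vault-supported RSA keygen mechanism the HSM advertises, or None."""
    advertised = {m.strip().upper() for m in hsm_mechanisms}
    for mech in VAULT_RSA_KEYGEN:
        if mech in advertised:
            return mech
    return None

def diagnose(hsm_mechanisms: Iterable[str]) -> str:
    """Explain whether Vault managed-key RSA generation will work against this HSM."""
    advertised = {m.strip().upper() for m in hsm_mechanisms}
    mech = usable_rsa_keygen_mechanism(advertised)
    if mech:
        return f"ok: Vault can generate RSA keys with {mech}"
    fips_only = sorted(advertised & set(LUNA_FIPS_RSA_KEYGEN))
    if fips_only:
        return ("incompatible: HSM offers only FIPS 186-3 RSA generation "
                f"({', '.join(fips_only)}); disable FIPS mode or remap one of them "
                "to a mechanism Vault supports")
    return "incompatible: HSM advertises no RSA key pair generation mechanism"

def is_rsa_keygen_failure(log_line: str) -> bool:
    """Match the managedKeyRegistry error from the article in one Vault JSON log line."""
    try:
        rec = json.loads(log_line)
    except json.JSONDecodeError:
        return False
    return (rec.get("@level") == "error"
            and rec.get("@module") == "managedKeyRegistry"
            and FAILURE_TEXT in rec.get("@message", ""))

if __name__ == "__main__":
    # Constructed sample: a FIPS-mode Luna partition that also offers AES generation.
    print(diagnose(["CKM_AES_KEY_GEN", *LUNA_FIPS_RSA_KEYGEN]))
    # The log line quoted in the article, XXXX kept as the article's placeholder.
    sample = ('{"@level":"error","@message":"Key generation for managed key XXXX failed: '
              f'{FAILURE_TEXT}","@module":"managedKeyRegistry",'
              '"@timestamp":"2022-08-17T11:41:55.938617+02:00"}')
    print(is_rsa_keygen_failure(sample))
```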

Solutions

  • Disable FIPS mode on the HSM and retry key generation

  • Use the Luna HSM Remap Mechanism feature to map a FIPS 186-3 RSA key pair generation mechanism onto one that Vault supports

Additional Information

Document Location

Worldwide


Historical Number

9469793672979

Document Information

Modified date:
16 March 2026

UID

ibm17264456