Commit

backport of commit 1196b8e (#28899)
Co-authored-by: Steven Clark <[email protected]>
1 parent e756a3c commit 72b88ef
Showing 2 changed files with 7 additions and 0 deletions.
3 changes: 3 additions & 0 deletions website/content/api-docs/system/managed-keys.mdx
Expand Up @@ -85,6 +85,9 @@ $ curl \
- `allow_generate_key` `(string: "false")` - If no existing key can be found in the referenced backend, instructs
Vault to generate a key within the backend.

~> **NOTE**: Once the initial key creation has occurred, it is advisable to disable this flag to prevent any
unintended key creation in the future.

- `allow_replace_key` `(string: "false")` - Controls the ability for Vault to replace through generation or importing
a key into the configured backend even if a key is present, if set to false those operations are forbidden
if a key exists.
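
Review bot: The added NOTE after the `allow_generate_key` entry says to "disable this flag" without naming the parameter or the value to set, so a reader who lands on the callout has to infer both. Suggested wording: "Once the initial key creation has occurred, set `allow_generate_key` back to `"false"` to prevent unintended key creation in the future." The next entry, `allow_replace_key`, also permits generation into the backend when a key is already present, so consider pointing to it from the same note so that both settings are reviewed together.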
4 changes: 4 additions & 0 deletions website/content/docs/configuration/seal/pkcs11.mdx
Expand Up @@ -156,6 +156,10 @@ These parameters apply to the `seal` stanza in the Vault configuration file:
circumstances, such as if proprietary vendor extensions are required to
create keys of a suitable type.

~> **NOTE**: Once the initial key creation has occurred post cluster
initialization, it is advisable to disable this flag to prevent any
unintended key creation in the future.

- `force_rw_session` `(string: "false")`: Force all operations to open up
a read-write session to the HSM. This is a boolean expressed as a string (e.g.
`"true"`). May also be specified by the `VAULT_HSM_FORCE_RW_SESSION` environment
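
Review bot: In the NOTE added before the `force_rw_session` entry, "this flag" has no antecedent inside the callout: the parameter it refers to is named above the hunk, so the note should name it and state the value that disables it, the way the `force_rw_session` entry spells out that it is a boolean expressed as a string. If that parameter can also be set through an environment variable, as `force_rw_session` can through `VAULT_HSM_FORCE_RW_SESSION`, say that the variable has to be cleared as well. The wording also differs from the matching note in managed-keys.mdx ("post cluster initialization" appears only here); "after the cluster has been initialized" reads more plainly, and the two notes should agree.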