git.ipfire.org Git - thirdparty/knot-dns.git/commitdiff
WIP doc/reference: in keystore section, note that OS privileges may need to be set doc_hsm_access
author David Vašek <david.vasek@nic.cz>
Thu, 16 Oct 2025 13:24:35 +0000 (15:24 +0200)
committer David Vašek <david.vasek@nic.cz>
Thu, 16 Oct 2025 13:24:35 +0000 (15:24 +0200)
doc/reference.rst

index 441c32116eeeb61edf201fbfa19577a0c90e5769..06ce2765bb9bc180eb27bf860178d4fe37715f74 100644 (file)
@@ -1446,6 +1446,11 @@ The PKCS #11 URI Scheme is defined in :rfc:`7512`.
 
      "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
 
+   If access to a PKCS #11 device (HSM) is controlled by the OS, such as by
+   ``polkit`` utility, and :doc:`knotd<man_knotd>` and related utilites
+   (:doc:`keymgr<man_keymgr>`, :doc:`kzonesign<man_kzonesign>`) are run
+   as a non-root user, the privilege control must be configured accordingly in the OS.
+
 *Default:* :ref:`kasp-db<database_kasp-db>`\ ``/keys``
 
 .. _keystore_ksk-only:
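Review bot: typo in the added paragraph: "utilites" should be "utilities", and "such as by ``polkit`` utility" should read "such as by the ``polkit`` utility". The closing clause "the privilege control must be configured accordingly in the OS" tells the operator that something must be done but not what; consider stating the intent in one sentence (the OS user that knotd, keymgr and kzonesign run as needs to be granted access to the PKCS #11 device, e.g. via the relevant polkit or device-group policy) and pointing to the HSM vendor's or distribution's documentation, since the exact mechanism is outside Knot's control. Also worth noting that the three tools may run as different users (knotd as the service account, keymgr and kzonesign interactively), so the access rule has to cover each of them.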