From: David VaĊĦek Date: Thu, 16 Oct 2025 13:24:35 +0000 (+0200) Subject: WIP doc/reference: in keystore section, note that OS privileges may need to be set X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fdoc_hsm_access;p=thirdparty%2Fknot-dns.git WIP doc/reference: in keystore section, note that OS privileges may need to be set --- diff --git a/doc/reference.rst b/doc/reference.rst index 441c32116e..06ce2765bb 100644 --- a/doc/reference.rst +++ b/doc/reference.rst @@ -1446,6 +1446,11 @@ The PKCS #11 URI Scheme is defined in :rfc:`7512`. "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so" + If access to a PKCS #11 device (HSM) is controlled by the OS, such as by + ``polkit`` utility, and :doc:`knotd` and related utilites + (:doc:`keymgr`, :doc:`kzonesign`) are run + as a non-root user, the privilege control must be configured accordingly in the OS. + *Default:* :ref:`kasp-db`\ ``/keys`` .. _keystore_ksk-only:
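Review bot: The last added line, "the privilege control must be configured accordingly in the OS", does not tell the operator what has to be granted or to whom. Consider stating that the non-root account running knotd needs access to the PKCS #11 device, and that keymgr and kzonesign need the same access when they are invoked under a different account, since a key operation that works as root and fails as the service user is the case this note is meant to explain. Two wording fixes in the same paragraph: "utilites" should be "utilities", and "``polkit`` utility" reads better as plain "``polkit``", with "the" before "OS" dropped or kept consistently. It is also worth confirming in a docs build that the three :doc: roles (knotd, keymgr, kzonesign) resolve to existing documents, and rewrapping the paragraph so the last line matches the width of the surrounding text.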