CLI
This guide helps you initialize and configure Nitride using the vhsm CLI. It covers authentication, workload identity management, attestation policies, and namespaced token support.
Notes
All commands support the global HTTP and output options.
The @values.json syntax means the file is read and its contents are used as the request body.
Timestamps are typically UNIX epoch seconds.
For security, avoid using -tls-skip-verify in production.
For more information, use the --help flag with any subcommand.
The vHSM CLI is a helper program with two use cases:
When running on a client computer, it is a command-line interface for interacting with Vault and Nitride.
When running inside an enclave, it acts as an agent (sometimes referred to as the enclaivelet) between the workload, the platform security processor of the computer or cloud it runs on, and Nitride, the vHSM attestation verification service.
The vHSM CLI handles all these different types of locks and keys, so your program does not need to know which one it is dealing with. Irrespective of the underlying platform and attestation technology, it implements the protocol variants and issues a certificate in JSON format. For more information, see the attestation examples.
Usage
The command line follows the general syntax:
vhsm nitride [command] <subcommand> -Option
Command
init: Set up and initialize Nitride
identity: Manage workload identities
policy: Manage attestation verification claims
attestation: Manage attestations and reports
annotation: Manage human-readable mappings of attestation claims
totp: Manage time-based one-time passwords (TOTP) for attestation updates
Command Options
-mount: Specify the mount path (default: ratls)
Global Options
-address: Address of the vHSM server (default: https://127.0.0.1:8200). Environment variable: VAULT_ADDR
-agent-address: Address of the agent. Environment variable: VAULT_AGENT_ADDR
-ca-cert: Path to a PEM-encoded CA certificate file. Environment variable: VAULT_CACERT
-ca-path: Path to a directory of PEM-encoded CA certificates. Environment variable: VAULT_CAPATH
-client-cert: Path to a PEM-encoded client certificate for TLS. Environment variable: VAULT_CLIENT_CERT
-client-key: Path to a PEM-encoded private key for TLS. Environment variable: VAULT_CLIENT_KEY
-disable-redirects: Disable following HTTP redirects (default: false). Environment variable: VAULT_DISABLE_REDIRECTS
-header: Add custom HTTP header(s); header names cannot start with X-Vault-
-mfa: Supply MFA credentials as part of the X-Vault-MFA header. Environment variable: VAULT_MFA
-namespace, -ns: Namespace to use for the command. Environment variable: VAULT_NAMESPACE
-non-interactive: Prevent the CLI from prompting for input
-output-curl-string: Print the equivalent cURL command instead of executing
-output-policy: Print an example HCL policy required for the command instead of executing
-policy-override: Override a Sentinel policy with soft-mandatory enforcement
-tls-server-name: SNI host for TLS connections. Environment variable: VAULT_TLS_SERVER_NAME
-tls-skip-verify: Skip TLS certificate verification (not recommended). Environment variable: VAULT_SKIP_VERIFY
-unlock-key: Key to unlock a namespace API lock
-wrap-ttl: Wrap the response in a cubbyhole token with the requested TTL. Environment variable: VAULT_WRAP_TTL
Output Options
-format: Output format: table, json, yaml, pretty, or raw (raw is available for vhsm read only). Default: table. Environment variable: VAULT_FORMAT