# CLI

{% hint style="info" %}

### Notes

* All commands support the [global HTTP](#global-http-options) and [output](#output-options) options.
* The `@values.json` syntax means the file is read and its contents are used as the request body.
* Timestamps are typically UNIX epoch seconds.
* For security, avoid using `-tls-skip-verify` in production.

For more information, use the **`--help`** flag with any subcommand.
{% endhint %}

vHSM CLI is a special helper program with two use cases.

* When running on the client computer, it is a command line interface to interact with Vault and Nitride.
* When running in an enclave, it acts as an agent (we sometimes refer to it as an enclaivelet) between the workload, the platform security processor of the computer or cloud it is running on, and the vHSM attestation verification service Nitride.

vHSM CLI handles all these different types of locks and keys so your program doesn't have to worry about which one it's dealing with. Irrespective of the underlying platform and attestation [technology](https://docs.enclaive.cloud/confidential-cloud/confidential-computing/hardware-secure-enclave), it implements the protocol variants and issues a certificate in JSON format. For more information, see [attestation examples](/nitride/documentation/concepts/attestation.md#attestation-report).

## Usage

The command line follows the general syntax:

```
vhsm nitride [command] <subcommand> -Option
```

### Command

| Command       | Description                                                 |
| ------------- | ----------------------------------------------------------- |
| `init`        | Set up and initialize nitride                               |
| `identity`    | Manage workload identities                                  |
| `policy`      | Manage attestation verification claims                      |
| `attestation` | Manage attestations and reports                             |
| `annotation`  | Manage human-readable mappings of attestation claims        |
| `totp`        | Manage time-based One-time Password for attestation updates |

## Command Options

| Flag     | Description                         |
| -------- | ----------------------------------- |
| `-mount` | Specify mount path (default: ratls) |

### Global Options

| Flag                  | Description                                                            | System Variable           |
| --------------------- | ---------------------------------------------------------------------- | ------------------------- |
| `-address`            | Address of the vHSM server (default: `https://127.0.0.1:8200`)         | `VAULT_ADDR`              |
| `-agent-address`      | Address of the Agent                                                   | `VAULT_AGENT_ADDR`        |
| `-ca-cert`            | Path to a PEM-encoded CA certificate file                              | `VAULT_CACERT`            |
| `-ca-path`            | Path to a directory of PEM-encoded CA certificates                     | `VAULT_CAPATH`            |
| `-client-cert`        | Path to a PEM-encoded client certificate for TLS                       | `VAULT_CLIENT_CERT`       |
| `-client-key`         | Path to a PEM-encoded private key for TLS                              | `VAULT_CLIENT_KEY`        |
| `-disable-redirects`  | Disable following HTTP redirects (default: false)                      | `VAULT_DISABLE_REDIRECTS` |
| `-header`             | Add custom HTTP header(s) (cannot start with `X-Vault-`)               |                           |
| `-mfa`                | Supply MFA credentials as part of `X-Vault-MFA` header                 | `VAULT_MFA`               |
| `-namespace`, `-ns`   | Namespace to use for the command                                       | `VAULT_NAMESPACE`         |
| `-non-interactive`    | Prevents CLI from prompting for input                                  |                           |
| `-output-curl-string` | Print equivalent cURL command instead of executing                     |                           |
| `-output-policy`      | Print example HCL policy required for the command instead of executing |                           |
| `-policy-override`    | Override a Sentinel policy with soft-mandatory enforcement             |                           |
| `-tls-server-name`    | SNI host for TLS connections                                           | `VAULT_TLS_SERVER_NAME`   |
| `-tls-skip-verify`    | Skip TLS certificate verification (not recommended)                    | `VAULT_SKIP_VERIFY`       |
| `-unlock-key`         | Key to unlock a namespace API lock                                     |                           |
| `-wrap-ttl`           | Wrap response in a cubbyhole token with the requested TTL              | `VAULT_WRAP_TTL`          |
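Because most of the global options above can also be supplied through `VAULT_*` environment variables, it is easy to end up with a session that silently points at a plain-HTTP address or has `VAULT_SKIP_VERIFY` set. The following preflight check is an added example, not part of the enclaive vHSM/Nitride tooling: it inspects the variables from the table (`VAULT_ADDR`, `VAULT_SKIP_VERIFY`, `VAULT_CACERT`, `VAULT_CAPATH`, `VAULT_CLIENT_CERT`, `VAULT_CLIENT_KEY`) and returns non-zero if the setup would weaken TLS or is inconsistent. The rule that a non-empty `VAULT_SKIP_VERIFY` other than `false`/`0` counts as "verification disabled" is an assumption of this script, as is the choice to only warn when no CA file or directory is configured.

```shell
#!/bin/sh
# Preflight check for a vHSM CLI environment (added example; not part of the
# enclaive vHSM/Nitride project). Returns 0 when the VAULT_* variables describe
# a sound TLS setup, 1 otherwise. Findings are written to stderr.
vhsm_env_check() {
  addr="${VAULT_ADDR:-https://127.0.0.1:8200}"   # same default as the -address flag
  rc=0

  # 1. The server address must be reachable over TLS.
  case "$addr" in
    https://*) ;;
    *) echo "FAIL: VAULT_ADDR must use https (got: $addr)" >&2; rc=1 ;;
  esac

  # 2. Refuse a session that disables certificate verification
  #    (assumption: any value other than empty/false/0 enables the skip).
  case "${VAULT_SKIP_VERIFY:-}" in
    ""|false|0) ;;
    *) echo "FAIL: VAULT_SKIP_VERIFY is set; TLS verification would be skipped" >&2; rc=1 ;;
  esac

  # 3. If a CA file is configured it must actually be a PEM certificate.
  if [ -n "${VAULT_CACERT:-}" ]; then
    if ! grep -q "BEGIN CERTIFICATE" "$VAULT_CACERT" 2>/dev/null; then
      echo "FAIL: VAULT_CACERT does not point to a readable PEM certificate" >&2; rc=1
    fi
  elif [ -z "${VAULT_CAPATH:-}" ]; then
    # Not a hard failure: the system trust store may be intended.
    echo "WARN: neither VAULT_CACERT nor VAULT_CAPATH set; relying on the system trust store" >&2
  fi

  # 4. Client certificate and key only make sense as a pair.
  cc="${VAULT_CLIENT_CERT:-}"; ck="${VAULT_CLIENT_KEY:-}"
  if { [ -n "$cc" ] && [ -z "$ck" ]; } || { [ -z "$cc" ] && [ -n "$ck" ]; }; then
    echo "FAIL: VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together" >&2; rc=1
  fi

  return $rc
}

# Constructed demonstration: a deliberately weak environment is rejected.
( export VAULT_ADDR="http://vault.internal:8200" VAULT_SKIP_VERIFY=true
  vhsm_env_check || echo "weak environment rejected" )
```

Source the file or paste the function into the shell profile and run `vhsm_env_check && vhsm nitride ...` so that a misconfigured session never reaches the server.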

## Output Options

| Flag      | Description                                                                                         | Env Variable   |
| --------- | --------------------------------------------------------------------------------------------------- | -------------- |
| `-format` | Output format: `table`, `json`, `yaml`, `pretty`, or `raw` (for `vhsm read` only). Default: `table` | `VAULT_FORMAT` |
