CLI

This guide explains how to initialize and configure Nitride with the vhsm CLI. It covers authentication, workload identity management, attestation policies, and namespaced token support.

Notes

  • All commands accept the global options and output options listed below.

  • An argument of the form @values.json means the named file is read and its contents are sent as the request body.

  • Timestamps are UNIX epoch seconds unless stated otherwise.

  • Do not use -tls-skip-verify in production: it disables verification of the server certificate and leaves the connection open to man-in-the-middle attacks.

For more information, use the --help flag with any subcommand.

The vHSM CLI is a helper program with two use cases:

  • Running on a client computer, it is a command line interface for interacting with Vault and Nitride.

  • Running inside an enclave, it acts as an agent (sometimes referred to as an enclaivelet) between the workload, the platform security processor of the computer or cloud it is running on, and Nitride, the vHSM attestation verification service.

The vHSM CLI handles these different platforms and attestation technologies so your program does not have to know which one it is dealing with. Irrespective of the underlying platform and attestation technology, it implements the protocol variants and issues a certificate in JSON format. For more information, see the attestation examples.

Usage

The command line follows the general syntax:

vhsm nitride <command> [subcommand] [-option ...]

<command> is one of the commands listed below; -option is a command option or a global option.

Commands

  init          Set up and initialize Nitride
  identity      Manage workload identities
  policy        Manage attestation verification claims
  attestation   Manage attestations and reports
  annotation    Manage human-readable mappings of attestation claims
  totp          Manage time-based one-time passwords (TOTP) for attestation updates

Command Options

  -mount        Specify the mount path (default: ratls)

Global Options

Where an environment variable is shown in parentheses, the option can also be set through that variable.

  -address (VAULT_ADDR)
      Address of the vHSM server (default: https://127.0.0.1:8200)

  -agent-address (VAULT_AGENT_ADDR)
      Address of the Agent

  -ca-cert (VAULT_CACERT)
      Path to a PEM-encoded CA certificate file used to verify the server certificate

  -ca-path (VAULT_CAPATH)
      Path to a directory of PEM-encoded CA certificates used to verify the server certificate

  -client-cert (VAULT_CLIENT_CERT)
      Path to a PEM-encoded client certificate for TLS client authentication

  -client-key (VAULT_CLIENT_KEY)
      Path to the PEM-encoded private key matching the client certificate

  -disable-redirects (VAULT_DISABLE_REDIRECTS)
      Disable following HTTP redirects (default: false)

  -header
      Add a custom HTTP header to the request, as key=value; may be repeated. Header names starting with X-Vault- are rejected.

  -mfa (VAULT_MFA)
      Supply MFA credentials in the X-Vault-MFA header

  -namespace, -ns (VAULT_NAMESPACE)
      Namespace to use for the command

  -non-interactive
      Never prompt for input; fail instead

  -output-curl-string
      Print the equivalent cURL command instead of executing the request

  -output-policy
      Print an example HCL policy granting the permissions the command needs, instead of executing it

  -policy-override
      Override a Sentinel policy that has soft-mandatory enforcement

  -tls-server-name (VAULT_TLS_SERVER_NAME)
      Server name (SNI) to present when connecting via TLS

  -tls-skip-verify (VAULT_SKIP_VERIFY)
      Skip verification of the server's TLS certificate. Not recommended: use -ca-cert or -ca-path to trust a private CA instead.

  -unlock-key
      Key to unlock a namespace API lock

  -wrap-ttl (VAULT_WRAP_TTL)
      Wrap the response in a cubbyhole token with the requested TTL

Output Options

  -format (VAULT_FORMAT)
      Output format: table, json, yaml, pretty, or raw (raw only for vhsm read). Default: table
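The following shell script is an added example, not code from the vhsm CLI or from Nitride. It puts the conventions above into working form: the @file request-body syntax from the Notes, the VAULT_* variables behind the global options, and the -tls-skip-verify caveat, by building the cURL command a call would be equivalent to (the kind of output -output-curl-string gives). It assumes the VAULT_TOKEN variable and the X-Vault-Token, X-Vault-Namespace, X-Vault-MFA and X-Vault-Wrap-TTL header names from Vault's HTTP API (the X-Vault- prefix mentioned under -header); VHSM_ENV and the API path ratls/example are placeholders invented for this example, not Nitride variables or endpoints.

```sh
#!/bin/sh
# Added example; not code from the vhsm CLI or Nitride. It applies the
# conventions documented on this page: the "@file" request-body syntax, the
# VAULT_* variables behind the global options, and the -tls-skip-verify caveat.
# Assumptions (not from the page): VAULT_TOKEN and the X-Vault-* header names
# come from Vault's HTTP API; VHSM_ENV is a made-up variable for this example.

# resolve_body ARG: print the request body. An argument of the form
# "@values.json" means "read that file"; anything else is used literally.
resolve_body() {
  case "$1" in
    @*) cat "${1#@}" ;;
    *)  printf '%s' "$1" ;;
  esac
}

# vhsm_curl_string API_PATH [BODY]: print a curl command equivalent to a vhsm
# request, built from the environment variables listed under Global Options.
# Refuses to emit --insecure when VAULT_SKIP_VERIFY is set and VHSM_ENV is
# "production", so the "not in production" rule is enforced, not just advised.
vhsm_curl_string() {
  addr="${VAULT_ADDR:-https://127.0.0.1:8200}"
  cmd="curl"

  # TLS: either skip verification (development only) or trust VAULT_CACERT.
  if [ -n "$VAULT_SKIP_VERIFY" ]; then
    if [ "${VHSM_ENV:-dev}" = "production" ]; then
      echo "refusing to skip TLS verification in production" >&2
      return 1
    fi
    cmd="$cmd --insecure"
  elif [ -n "$VAULT_CACERT" ]; then
    cmd="$cmd --cacert '$VAULT_CACERT'"
  fi

  # Headers the CLI derives from the token, -namespace, -mfa and -wrap-ttl.
  if [ -n "$VAULT_TOKEN" ]; then
    cmd="$cmd -H 'X-Vault-Token: $VAULT_TOKEN'"
  fi
  if [ -n "$VAULT_NAMESPACE" ]; then
    cmd="$cmd -H 'X-Vault-Namespace: $VAULT_NAMESPACE'"
  fi
  if [ -n "$VAULT_MFA" ]; then
    cmd="$cmd -H 'X-Vault-MFA: $VAULT_MFA'"
  fi
  if [ -n "$VAULT_WRAP_TTL" ]; then
    cmd="$cmd -H 'X-Vault-Wrap-TTL: $VAULT_WRAP_TTL'"
  fi

  # A body turns the request into a POST carrying the resolved JSON payload.
  if [ $# -ge 2 ]; then
    body=$(resolve_body "$2")
    cmd="$cmd -X POST -H 'Content-Type: application/json' --data '$body'"
  fi

  printf '%s\n' "$cmd '$addr/v1/$1'"
}

# demo: constructed input only. "ratls/example" is a placeholder path under the
# default mount, not a documented Nitride endpoint.
demo() {
  tmp=$(mktemp)
  printf '{"name":"demo"}' > "$tmp"
  VAULT_ADDR=https://vhsm.example:8200 VAULT_NAMESPACE=team-a \
  VAULT_CACERT=/etc/ssl/vhsm-ca.pem VAULT_TOKEN=s.example \
    vhsm_curl_string "ratls/example" "@$tmp"
  rm -f "$tmp"
}

demo
```

The production guard is the part worth copying into real wrapper scripts: the CLI itself will happily honour VAULT_SKIP_VERIFY wherever it is set, so the check belongs in whatever tooling invokes vhsm on production hosts.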
