# CLI

{% hint style="info" %}

### Notes

* All commands support the [global HTTP](#global-options) and [output](#output-options) options.
* The `@values.json` syntax means the file is read and its contents are used as the request body.
* Timestamps are typically UNIX epoch seconds.
* For security, avoid using `-tls-skip-verify` in production.

For more information, use the **`--help`** flag with any subcommand.
{% endhint %}

vHSM CLI is a special helper program with two use cases.

* When running on the client computer, it is a command line interface to interact with Vault and Nitride.
* When running in an enclave, it acts as an agent (sometimes referred to as the enclaivelet) between the workload, the platform security processor of the computer or cloud it is running on, and the vHSM attestation verification service Nitride.

vHSM CLI handles all these different types of locks and keys so your program doesn't have to worry about which one it's dealing with. Irrespective of the underlying platform and attestation [technology](https://app.gitbook.com/s/etGMTZNbCMxe3nxgUCdF/confidential-computing/hardware-secure-enclave), it implements the protocol variants and issues a certificate in JSON format. For more information, see [attestation examples](https://docs.enclaive.cloud/nitride/documentation/concepts/attestation#attestation-report).

## Usage

The command line follows the general syntax:

```
vhsm nitride [command] <subcommand> -Option
```

### Command

| Command       | Description                                                 |
| ------------- | ----------------------------------------------------------- |
| `init`        | Set up and initialize nitride                               |
| `identity`    | Manage workload identities                                  |
| `policy`      | Manage attestation verification claims                      |
| `attestation` | Manage attestations and reports                             |
| `annotation`  | Manage human-readable mappings of attestation claims        |
| `totp`        | Manage time-based one-time passwords for attestation updates |

## Command Options

| Flag     | Description                         |
| -------- | ----------------------------------- |
| `-mount` | Specify mount path (default: ratls) |

### Global Options

| Flag                  | Description                                                            | System Variable           |
| --------------------- | ---------------------------------------------------------------------- | ------------------------- |
| `-address`            | Address of the vHSM server (default: `https://127.0.0.1:8200`)         | `VAULT_ADDR`              |
| `-agent-address`      | Address of the Agent                                                   | `VAULT_AGENT_ADDR`        |
| `-ca-cert`            | Path to a PEM-encoded CA certificate file                              | `VAULT_CACERT`            |
| `-ca-path`            | Path to a directory of PEM-encoded CA certificates                     | `VAULT_CAPATH`            |
| `-client-cert`        | Path to a PEM-encoded client certificate for TLS                       | `VAULT_CLIENT_CERT`       |
| `-client-key`         | Path to a PEM-encoded private key for TLS                              | `VAULT_CLIENT_KEY`        |
| `-disable-redirects`  | Disable following HTTP redirects (default: false)                      | `VAULT_DISABLE_REDIRECTS` |
| `-header`             | Add custom HTTP header(s) (cannot start with `X-Vault-`)               |                           |
| `-mfa`                | Supply MFA credentials as part of `X-Vault-MFA` header                 | `VAULT_MFA`               |
| `-namespace`, `-ns`   | Namespace to use for the command                                       | `VAULT_NAMESPACE`         |
| `-non-interactive`    | Prevents CLI from prompting for input                                  |                           |
| `-output-curl-string` | Print equivalent cURL command instead of executing                     |                           |
| `-output-policy`      | Print example HCL policy required for the command instead of executing |                           |
| `-policy-override`    | Override a Sentinel policy with soft-mandatory enforcement             |                           |
| `-tls-server-name`    | SNI host for TLS connections                                           | `VAULT_TLS_SERVER_NAME`   |
| `-tls-skip-verify`    | Skip TLS certificate verification (not recommended)                    | `VAULT_SKIP_VERIFY`       |
| `-unlock-key`         | Key to unlock a namespace API lock                                     |                           |
| `-wrap-ttl`           | Wrap response in a cubbyhole token with the requested TTL              | `VAULT_WRAP_TTL`          |
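The notes above warn against `-tls-skip-verify` outside local testing, and the options table says `-header` values may not start with `X-Vault-` and that an `@file` argument is read as the request body. The following pre-flight wrapper is an added example, not part of vHSM CLI: it inspects an intended `vhsm nitride` argument list plus the `VAULT_ADDR` / `VAULT_SKIP_VERIFY` environment before the command is run and refuses those misconfigurations. The function name `vhsm_preflight` and the loopback-only rule for skipping verification are assumptions made here.

```shell
# vhsm_preflight: hypothetical pre-flight check (added example, not vHSM CLI code).
# Usage: vhsm_preflight <args you intend to pass to vhsm nitride ...>
# Returns 0 when the invocation looks safe, 1 (with a reason on stderr) otherwise.
vhsm_preflight() {
  addr="${VAULT_ADDR:-https://127.0.0.1:8200}"   # same default as -address
  skip="${VAULT_SKIP_VERIFY:-}"                   # env form of -tls-skip-verify
  while [ $# -gt 0 ]; do
    case "$1" in
      -address|-header)
        [ $# -ge 2 ] || { echo "refused: $1 needs a value" >&2; return 1; } ;;
    esac
    case "$1" in
      -address)           addr="$2"; shift ;;
      -address=*)         addr="${1#-address=}" ;;
      -tls-skip-verify)   skip="true" ;;
      -tls-skip-verify=*) skip="${1#-tls-skip-verify=}" ;;
      -header)            hdr="$2"; shift ;;
      -header=*)          hdr="${1#-header=}" ;;
      @*|*=@*)
        # "@values.json" (or key=@file): the file becomes the request body,
        # so it must exist and be readable before the CLI is invoked.
        body="${1#*@}"
        [ -r "$body" ] || { echo "refused: body file '$body' not readable" >&2; return 1; } ;;
    esac
    case "${hdr:-}" in
      X-Vault-*|x-vault-*)
        echo "refused: custom -header may not start with X-Vault- ($hdr)" >&2; return 1 ;;
    esac
    hdr=""
    shift
  done
  # Reduce the address to its host part (drop scheme, path and port).
  host="${addr#*://}"; host="${host%%/*}"; host="${host%%:*}"
  case "$skip" in
    true|TRUE|True|1)
      case "$host" in
        127.0.0.1|localhost) ;;   # loopback: tolerable for local testing only
        *) echo "refused: -tls-skip-verify against non-loopback host '$host'" >&2; return 1 ;;
      esac ;;
  esac
  return 0
}
```

Wrap it as `vhsm_preflight "$@" && vhsm nitride "$@"` in a shell alias or script so a refused invocation never reaches the server.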

## Output Options

| Flag      | Description                                                                                         | Env Variable   |
| --------- | --------------------------------------------------------------------------------------------------- | -------------- |
| `-format` | Output format: `table`, `json`, `yaml`, `pretty`, or `raw` (for `vhsm read` only). Default: `table` | `VAULT_FORMAT` |
