Install Nitride

Install Nitride and securely integrate it into your environment, ensuring that workloads are verifiably trusted before granting access.

To interact with Nitride you need to install vHSM and the vHSM CLI.

Installing vHSM

Note: To install vHSM, you need an enterprise license. You also need access to the enclaive repository to download the precompiled binary. Contact support to obtain an enterprise license. To install vHSM as a production server you need to create a config.json file. For more information, see Configuration.

You can install vHSM using a Docker image, a Helm chart, or by compiling from source.

  1. Pull the latest image.

    docker pull harbor.enclaive.cloud/vhsm/vhsm:latest
  2. Set your enterprise license key as an environment variable.

    export ENCLAIVE_LICENCE=<licence-key>
  3. Start a Docker container named vhsm-container.

    docker run -d --name vhsm-container -p 8200:8200 -p 8201:8201 \
      -e ENCLAIVE_LICENCE="$ENCLAIVE_LICENCE" \
      harbor.enclaive.cloud/vhsm/vhsm:latest
  4. Verify the container is running.

    docker ps
  5. Check the logs to get the environment variables, unseal key, and root token.

    docker logs vhsm-container

    Example Output:

    WARNING! dev mode is enabled! In this mode, vHSM runs entirely in-memory
    and starts unsealed with a single unseal key. The root token is already
    authenticated to the CLI, so you can immediately begin using Vault.
    
    You may need to set the following environment variables:
    
        export VAULT_ADDR='http://0.0.0.0:8200'
    
    The unseal key and root token are displayed below in case you want to
    seal/unseal the vHSM or re-authenticate.
    
    Unseal Key: pafYkq2uEVve3FW7n7RM6JUK/MWEHzAxvrEdlrb4QD4=
    Root Token: hvs.7oXsG8t8L198HEpB865FdpFG
    
    Development mode should NOT be used in production installations!
  6. Set the environment variables as displayed in the output for accessing vHSM, and save the unseal key and root token. You'll need them to access the vHSM UI or to use vHSM from the CLI. For more information, see vHSM login.

  7. Access the vHSM UI.

    Open your browser and go to: http://127.0.0.1:8200
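
Steps 5 and 6 above, as an added example that is not part of the vHSM documentation: a shell helper that reads the container log, flags dev mode, and writes the unseal key and root token to a file readable only by the current user instead of leaving them in terminal scrollback. The function names, the output variable names VHSM_UNSEAL_KEY and VHSM_ROOT_TOKEN, and the sample log values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vHSM project code). Function names, output variable
# names and the sample log values are constructed for illustration.

# sample_dev_log: constructed log in the format of the example output above.
sample_dev_log() {
    cat <<'EOF'
WARNING! dev mode is enabled! In this mode, vHSM runs entirely in-memory
Unseal Key: CONSTRUCTED+unseal/key+for+this+example000000=
Root Token: hvs.CONSTRUCTEDexampleTOKEN0000
Development mode should NOT be used in production installations!
EOF
}

# vhsm_log_field <label>: print the first value that follows "<label>: " on stdin.
vhsm_log_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# vhsm_is_dev_mode: succeed if the log on stdin carries the dev-mode warning.
vhsm_is_dev_mode() {
    grep -q 'dev mode is enabled'
}

# vhsm_save_secrets <outfile>: read the log on stdin and store both secrets
# in <outfile> with mode 0600. Returns 1 if the log holds no credentials.
vhsm_save_secrets() {
    out=$1
    log=$(cat)
    key=$(printf '%s\n' "$log" | vhsm_log_field 'Unseal Key')
    token=$(printf '%s\n' "$log" | vhsm_log_field 'Root Token')
    if [ -z "$key" ] || [ -z "$token" ]; then
        echo "no unseal key or root token found in log" >&2
        return 1
    fi
    ( umask 077; printf 'VHSM_UNSEAL_KEY=%s\nVHSM_ROOT_TOKEN=%s\n' "$key" "$token" > "$out" )
    chmod 600 "$out"   # also tightens a file that already existed
    if printf '%s\n' "$log" | vhsm_is_dev_mode; then
        echo "dev mode: in-memory and started unsealed, do not use in production" >&2
    fi
}

# Real use: docker logs vhsm-container 2>&1 | vhsm_save_secrets "$HOME/.vhsm-dev-credentials"
```
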

  1. Set your enterprise license key as an environment variable.

    export ENCLAIVE_LICENCE=<licence-key>
  2. Install vHSM in your Kubernetes cluster.

    helm install vhsm oci://harbor.enclaive.cloud/vhsm/vhsm \
      --version 0.28.1 \
      --set injector.enabled=false \
      --set server.extraEnvironmentVars.ENCLAIVE_LICENCE="$ENCLAIVE_LICENCE"

    Example Output:

    Pulled: harbor.enclaive.cloud/enclaive-dev/vhsm:0.28.1
    Digest: sha256:d10c10f013efbff0275c33b5c292dd442017c85406aecebf8dc19a2302bf43af
    NAME: vhsm
    LAST DEPLOYED: Fri Feb 21 19:11:59 2025
    NAMESPACE: default
    STATUS: deployed
    REVISION: 1
    NOTES:
    Thank you for installing Enclaive vHSM!
    Now that you have deployed vHSM, you should look over the docs on using
    Vault with Kubernetes available here:
    
    https://docs.enclaive.cloud/virtual-hsm
    
    Your release is named vhsm. To learn more about the release, try:
    
      helm status vhsm
      helm get manifest vhsm
  3. Check if the pods are running.

    kubectl get pods

    Example Output:

    NAME     READY   STATUS    RESTARTS   AGE
    vhsm-0   0/1     Running   0          78s
  4. Check if the services are running.

    kubectl get svc

    Example Output:

    NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
    kubernetes      ClusterIP   10.96.0.1       <none>        443/TCP             13m
    vhsm            ClusterIP   10.96.219.177   <none>        8200/TCP,8201/TCP   90s
    vhsm-internal   ClusterIP   None            <none>        8200/TCP,8201/TCP   90s
  5. Port forward the service to access vHSM UI.

    kubectl port-forward svc/vhsm 8200:8200 8201:8201
  6. Access the vHSM UI.

    Open your browser and go to: http://127.0.0.1:8200

  • To initialize vHSM:

    vhsm operator init
  • To unseal vHSM, replace <unseal-key> with the unseal key that you obtained after initializing the vHSM:

    vhsm operator unseal <unseal-key>

Prerequisites

Ensure the following are installed and configured:

  • Go, with the GOPATH environment variable set

  • Git, available in your system's PATH

  • Set the enterprise license key:

    export ENCLAIVE_LICENCE=<licence-key>

  1. Create the directory structure in your GOPATH.

    mkdir -p "$GOPATH/src/github.com/enclaive" && cd "$_"
  2. Clone the vHSM repository.

    git clone https://github.com/enclaive/vhsm.git
  3. Navigate into the repository.

    cd vhsm
  4. Bootstrap the project.

    make bootstrap
  5. Build vHSM.

    make dev

    To build with the UI:

    make dev-ui
  6. Check if vHSM is installed.

    vhsm -h

    If vhsm is not found, add it to your PATH:

    export PATH="$GOPATH/src/github.com/enclaive/vhsm/bin:$PATH"
  7. Access the vHSM UI.

    Open your browser and go to: http://127.0.0.1:8200

Installing the vHSM CLI

To interact with vHSM, use the HashiCorp Vault CLI or Enclaive vHSM CLI.

Download the Linux CLI from the vHSM server:

    wget https://vhsm.enclaive.cloud/static/vhsm

Ubuntu/Debian

  1. Update the package manager and install GPG and wget.

    sudo apt update && sudo apt install gpg wget
  2. Download the keyring.

    wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
  3. Verify the keyring.

    gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
  4. Add the HashiCorp repository.

    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
  5. Install Vault.

    sudo apt update && sudo apt install vault
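
The "Verify the keyring" step only prints the fingerprint for a person to compare by eye. The following added example, which is not HashiCorp or enclaive code, turns that comparison into a check that fails when the fingerprint differs or when the keyring carries an extra primary key that apt would also trust through signed-by. The function names and the sample key listing are constructed for illustration, and the expected fingerprint must be taken from the Official Packaging Guide.

```shell
#!/bin/sh
# Added example (not HashiCorp or enclaive code). Function names and the
# sample key listing are constructed for illustration.

# sample_listing: constructed `gpg --with-colons` output, one primary key + subkey.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::0000000000000000000000000000000000000000::Constructed Example Key <packages@example.invalid>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# primary_fingerprints: print the fingerprint (field 10 of the fpr record that
# follows each pub record) of every primary key listed on stdin.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# keyring_matches <expected-fingerprint>: read a colon listing on stdin.
# Returns 0 if the keyring holds exactly one primary key with that fingerprint,
# 1 on a mismatch or empty keyring, 2 if additional primary keys are present.
keyring_matches() {
    expected=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$found" ] || return 1
    count=$(printf '%s\n' "$found" | grep -c .)
    [ "$count" -eq 1 ] || return 2
    [ "$found" = "$expected" ]
}

# Real use, with the fingerprint copied by hand from the Official Packaging Guide:
#   gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
#       --fingerprint --with-colons | keyring_matches "<fingerprint-from-guide>"
sample_listing | keyring_matches "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" \
    && echo "keyring contains only the expected key"
```
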

Fedora

  1. Install dnf config-manager to manage your repositories.

    sudo dnf install -y dnf-plugins-core
  2. Use dnf config-manager to add the official HashiCorp Linux repository.

    sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
  3. Install Vault.

    sudo dnf -y install vault

Amazon Linux

  1. Install yum-config-manager to manage your repositories.

    sudo yum install -y yum-utils
  2. Use yum-config-manager to add the official HashiCorp Linux repository.

    sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
  3. Install Vault.

    sudo yum -y install vault

To access the vHSM UI, open your browser and go to: http://127.0.0.1:8200

Note: The vHSM is not initialized and unsealed by default. You will be prompted to initialize and unseal it. For more information about using the CLI, see vhsm operator.

Please follow the instructions in the Official Packaging Guide to install the HashiCorp GPG key, verify the key's fingerprint, and install Vault.