Install Nitride

Install Nitride and securely integrate it into your environment, ensuring that workloads are verifiably trusted before granting access.

To interact with Nitride you need to install vHSM, and vHSM CLI.

Installing vHSM

Note: To install vHSM, you need an enterprise license. Contact support to obtain an enterprise license. Note: To install vHSM as a production server you need to create a config.json file. For more information, see Configuration.

You can install vHSM using, a Docker image, Helm chart, or by compiling from source.

Pull the latest image.

docker pull harbor.enclaive.cloud/vhsm/vhsm:latest

Set your enterprise license key as an environment variable.
```
export ENCLAIVE_LICENCE=<licence-key>
```

Start a Docker container named vhsm-container .

docker run -d --name vhsm-container -p 8200:8200 -p 8201:8201      -e ENCLAIVE_LICENCE="$ENCLAIVE_LICENCE"      harbor.enclaive.cloud/vhsm/vhsm:latest

Verify the container is running
```
docker ps
```

Check the logs to get the environment variables, unseal key, and root token.

docker logs vhsm-container

Example Output:

WARNING! dev mode is enabled! In this mode, vHSM runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variables:

    export VAULT_ADDR='http://0.0.0.0:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the vHSM or re-authenticate.

Unseal Key: pafYkq2uEVve3FW7n7RM6JUK/MWEHzAxvrEdlrb4QD4=
Root Token: hvs.7oXsG8t8L198HEpB865FdpFG

Development mode should NOT be used in production installations!

Set the environment variables as displayed in the output for accessing vHSM and save the unseal key and root token — you'll need them to access the vHSM UI or vHSM using the CLI. For more information see, vHSM login.
Access the vHSM UI.
Open your browser and go to: http://127.0.0.1:8200

Set your enterprise license key as an environment variable.
```
export ENCLAIVE_LICENCE=<licence-key>
```

Install vHSM in your Kubernetes cluster.

helm install vhsm oci://harbor.enclaive.cloud/vhsm/vhsm      --version 0.28.1      --set server.extraEnvironmentVars.ENCLAIVE_LICENCE="$ENCLAIVE_LICENCE"

Example Output:

Pulled: harbor.enclaive.cloud/enclaive-dev/vhsm:0.28.1
Digest: sha256:d10c10f013efbff0275c33b5c292dd442017c85406aecebf8dc19a2302bf43af
NAME: vhsm
LAST DEPLOYED: Fri Feb 21 19:11:59 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing Enclaive vHSM!
Now that you have deployed vHSM, you should look over the docs on using
Vault with Kubernetes available here:

https://docs.enclaive.cloud/virtual-hsm

Your release is named vhsm. To learn more about the release, try:

  helm status vhsm
  helm get manifest vhsm

Check if the pods are running.

kubectl get pods

Example Output:

NAME     READY   STATUS    RESTARTS   AGE
vhsm-0   1/1     Running   0          78s

Check if the services are running.

kubectl get svc

Example Output:

NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
vhsm            ClusterIP   10.96.219.177   <none>        8200/TCP,8201/TCP   90s
vhsm-internal   ClusterIP   None            <none>        8200/TCP,8201/TCP   90s

Port forward the service to access vHSM UI.

kubectl port-forward svc/vhsm 8200:8200 8201:8201

Access the vHSM UI.
Open your browser and go to: http://127.0.0.1:8200

Note: The vHSM is not initialized and unsealed by default. You will be prompted to initialize and unseal it. For more information about using the CLI , see vhsm operator.

To initialize vHSM:
```
vhsm operator init
```
To unseal vHSM. Ensure that you replace <unseal-key> with the unseal key that you obtained after initializing the vHSM.
```
vhsm operator unseal <unseal-key>
```

Prerequisites

Ensure the following are installed and configured:

Go, with the GOPATH environment variable set
Git, available in your system's PATH
Set the enterprise license key:
```
export ENCLAIVE_LICENCE=<licence-key>
```

Create directory structure in your GOPATH.

mkdir -p $GOPATH/src/github.com/enclaive && cd $_

Clone the vHSM repository.

git clone https://github.com/enclaive/vhsm.git

Navigate into the repository.
```
cd vhsm
```
Bootstrap the project.
```
make bootstrap
```
Build vHSM.
```
make dev
```
To build with the UI. The dev-ui target only adds a build tag to include the UI if it has already been built. To include the UI, run make static-dist or make static-dist-dev before building the main binary.
```
make dev-ui
```
Check if vHSM is installed.
```
vhsm -h
```
If vhsm is not found, add it to your PATH:
```
export PATH=$GOPATH/src/github.com/enclaive/vhsm/bin:$PATH
```
To start vHSM server in dev mode use: vhsm server -dev -dev-root-token-id="root"

Note: To start the server in Production mode, ensure that you have the config.json file and use the command: vhsm server -config=/etc/vault/config.json

To Access the vHSM UI. Open your browser and go to: http://127.0.0.1:8200

Next Step

Continue to install a CLI.

Last updated 2 months ago

Was this helpful?