Create Annotations

Annotations make attestation reports human-friendly.

Set vHSM environment variables

Note: If the vHSM Nitride plugin is enabled in a specific namespace, be sure to include the appropriate namespace in the X-Vault-Namespace header when making curl requests.

Example

export VAULT_ADDR=https://vhsm.enclaive.cloud/
export VAULT_TOKEN=$(cat ~/.vault-token)/
export VAULT_NAMESPACE="test/"

Create individual annotations

After verifying an attestation, you may have multiple abstract values—such as PCRs or measurements—that are not directly human-readable. Annotations let you map each of these values to a clear description.

For example:

PCR8 / Kernel Command Line / Enclaive Buckypaper v1.0.0 / 2025-06-20

Note: Firmware versions are already human-readable and typically do not need annotations.

Key naming caveat

Due to how the storage interface works for plugins, keys containing slashes (/) are interpreted as file system paths. For example, a key named milan/pcrs/0 will appear in a listing as milan/. However, you must still use the full key (milan/pcrs/0) when retrieving it.

Example : PCR 0 value

Create a file named values.json with these content:

{
  "key": "8aFCxTWG5+IiPsdOX00aSUKVax/ZrHj6/N+FEXqjRdo=",
  "value": "Kernel Command Line / Enclaive Buckypaper v1.0.0 / 2025-06-20"
}

Now use this command to create the annotation:

vhsm nitride annotation create @values.json

curl -X PUT "$VAULT_ADDR/v1/auth/ratls/annotations" \
  -H "X-Vault-Token: $VAULT_TOKEN" \
  -H "Content-Type: application/json" \
  -H "X-Vault-Namespace: $VAULT_NAMESPACE" \
  -d '{
    "key": "8aFCxTWG5+IiPsdOX00aSUKVax/ZrHj6/N+FEXqjRdo=",
    "value": "Kernel Command Line / Enclaive Buckypaper v1.0.0 / 2025-06-20"
  }'

Output

Key        Value
---        -----
created    1755497783
key        8aFCxTWG5+IiPsdOX00aSUKVax/ZrHj6/N+FEXqjRdo=
value      Kernel Command Line / Enclaive Buckypaper v1.0.0 / 2025-06-20

{
  "request_id": "3ed99957-41ae-7b84-89a0-c82fce9e7cca",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "created": 1755255339,
    "key": "8aFCxTWG5+IiPsdOX00aSUKVax/ZrHj6/N+FEXqjRdo=",
    "value": "Kernel Command Line / Enclaive Buckypaper v1.0.0 / 2025-06-20"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

List all annotations

To verify which annotations exist:

 vhsm nitride annotation list

Output

Keys
----
8aFCxTWG5+IiPsdOX00aSUKVax/

{
  "request_id": "572b3a54-0911-7d64-1b56-9789a04f185b",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "8aFCxTWG5+IiPsdOX00aSUKVax/"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Note:

Keys with slashes (/) are treated as file system paths by the storage interface for plugins. For instance, a key named a/bwill be listed as a/, but you must use the complete key (a/b) when retrieving it.

Delete an annotation (optional)

To delete an annotation:

vhsm nitride annotation delete <key>

Replace <key> with the actual annotation key for example 8aFCxTWG5+IiPsdOX00aSUKVax/ZrHj6/N+FEXqjRdo=

Output

Success! Data deleted (if it existed) at: auth/ratls/annotations/<key>

Last updated 4 months ago

Was this helpful?