# vhsm operator

The `vhsm operator` command groups subcommands for vHSM operators to manage and diagnose a vHSM server. These commands are primarily used for initialization, sealing/unsealing, key rotation, leadership management, and diagnostics.

Most end-users will not need to interact with these commands.

### **Usage**

```
vhsm operator <subcommand> [options] [args]
```

***

### **Subcommands**

| Subcommand      | Description                                              |
| --------------- | -------------------------------------------------------- |
| `diagnose`      | Troubleshoot problems starting vHSM                      |
| `generate-root` | Generates a **new root token**                           |
| `init`          | **Initializes** a vHSM server                            |
| `key-status`    | Provides information about the **active encryption key** |
| `members`       | Returns the list of **nodes in the cluster**             |
| `migrate`       | Migrates **vHSM data between storage backends**          |
| `raft`          | Interacts with vHSM's **Raft storage backend**           |
| `rekey`         | Generates **new unseal keys**                            |
| `rotate`        | Rotates the **underlying encryption key**                |
| `seal`          | Seals the **vHSM server**, making it inaccessible        |
| `step-down`     | Forces vHSM to **resign active duty**                    |
| `unseal`        | **Unseals** the vHSM server                              |
| `usage`         | Lists **historical client counts**                       |

***

### **Examples**

| Action                            | Command                   |
| --------------------------------- | ------------------------- |
| Initialize a new cluster          | `vhsm operator init`      |
| Force vHSM to step down as leader | `vhsm operator step-down` |
| Rotate vHSM’s encryption key      | `vhsm operator rotate`    |

#### **Example Output for `init`**

```
$ vhsm operator init
Unseal Key 1: sP/4C/fwIDjJmHEC2bi/1Pa43uKhsUQMmiB31GRzFc0R
Unseal Key 2: kHkw2xTBelbDFIMEgEC8NVX7NDSAZ+rdgBJ/HuJwxOX+
Unseal Key 3: +1+1ZnkQDfJFHDZPRq0wjFxEuEEHxDDOQxa8JJ/AYWcb
Unseal Key 4: cewseNJTLovmFrgpyY+9Hi5OgJlJgGGCg7PZyiVdPwN0
Unseal Key 5: wyd7rMGWX5fi0k36X4e+C4myt5CoTmJsHJ0rdYT7BQcF
Initial Root Token: 6662bb4a-afd0-4b6b-faad-e237fb564568
```

#### Example: Unseal vHSM server

```sh
vhsm operator unseal [options] [KEY]
```

The `unseal` command is used to provide a portion of the root key—known as an *unseal key*—to unseal a vHSM server. By default, vHSM starts in a sealed state and cannot perform any operations until it has been unsealed.

#### Providing the Unseal Key

You can supply the unseal key directly as a command-line argument:

```sh
$ vhsm operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
```

> ⚠️ **Note:** Supplying the key as a command-line argument is *not recommended*, as it may be stored in your shell history.

Instead, run the command without arguments. vHSM then prompts for the key and hides the input:

```sh
$ vhsm operator unseal
Key (will be hidden): ********
```
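
To check whether an unseal key has already been typed on a command line, the following added example (not part of the vHSM documentation or tooling) scans shell history files for `vhsm operator unseal` invocations that carry a positional argument. It assumes options are written as single tokens beginning with `-`; the function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Heuristic: after `vhsm operator unseal`,
# the first token that does not start with "-" is treated as a KEY.
# Assumption: options are single tokens (for example -name=value).

# Print "file:line" for each history entry that passed a key as an argument.
scan_history_for_unseal_keys() {
    awk '
    {
        sub(/^: [0-9]+:[0-9]+;/, "")      # strip zsh extended-history prefix
        for (i = 1; i + 2 <= NF; i++) {
            if ($i !~ /(^|\/)vhsm$/ || $(i+1) != "operator" || $(i+2) != "unseal")
                continue
            for (j = i + 3; j <= NF; j++) {
                if ($j ~ /^([;|&#]|[0-9]*[<>])/) break   # end of this command
                if ($j ~ /^-/) continue                  # an option, not a key
                printf "%s:%d\n", FILENAME, FNR          # location only, never the key
                break
            }
            break
        }
    }' "$@"
}

# Constructed sample history; the key strings are placeholders, not real keys.
write_sample_history() {
    cat > "$1" <<'EOF'
vhsm operator unseal
vhsm operator unseal PLACEHOLDERKEY0000000000000000000000000000=
: 1700000000:0;vhsm operator unseal --help
: 1700000060:0;/usr/local/bin/vhsm operator unseal PLACEHOLDERKEY1111= && vhsm operator key-status
vhsm operator unseal ; history
vhsm operator seal
EOF
}
```

Run it as `scan_history_for_unseal_keys ~/.bash_history ~/.zsh_history`. Any reported line means that key has been written to disk in plaintext; remove the entry and consider generating new unseal keys with `vhsm operator rekey`.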

#### Options

*This command accepts standard CLI options.* Use `--help` to view available flags:

```sh
$ vhsm operator unseal --help
```

