# vhsm delete

The `vhsm delete` command removes secrets and configuration from vHSM at the specified path. The behavior of this command is delegated to the backend corresponding to the given path.

### Usage

```
vhsm delete [options] PATH
```

### Examples

####  Example 1: Remove a Secret from the Static Secrets Engine

```
vhsm delete secret/my-secret
```

This command deletes the secret stored at `secret/my-secret`.

#### Example 2: Uninstall an Encryption Key in the Transit Backend

```
vhsm delete transit/keys/my-key
```

{% hint style="info" %}
**Note:** Some encryption keys may require additional configuration to allow deletion.
{% endhint %}

#### Example 3: Delete an IAM Role

```
vhsm delete aws/roles/ops
```

This removes the IAM role named `ops` from the AWS backend.

### Output

The `vhsm delete` command does not return any output upon successful execution. If an error occurs, vHSM will return an appropriate error message.

### Options

#### **HTTP Options**

| Option                | Type          | Description                                                                                                          |
| --------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------- |
| `-address`            | `<string>`    | Address of the vHSM server (default: `https://127.0.0.1:8200`). Can be set via `VAULT_ADDR`.                         |
| `-agent-address`      | `<string>`    | Address of the Agent. Can be set via `VAULT_AGENT_ADDR`.                                                             |
| `-ca-cert`            | `<string>`    | Path to a PEM-encoded CA certificate for verifying the vHSM server's SSL certificate. Can be set via `VAULT_CACERT`. |
| `-ca-path`            | `<string>`    | Path to a directory of PEM-encoded CA certificates. Can be set via `VAULT_CAPATH`.                                   |
| `-client-cert`        | `<string>`    | Path to a client certificate for TLS authentication. Requires `-client-key`. Can be set via `VAULT_CLIENT_CERT`.     |
| `-client-key`         | `<string>`    | Path to a private key matching the client certificate. Can be set via `VAULT_CLIENT_KEY`.                            |
| `-disable-redirects`  | `<boolean>`   | Disable client behavior that follows a single redirect (default: `false`). Can be set via `VAULT_DISABLE_REDIRECTS`. |
| `-header`             | `<key=value>` | Key-value pair added as an HTTP header. Cannot start with `X-Vault-`.                                                |
| `-mfa`                | `<string>`    | Supply MFA credentials as part of the `X-Vault-MFA` header. Can be set via `VAULT_MFA`.                              |
| `-namespace`          | `<string>`    | Specify the namespace for the command. Can be set via `VAULT_NAMESPACE`.                                             |
| `-non-interactive`    | `<boolean>`   | Prevents user input prompts (default: `false`).                                                                      |
| `-output-curl-string` | `<boolean>`   | Prints an equivalent `cURL` command instead of executing the request (default: `false`).                             |
| `-output-policy`      | `<boolean>`   | Prints an example HCL policy instead of executing the request (default: `false`).                                    |
| `-policy-override`    | `<boolean>`   | Overrides a Sentinel policy with soft-mandatory enforcement (default: `false`).                                      |
| `-tls-server-name`    | `<string>`    | Name to use as the SNI host when connecting via TLS. Can be set via `VAULT_TLS_SERVER_NAME`.                         |
| `-tls-skip-verify`    | `<boolean>`   | Disable TLS certificate verification (default: `false`). **Not recommended.** Can be set via `VAULT_SKIP_VERIFY`.    |
| `-unlock-key`         | `<string>`    | Key to unlock a namespace API lock.                                                                                  |
| `-wrap-ttl`           | `<duration>`  | Wraps the response in a cubbyhole token with a specified TTL (e.g., `30s`, `5m`). Can be set via `VAULT_WRAP_TTL`.   |

#### **Output Options**

| Option    | Type       | Description                                                                                                                                |
| --------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
|           |            | Description                                                                                                                                |
| `-field`  | `<string>` | Prints only the specified field. Useful for piping output.                                                                                 |
| `-format` | `<string>` | Defines output format: `table`, `json`, `yaml`, `pretty`. `raw` is allowed for `vhsm read` operations only. Can be set via `VAULT_FORMAT`. |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enclaive.cloud/virtual-hsm/cli/secret-management/vhsm-delete.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.