vhsm secrets tune

The vhsm secrets tune command modifies the configuration settings for a secrets engine at a specified path. This does not modify the secrets engine type but updates its configuration parameters.

Before tuning, check the current configuration using: vhsm read sys/mounts/<path>/tune

Usage

vhsm secrets tune [options] <path>

Examples

Example1: View current configuration for "pki/"

vhsm read sys/mounts/pki/tune

Output

Key                             Value
---                             -----
default_lease_ttl               12h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h

Example 2: Tune default lease TTL and exclude fields from HMAC in audit logs

vhsm secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/

Output

Success! Tuned the secrets engine at: pki/

Example 3: Verify configuration after tuning

vhsm read sys/mounts/pki/tune

Output

Key                             Value
---                             -----
audit_non_hmac_request_keys     [common_name]
audit_non_hmac_response_keys    [serial_number]
default_lease_ttl               18h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h

Example 4: Specify multiple non-HMAC audit request keys

vhsm secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/

Available Options

Option

Description

-allowed-response-headers=<string>

Response header values the secrets engine can set. Multiple keys can be provided by using this option multiple times.

-audit-non-hmac-request-keys=<string>

Request data keys excluded from HMAC in audit logs. Use multiple times for multiple keys.

-audit-non-hmac-response-keys=<string>

Response data keys excluded from HMAC in audit logs. Use multiple times for multiple keys.

-default-lease-ttl=<duration>

Default lease TTL for this secrets engine. Uses duration format (e.g., 30m, 12h).

-description=<string>

Updates the human-readable description of the mount.

-listing-visibility=<string>

Controls mount visibility in the UI. Options: "unauth", "hidden". Empty value keeps the current setting.

-max-lease-ttl=<duration>

Maximum lease TTL for the secrets engine. Can override global vHSM settings.

-passthrough-request-headers=<string>

Headers forwarded to the secrets engine. Multiple keys can be specified separately.

-allowed-managed-keys=<string>

Specifies which managed key(s) the mount can access. Use a comma-separated list or multiple instances of the flag.

-plugin-version=<string>

Sets the plugin version for the mount. The mount must be reloaded for changes to take effect.

Previousvhsm secrets move Nextvhsm unwrap

Last updated 11 months ago

Was this helpful?

hashtagUsage

hashtagExamples

hashtagExample1: View current configuration for "pki/"

hashtagExample 2: Tune default lease TTL and exclude fields from HMAC in audit logs

hashtagExample 3: Verify configuration after tuning

hashtagExample 4: Specify multiple non-HMAC audit request keys

hashtagAvailable Options

Usage

Examples

Example1: View current configuration for "pki/"

Example 2: Tune default lease TTL and exclude fields from HMAC in audit logs

Example 3: Verify configuration after tuning

Example 4: Specify multiple non-HMAC audit request keys

Available Options