# vhsm secrets tune

The `vhsm secrets tune` command modifies the configuration settings for a secrets engine at a specified path. This does not modify the secrets engine type but updates its configuration parameters.

{% hint style="info" %}
Before tuning, check the current configuration using: `vhsm read sys/mounts/<path>/tune`
{% endhint %}

### **Usage**

```sh
vhsm secrets tune [options] <path>
```

### **Examples**

#### **Example 1: View current configuration for "pki/"**

```sh
vhsm read sys/mounts/pki/tune
```

**Output**

```
Key                             Value
---                             -----
default_lease_ttl               12h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h
```

#### **Example 2: Tune default lease TTL and exclude fields from HMAC in audit logs**

```sh
vhsm secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/
```

**Output**

```
Success! Tuned the secrets engine at: pki/
```

#### **Example 3: Verify configuration after tuning**

```sh
vhsm read sys/mounts/pki/tune
```

**Output**

```
Key                             Value
---                             -----
audit_non_hmac_request_keys     [common_name]
audit_non_hmac_response_keys    [serial_number]
default_lease_ttl               18h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h
```

#### **Example 4: Specify multiple non-HMAC audit request keys**

```sh
vhsm secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
```

***

### **Available Options**

| Option                                   | Description                                                                                                                |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `-allowed-response-headers=<string>`     | Response header values the secrets engine can set. Multiple keys can be provided by using this option multiple times.      |
| `-audit-non-hmac-request-keys=<string>`  | Request data keys **excluded** from HMAC in audit logs. Use multiple times for multiple keys.                              |
| `-audit-non-hmac-response-keys=<string>` | Response data keys **excluded** from HMAC in audit logs. Use multiple times for multiple keys.                             |
| `-default-lease-ttl=<duration>`          | Default lease TTL for this secrets engine. Uses duration format (e.g., `30m`, `12h`).                                      |
| `-description=<string>`                  | Updates the human-readable description of the mount.                                                                       |
| `-listing-visibility=<string>`           | Controls mount visibility in the UI. Options: `"unauth"`, `"hidden"`. Empty value keeps the current setting.               |
| `-max-lease-ttl=<duration>`              | Maximum lease TTL for the secrets engine. Can **override** global vHSM settings.                                           |
| `-passthrough-request-headers=<string>`  | Headers forwarded to the secrets engine. Multiple keys can be specified separately.                                        |
| `-allowed-managed-keys=<string>`         | Specifies which managed key(s) the mount can access. Use a **comma-separated** list or **multiple instances** of the flag. |
| `-plugin-version=<string>`               | Sets the plugin version for the mount. The mount must be reloaded for changes to take effect.                              |
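
A check to run on the Example 3 output after tuning, added here as an example and not part of the vHSM documentation or tooling: it parses the table format shown above and flags any key excluded from HMAC that is not on an allowlist, and a `max_lease_ttl` above a ceiling (relevant because a mount's maximum can override the global setting). `ALLOWED_NON_HMAC`, `MAX_TTL_CEILING`, the function names, the sample table, and the space- or comma-separated form of multi-key lists are assumptions.

```sh
# Policy check over the table printed by `vhsm read sys/mounts/<path>/tune`.
# Both policy values are hypothetical site choices, not vHSM settings.
ALLOWED_NON_HMAC="common_name serial_number"  # keys accepted as non-HMAC
MAX_TTL_CEILING=86400                         # ceiling for max_lease_ttl (24h)

# Convert a single-unit duration (45s, 30m, 12h) to seconds. Prints nothing
# for any other form, so the caller skips the comparison.
ttl_to_seconds() {
  n=${1%[smh]}
  case "$n" in ''|*[!0-9]*) return 0 ;; esac
  case "$1" in
    *h) echo $((n * 3600)) ;;
    *m) echo $((n * 60)) ;;
    *)  echo "$n" ;;
  esac
}

# Read the tune table on stdin, print one FINDING line per violation,
# and return 1 if there was any.
check_tune() {
  bad=0
  while read -r key value; do
    case "$key" in
      audit_non_hmac_request_keys|audit_non_hmac_response_keys)
        value=${value#\[}; value=${value%\]}
        # Assumption: several keys are separated by spaces or commas.
        for k in $(printf '%s' "$value" | tr ',' ' '); do
          case " $ALLOWED_NON_HMAC " in
            *" $k "*) ;;
            *) echo "FINDING: $key lists '$k', not on the allowlist"; bad=1 ;;
          esac
        done ;;
      max_lease_ttl)
        secs=$(ttl_to_seconds "$value")
        if [ -n "$secs" ] && [ "$secs" -gt "$MAX_TTL_CEILING" ]; then
          echo "FINDING: max_lease_ttl $value exceeds the ceiling"; bad=1
        fi ;;
    esac
  done
  return "$bad"
}

# Constructed sample: Example 3's output with `ttl` added and a 48h maximum.
sample_tune_output() {
  printf '%s\n' 'Key                             Value' \
    '---                             -----' \
    'audit_non_hmac_request_keys     [common_name ttl]' \
    'audit_non_hmac_response_keys    [serial_number]' \
    'max_lease_ttl                   48h'
}
sample_tune_output | check_tune || true
```

Against a live mount, pipe the real command into the function: `vhsm read sys/mounts/pki/tune | check_tune`.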

