# vhsm unwrap

The `unwrap` command unwraps a wrapped secret from vHSM using a wrapping token. The operation is functionally equivalent to a `vhsm read` on the original secret. It is commonly used for secure transmission of sensitive information, such as credentials or temporary tokens.

If no token is provided, the unwrap operation will attempt to unwrap the secret associated with the currently authenticated token.

**Usage**

```bash
vhsm unwrap [options] [TOKEN]
```

* `TOKEN`: (Optional) The wrapping token to unwrap. If omitted, the current authentication token is used.

**Examples**

* Unwrap a wrapped secret using a specific token:

```bash
vhsm unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
```

* Unwrap the secret associated with the currently authenticated token:

```bash
vhsm login 848f9ccf-7176-098c-5e2b-75a0689d41cd
vhsm unwrap
```

**HTTP Options**

| Option                      | Description                                                                                                                                    |
| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `-address=<string>`         | Address of the vHSM server. Default: `https://127.0.0.1:8200`. Can also be set via `VAULT_ADDR`.                                               |
| `-agent-address=<string>`   | Address of the Agent. Also configurable via `VAULT_AGENT_ADDR`.                                                                                |
| `-ca-cert=<string>`         | Path to a PEM-encoded CA certificate file to verify the vHSM server's certificate. Overrides `-ca-path`. Also configurable via `VAULT_CACERT`. |
| `-ca-path=<string>`         | Path to a directory of PEM-encoded CA certificates. Also configurable via `VAULT_CAPATH`.                                                      |
| `-client-cert=<string>`     | Path to a client certificate for TLS authentication. Requires `-client-key`. Also settable via `VAULT_CLIENT_CERT`.                            |
| `-client-key=<string>`      | Path to the private key matching the `-client-cert`. Also settable via `VAULT_CLIENT_KEY`.                                                     |
| `-disable-redirects`        | Prevents following HTTP redirects. Default is `false`. Also configurable via `VAULT_DISABLE_REDIRECTS`.                                        |
| `-header=<key=value>`       | Additional HTTP headers (cannot start with `X-Vault-`). Can be specified multiple times.                                                       |
| `-mfa=<string>`             | Multi-Factor Authentication credentials. Also settable via `VAULT_MFA`.                                                                        |
| `-namespace=<string>`       | Namespace to use. Shortcut: `-ns`. Also settable via `VAULT_NAMESPACE`.                                                                        |
| `-non-interactive`          | Disables interactive prompts. Useful for automation. Default is `false`.                                                                       |
| `-output-curl-string`       | Prints an equivalent `curl` command instead of executing.                                                                                      |
| `-output-policy`            | Prints an example HCL policy required for this command.                                                                                        |
| `-policy-override`          | Overrides soft-mandatory Sentinel policies.                                                                                                    |
| `-tls-server-name=<string>` | Sets the SNI host for TLS. Also settable via `VAULT_TLS_SERVER_NAME`.                                                                          |
| `-tls-skip-verify`          | Skips TLS certificate verification. **Not recommended.** Also settable via `VAULT_SKIP_VERIFY`.                                                |
| `-unlock-key=<string>`      | Key used to unlock a namespace API lock.                                                                                                       |
| `-wrap-ttl=<duration>`      | Wraps the response in a cubbyhole token with a TTL (e.g., `30s`, `5m`). Also settable via `VAULT_WRAP_TTL`.                                    |

**Output Options**

| Option             | Description                                                                                                                               |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `-field=<string>`  | Output only a specific field. No trailing newline. Useful for piping output.                                                              |
| `-format=<string>` | Output format: `table`, `json`, `yaml`, `pretty`. Default is `table`. Settable via `VAULT_FORMAT`. `raw` is allowed only for `vhsm read`. |
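
One way to consume a wrapping token from a script with the `-non-interactive` and `-field` options documented above. This is an added example, not code from the vHSM project; the function name `unwrap_field` and the field name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: unwrap one field of a wrapped secret without prompting
# and without writing the value to logs.
# Assumed names (not from the page): unwrap_field, the "password" field.

# unwrap_field TOKEN FIELD
#   stdout: the field value (no trailing newline)
#   return: 0 on success, 1 if the unwrap failed or the field is empty,
#           2 on bad arguments or an unsafe TLS setting
unwrap_field() {
    uf_token="$1"
    uf_field="$2"

    if [ -z "$uf_token" ] || [ -z "$uf_field" ]; then
        echo "usage: unwrap_field TOKEN FIELD" >&2
        return 2
    fi

    # Refuse to fetch a secret with certificate verification switched off.
    # Conservative choice: anything other than an explicit false counts as on.
    case "${VAULT_SKIP_VERIFY:-}" in
        ''|0|f|F|false|FALSE|False) ;;
        *) echo "refusing: VAULT_SKIP_VERIFY is enabled" >&2; return 2 ;;
    esac

    # -non-interactive: never block a pipeline on a prompt.
    # -field: print only the requested value, ready for capture.
    if ! uf_value="$(vhsm unwrap -non-interactive -field="$uf_field" "$uf_token")"; then
        # Report the failure, never the token or any partial value.
        echo "unwrap failed (token and value not logged)" >&2
        return 1
    fi

    if [ -z "$uf_value" ]; then
        echo "field '$uf_field' is empty or missing" >&2
        return 1
    fi

    printf '%s' "$uf_value"
}

# Usage (constructed): DB_PASSWORD="$(unwrap_field "$WRAPPING_TOKEN" password)"
```

Capture the result in a variable rather than echoing it, and treat a non-zero return as a reason to stop the job and check who else held the wrapping token.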


