> For the complete documentation index, see [llms.txt](https://docs.enclaive.cloud/virtual-hsm/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.enclaive.cloud/virtual-hsm/cli/server-and-infrastructure-management/vhsm-server.md). # vhsm server The `vhsm server` command starts a vHSM server that responds to API requests. By default, the server starts in a sealed state, requiring initialization and unsealing before handling requests. * The vHSM cluster must be initialized using `vhsm operator init`. * Each vHSM server must be unsealed using `vhsm operator unseal` or the API before it can process requests. #### Related Commands * `vhsm operator init` – Initialize a new vHSM server. * `vhsm operator unseal` – Unseal a vHSM server. * [vHSM Configuration](/virtual-hsm/documentation/setup/configuration/server.md) – Detailed configuration options for a vHSM server. ### Usage ```sh vhsm server [options] ``` ### Examples Start a vHSM server with a configuration file ```sh vhsm server -config=/etc/vault/config.json ``` Run in "dev" mode with a custom initial root token ```sh vhsm server -dev -dev-root-token-id="root" ``` *** ### Options #### General server options | Flag | Description | Default | | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | | `-config` (string) | Path to a configuration file or directory. Can be specified multiple times. Supports `.hcl` and `.json` files. | `""` | | `-log-level` (string) | Log verbosity level: `trace`, `debug`, `info`, `warn`, `error`. Can also be set via `VAULT_LOG_LEVEL`. | `"info"` | | `-log-format` (string) | Log format: `standard` or `json`. Can also be set via `VAULT_LOG_FORMAT`. | `"standard"` | | `-log-file` (string) | Prefix for the log file name. Timestamp is appended automatically. | `""` | | `-log-rotate-bytes` (int) | Maximum log file size in bytes before rotation. No limit if unspecified. | `""` | | `-log-rotate-duration` (string) | Maximum log file duration before rotation (e.g., `30s`, `24h`). Defaults to `24h`. | `"24h"` | | `-log-rotate-max-files` (int) | Maximum number of archived log files to retain. Set to `-1` to discard old logs. | `0` (keeps all logs) | | `-experiment` (string array) | Enables experimental features (not recommended for production). Can be set multiple times. Also configurable via `VAULT_EXPERIMENTS`. | `[]` | #### Environment variable | Variable | Description | Default | | ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` (bool) | Allows starting vHSM with deprecated engines in the "Pending Removal" state. This is a temporary setting before they are fully removed. | `false` | ### Development mode options | Flag | Description | Default | | ------------------------------ | ---------------------------------------------------------------------------------------------------- | ------------------ | | `-dev` (bool) | Enable development mode (in-memory, unsealed vHSM). Not for production use. | `false` | | `-dev-tls` (bool) | Enable TLS in dev mode (auto-generates CA, cert, and key). **Not for production use.** | `false` | | `-dev-tls-cert-dir` (string) | Directory for generated TLS files (if `-dev-tls` is enabled). Defaults to a temp directory if unset. | `""` | | `-dev-listen-address` (string) | Address to bind in dev mode. Can also be set via `VAULT_DEV_LISTEN_ADDRESS`. | `"127.0.0.1:8200"` | | `-dev-root-token-id` (string) | Custom root token for dev mode. Can also be set via `VAULT_DEV_ROOT_TOKEN_ID`. | `""` | | `-dev-no-store-token` (bool) | Prevents storing the dev root token in the token helper. The token is only displayed in output. | `false` | | `-dev-plugin-dir` (string) | Directory from which plugins are auto-registered in dev mode. | `""` | **Note:** * The `-dev-root-token-id` should not start with the `s.` prefix. * The `-dev` flag enables in-memory mode where vHSM is automatically unsealed, making it insecure for production. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.enclaive.cloud/virtual-hsm/cli/server-and-infrastructure-management/vhsm-server.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.