Configuration

To configure the vHSM server, you must first set up Vault. For details on the various parameters you can configure for Vault, refer to the Parameters section.

Example 1: To configure vHSM for file storage and Raft storage cluster

To configure the vHSM, Vault must be set up first. Outside of development mode, Vault servers require a persistent storage method for configuration. This configuration is stored in a JSON file.

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "file" {
  path = "/path/to/file/data"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path = "/path/to/raft/data"
  node_id = "raft_node_id"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"

Example 2 : To a configure vHSM CLI for attesting

To set up the vHSM CLI with an attestation provider, configure it to verify a fresh report for the specified workload, ensuring the response includes an authentication token for the vHSM instance.

#cloud-config
runcmd:
  - |
    (
    set -eu
    
    export VAULT_ADDR=https://vhsm-staging.enclaive.cloud
    
    WORKLOAD=13e1c839-7981-4c84-8c0c-28c0c236b6d5
    PROVIDER=azure-sev-snp-vtpm
    
    curl -s -o vhsm "$VAULT_ADDR/static/vhsm" && chmod +x vhsm
    
    ./vhsm nitride attestation report -provider=$PROVIDER $WORKLOAD
    ) >enclaive.log 2>&1