vHSM Server Configuration

Explore example configurations for setting up vHSM storage and configuring the vHSM CLI for attestation.

Last updated 1 month ago

Was this helpful?

vHSM Server Configuration

Explore example configurations for setting up vHSM storage and configuring the vHSM CLI for attestation.

To configure the vHSM server, you must first set up Vault. For details on the various parameters you can configure for Vault, refer to the section.

Note: After you create the configuration file, -config flag with the vhsm server command and specify the path to the configuration JSON file.

Example 1: To configure vHSM for file storage and Raft storage cluster

To configure the vHSM, Vault must be set up first. Outside of development mode, Vault servers require a persistent storage method for configuration. This configuration is stored in a JSON file.

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "file" {
  path = "/path/to/file/data"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path = "/path/to/raft/data"
  node_id = "raft_node_id"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"

Example 2 : To a configure vHSM CLI for attesting

To set up the vHSM CLI with an attestation provider, configure it to verify a fresh report for the specified workload, ensuring the response includes an authentication token for the vHSM instance.

#cloud-config
runcmd:
  - |
    (
    set -eu
    
    export VAULT_ADDR=https://vhsm-staging.enclaive.cloud
    
    WORKLOAD=13e1c839-7981-4c84-8c0c-28c0c236b6d5
    PROVIDER=azure-sev-snp-vtpm
    
    curl -s -o vhsm "$VAULT_ADDR/static/vhsm" && chmod +x vhsm
    
    ./vhsm nitride attestation report -provider=$PROVIDER $WORKLOAD
    ) >enclaive.log 2>&1

PreviousInstall NextParameters

Last updated 1 month ago

Was this helpful?

To configure the vHSM server, you must first set up Vault. For details on the various parameters you can configure for Vault, refer to the section.

Note: After you create the configuration file, -config flag with the vhsm server command and specify the path to the configuration JSON file.

Example 1: To configure vHSM for file storage and Raft storage cluster

To configure the vHSM, Vault must be set up first. Outside of development mode, Vault servers require a persistent storage method for configuration. This configuration is stored in a JSON file.

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "file" {
  path = "/path/to/file/data"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "raft" {
  path = "/path/to/raft/data"
  node_id = "raft_node_id"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"

Example 2 : To a configure vHSM CLI for attesting

To set up the vHSM CLI with an attestation provider, configure it to verify a fresh report for the specified workload, ensuring the response includes an authentication token for the vHSM instance.

#cloud-config
runcmd:
  - |
    (
    set -eu
    
    export VAULT_ADDR=https://vhsm-staging.enclaive.cloud
    
    WORKLOAD=13e1c839-7981-4c84-8c0c-28c0c236b6d5
    PROVIDER=azure-sev-snp-vtpm
    
    curl -s -o vhsm "$VAULT_ADDR/static/vhsm" && chmod +x vhsm
    
    ./vhsm nitride attestation report -provider=$PROVIDER $WORKLOAD
    ) >enclaive.log 2>&1