vHSM Server Configuration

Explore example configurations for setting up vHSM storage and configuring the vHSM CLI for attestation.

To configure the vHSM server, you must first set up Vault. For details on the various parameters you can configure for Vault, refer to the Parameters section.

Note: After you create the configuration file, pass the -config flag to the vhsm server command with the path to that configuration file (HCL or JSON).

Example 1: To configure vHSM for file storage and Raft storage cluster

To configure the vHSM, Vault must be set up first. Outside of development mode, Vault servers require a persistent storage method for configuration. This configuration is stored in a configuration file; Vault accepts HCL (as in the example below) or JSON.

ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "file" {
  path = "/path/to/file/data"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

plugin_directory = "/vault/plugins"
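The example above keeps disable_mlock = true, which allows the operating system to page Vault's in-memory secrets to swap, and it relies on the tcp listener naming a certificate and key. The following pre-flight check is an added example, not part of the vHSM documentation or the vhsm tool: it greps a server configuration file for the settings that most often weaken protection of key material and prints one finding per line. The two sample configurations it writes are constructed for the demonstration (the first mirrors the example above), and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the vHSM docs): pre-flight lint for a vHSM/Vault
# server configuration file, run before `vhsm server -config <file>`.
# It uses grep over the HCL text rather than a real HCL parser, so nested
# or unusually formatted blocks may need a manual look.

# Print one finding per line for the config file given as $1.
# Returns 0 when nothing was flagged, 1 otherwise.
lint_vhsm_config() {
  cfg="$1"
  flagged=0

  # disable_mlock = true lets the OS swap in-memory secrets to disk.
  if grep -Eq '^[[:space:]]*disable_mlock[[:space:]]*=[[:space:]]*true' "$cfg"; then
    echo "WARN disable_mlock=true: secrets may be paged to swap; keep mlock or use encrypted swap"
    flagged=1
  fi

  # A listener with TLS disabled sends tokens and unseal material in clear text.
  if grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*(true|1|"true"|"1")' "$cfg"; then
    echo "WARN tls_disable set on a listener: API traffic would be unencrypted"
    flagged=1
  fi

  # Every tcp listener should name a certificate chain and a private key.
  if grep -Eq '^[[:space:]]*listener[[:space:]]+"tcp"' "$cfg"; then
    for key in tls_cert_file tls_key_file; do
      if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$cfg"; then
        echo "WARN tcp listener without $key"
        flagged=1
      fi
    done
  fi

  # api_addr and cluster_addr are advertised to clients and peers; they must be https.
  if grep -Eq '^[[:space:]]*(api_addr|cluster_addr)[[:space:]]*=[[:space:]]*"http:' "$cfg"; then
    echo "WARN api_addr or cluster_addr uses plain http"
    flagged=1
  fi

  return $flagged
}

# Constructed sample 1: the configuration shown on this page.
SAMPLE_CFG="${TMPDIR:-/tmp}/vhsm-lint-sample-$$.hcl"
cat > "$SAMPLE_CFG" <<'EOF'
ui            = true
cluster_addr  = "https://127.0.0.1:8201"
api_addr      = "https://127.0.0.1:8200"
disable_mlock = true

storage "file" {
  path = "/path/to/file/data"
}

listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/path/to/full-chain.pem"
  tls_key_file  = "/path/to/private-key.pem"
}
EOF

# Constructed sample 2: a deliberately weak configuration for comparison.
WEAK_CFG="${TMPDIR:-/tmp}/vhsm-lint-weak-$$.hcl"
cat > "$WEAK_CFG" <<'EOF'
disable_mlock = true
api_addr      = "http://0.0.0.0:8200"

storage "file" {
  path = "/path/to/file/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}
EOF

for cfg in "$SAMPLE_CFG" "$WEAK_CFG"; do
  echo "== $cfg"
  if lint_vhsm_config "$cfg"; then
    echo "no findings"
  fi
done
```

Run it as-is to see the page's own configuration flagged only for disable_mlock, while the weak sample is flagged for the missing TLS files, the disabled TLS and the plain-http advertised address as well.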

Example 2: To configure the vHSM CLI for attestation

To set up the vHSM CLI with an attestation provider, configure it to verify a fresh report for the specified workload, ensuring the response includes an authentication token for the vHSM instance.

#cloud-config
runcmd:
  - |
    (
    set -eu
    
    export VAULT_ADDR=https://vhsm-staging.enclaive.cloud
    
    WORKLOAD=13e1c839-7981-4c84-8c0c-28c0c236b6d5
    PROVIDER=azure-sev-snp-vtpm
    
    curl -s -o vhsm "$VAULT_ADDR/static/vhsm" && chmod +x vhsm
    
    ./vhsm nitride attestation report -provider=$PROVIDER $WORKLOAD
    ) >enclaive.log 2>&1
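The cloud-config above downloads the vhsm binary with curl and executes it immediately, so the host trusts whatever the HTTPS endpoint returns. The script below is an added example, not part of the vHSM documentation or the vhsm tool: it performs the same steps but pins the expected SHA-256 of the binary and refuses to run it on a mismatch. VAULT_ADDR, the workload id and the provider are the values from the page; VHSM_SHA256 is a placeholder that the operator must fill in from a trusted source (the page gives no checksum), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the vHSM docs): fetch the vhsm CLI with a pinned
# checksum before requesting an attestation report, failing closed on mismatch.

# Print the SHA-256 of file $1, using whichever tool the image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when file $1 hashes to the hex digest $2 (case-insensitive).
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha256_of "$1")
  [ "$actual" = "$expected" ]
}

# Download $1 to $2, keep it only if it matches digest $3, then mark executable.
fetch_vhsm_verified() {
  url="$1"; dest="$2"; expected="$3"
  tmp="$dest.tmp.$$"
  # --proto '=https' rejects any redirect to plain http; -f turns HTTP errors into failures.
  if ! curl -fsS --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    echo "download of $url failed" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url (got $(sha256_of "$tmp")); refusing to run it" >&2
    rm -f "$tmp"
    return 1
  fi
  chmod 0755 "$tmp" && mv "$tmp" "$dest"
}

# Same sequence as the page's runcmd, with the verified download in place of curl|chmod.
bootstrap_vhsm() {
  export VAULT_ADDR=https://vhsm-staging.enclaive.cloud   # value from the page
  WORKLOAD=13e1c839-7981-4c84-8c0c-28c0c236b6d5           # value from the page
  PROVIDER=azure-sev-snp-vtpm                            # value from the page
  # Placeholder: the published SHA-256 of the vhsm binary is not given on the page.
  VHSM_SHA256="${VHSM_SHA256:?set VHSM_SHA256 to the published digest of the vhsm binary}"

  fetch_vhsm_verified "$VAULT_ADDR/static/vhsm" ./vhsm "$VHSM_SHA256"
  ./vhsm nitride attestation report -provider="$PROVIDER" "$WORKLOAD"
}

# Only run the network steps when explicitly asked, so the file can be sourced
# for its helpers. In cloud-config this would be the body of the runcmd entry.
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
  ( set -eu; bootstrap_vhsm ) >enclaive.log 2>&1
fi
```

Set VHSM_SHA256 from the digest published alongside the release and RUN_BOOTSTRAP=1 to execute the download; on any mismatch the partial file is removed and the attestation step never runs, and the reason is recorded in enclaive.log.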
