CLI quickstart

vHSM (Virtual Hardware Security Module) provides cryptographic operations, key management, and secure attestation.

Learn how to create an attestation and verify token issuance from root, while ensuring workloads authenticate through their assigned namespaces.

Prerequisites

  1. Create a namespace named my-namepace , as the default policy associated with it defines access control rules for workloads within this namespace.

vhsm namespace create my-namespace
  1. Run the following command to set up authentication, identities, policies, and attestation.

vhsm nitride init -namespacing @policy.hcl

3. List the attestations that was created

vhsm nitride attestation list

Make a note of the uuid for the attestation

  1. Check if the attestation was successful for the namespace my-namespace .

Note: If the workload in not linked to any attestation provider then you can specify the provider as local-none-debug .

vhsm nitride attestation -provider=<provider-name> report <attestation-profile-uuid>

The output is similar to:

Key                       Value
---                       -----
token                     hvs.CAESICfUzQZIhKaLrARrV_pqyvaofOmfPJgh1OGw7m3o2725GisKKWh2cy5oSlI3a2c2eURrd2FaME9pd3pzckplVWcubXktbmFtZXNwYWNl
token_accessor            oXm454wsdywvqMbPhlp89JIX.my-namespace
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_measurement    none
token_meta_namespace      my-namespace
token_meta_workload       6da1095a-c1f3-463d-bcd1-078af2dc2380
created                   1743154819
description               Add text
events                    http://localhost:8000
name                      Example
namespace                 my-namespace
nonce                     n/a
policy                    test
updated                   1743154948
uuid                      6da1095a-c1f3-463d-bcd1-078af2dc2380

In the output, you can see that token_meta_namespace is set to my-namespace. This confirms that while authenticated to root, the issued token was assigned to my-namespace, indicating that the token was issued from root.

Last updated

Was this helpful?