Registering a buckypaper plugin

Learn how to register a buckypaper plugin in a vHSM server.

The Buckypaper plugin is a secrets engine that provides a secure and efficient way to manage cryptographic keys within vHSM .

Prerequisites

Install Docker
Set the environment variable for ENCLAIVE_LICENCE
Download the vHSM docker image
Download the vHSM CLl

To register a buckypaper plugin in a Docker container running vHSM:

Get the SHA of the plugin using: docker run --rm -it --entrypoint sha256sum harbor.enclaive.cloud/vhsm/vhsm:latest /vault/plugins/vault-plugin-secrets-buckypaper
Create a config.json file that provides the path for the plugins directory.

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

api_addr = "http://0.0.0.0:8200"
plugin_directory = "/vault/plugins"
disable_mlock = true

storage "file" {
  path = "/vault/data"
}

Start the vHSM server with the configuration parameters that you defined in the config.json file.

docker run --rm -it \
  -v ./config.json:/config.json \
  -p 8200:8200 \
  -e ENCLAIVE_LICENCE=$ENCLAIVE_LICENCE \
  harbor.enclaive.cloud/vhsm/vhsm:latest \
  server -config=/config.json

The output is similar to:

No usage registration configured for this binary.
==> vHSM server configuration:

Administrative Namespace: 
             Api Address: http://0.0.0.0:8200
                     Cgo: enabled
         Cluster Address: https://0.0.0.0:8201
   Environment Variables: ENCLAIVE_LICENCE, GODEBUG, HOME, HOSTNAME, NAME, PATH, PWD, SHLVL, TERM
              Go Version: go1.23.7
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: 
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vhsm v1.4.2-1 heads/feature/update-0-g251e70f 2025-04-01T12:51:26+00:00, built 2025-04-01T14:49:46Z
             Version Sha: 251e70fd90b75d4c66b89584a1cc8a61db79182e+CHANGES

==> vHSM server started! Log data will stream in below:

2025-04-02T06:08:14.213Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2025-04-02T06:08:14.214Z [INFO]  core: Initializing version history cache for core
Attempting auto-setup with enclaive tooling
Processed all sealed shards
2025-04-02T06:09:54.051Z [INFO]  core: security barrier not initialized
2025-04-02T06:09:54.051Z [INFO]  core: seal configuration missing, not initialized
2025-04-02T06:10:26.061Z [INFO]  core: security barrier not initialized

In a different terminal, set the environment variable as export VAULT_ADDR='http://127.0.0.1:8200' and login using the root token for the vHSM server.
In the following command ensure that you replace the SHA digest with the one that you made note after downloading the plugin binary to register the plugin.

vhsm plugin register -sha256=<sha-digest> secret vault-plugin-secrets-buckypaper

The output is:

Success! Registered plugin: vault-plugin-secrets-buckypaper

Verify that the plugin is listed in the vHSM server using the command: vhsm plugin list .
Enable the buckypaper secret engine using the command: vhsm secrets enable buckypaper
Verify that it is listed under secrets, using the command: vhsm secrets list

The output is:

Path           Type                               Accessor                                    Description
----           ----                               --------                                    -----------
buckypaper/    vault-plugin-secrets-buckypaper    vault-plugin-secrets-buckypaper_7e973220    n/a
cubbyhole/     cubbyhole                          cubbyhole_5769dce0                          per-token private secret storage
identity/      identity                           identity_6eafac39                           identity store
sys/           system                             system_1b5a77e2                             system endpoints used for control, policy and debugging

PreviousProvisioning MariaDB Password on Azure DCXas_v5 VM NextMonitoring vHSM with Grafana

Last updated 1 month ago

Was this helpful?

listener "tcp" { address = "0.0.0.0:8200" tls_disable = true } api_addr = "http://0.0.0.0:8200" plugin_directory = "/vault/plugins" disable_mlock = true storage "file" { path = "/vault/data" }

No usage registration configured for this binary. ==> vHSM server configuration: Administrative Namespace: Api Address: http://0.0.0.0:8200 Cgo: enabled Cluster Address: https://0.0.0.0:8201 Environment Variables: ENCLAIVE_LICENCE, GODEBUG, HOME, HOSTNAME, NAME, PATH, PWD, SHLVL, TERM Go Version: go1.23.7 Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled") Log Level: Mlock: supported: true, enabled: false Recovery Mode: false Storage: file Version: Vhsm v1.4.2-1 heads/feature/update-0-g251e70f 2025-04-01T12:51:26+00:00, built 2025-04-01T14:49:46Z Version Sha: 251e70fd90b75d4c66b89584a1cc8a61db79182e+CHANGES ==> vHSM server started! Log data will stream in below: 2025-04-02T06:08:14.213Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy="" 2025-04-02T06:08:14.214Z [INFO] core: Initializing version history cache for core Attempting auto-setup with enclaive tooling Processed all sealed shards 2025-04-02T06:09:54.051Z [INFO] core: security barrier not initialized 2025-04-02T06:09:54.051Z [INFO] core: seal configuration missing, not initialized 2025-04-02T06:10:26.061Z [INFO] core: security barrier not initialized

Path Type Accessor Description ---- ---- -------- ----------- buckypaper/ vault-plugin-secrets-buckypaper vault-plugin-secrets-buckypaper_7e973220 n/a cubbyhole/ cubbyhole cubbyhole_5769dce0 per-token private secret storage identity/ identity identity_6eafac39 identity store sys/ system system_1b5a77e2 system endpoints used for control, policy and debugging