Registering a buckypaper plugin

Learn how to register a buckypaper plugin in a vHSM server.

The Buckypaper plugin is a secrets engine that provides a secure and efficient way to manage cryptographic keys within vHSM. By default, this plugin is enabled in vault.enclaive.cloud, allowing you to generate, store, and manage cryptographic keys. For more information about using this secrets engine to pass a root admin password, see Provisioning MariaDB Password on Azure DCXas_v5 VM.

Prerequisites

  • Install Docker

  • Set the environment variable for ENCLAIVE_LICENCE

  • Download the vHSM docker image

  • Download the vHSM CLI

To register a buckypaper plugin in a Docker container running vHSM:

  1. Get the SHA of the plugin using: docker run --rm -it --entrypoint sha256sum harbor.enclaive.cloud/vhsm/vhsm:latest /vault/plugins/vault-plugin-secrets-buckypaper

  2. Create a config.json file that provides the path for the plugins directory.

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

api_addr = "http://0.0.0.0:8200"
plugin_directory = "/vault/plugins"
disable_mlock = true

storage "file" {
  path = "/vault/data"
}
  3. Start the vHSM server with the configuration parameters that you defined in the config.json file.

docker run --rm -it \
  -v ./config.json:/config.json \
  -p 8200:8200 \
  -e ENCLAIVE_LICENCE=$ENCLAIVE_LICENCE \
  harbor.enclaive.cloud/vhsm/vhsm:latest \
  server -config=/config.json

The output is similar to:

No usage registration configured for this binary.
==> vHSM server configuration:

Administrative Namespace: 
             Api Address: http://0.0.0.0:8200
                     Cgo: enabled
         Cluster Address: https://0.0.0.0:8201
   Environment Variables: ENCLAIVE_LICENCE, GODEBUG, HOME, HOSTNAME, NAME, PATH, PWD, SHLVL, TERM
              Go Version: go1.23.7
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: 
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vhsm v1.4.2-1 heads/feature/update-0-g251e70f 2025-04-01T12:51:26+00:00, built 2025-04-01T14:49:46Z
             Version Sha: 251e70fd90b75d4c66b89584a1cc8a61db79182e+CHANGES

==> vHSM server started! Log data will stream in below:

2025-04-02T06:08:14.213Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2025-04-02T06:08:14.214Z [INFO]  core: Initializing version history cache for core
Attempting auto-setup with enclaive tooling
Processed all sealed shards
2025-04-02T06:09:54.051Z [INFO]  core: security barrier not initialized
2025-04-02T06:09:54.051Z [INFO]  core: seal configuration missing, not initialized
2025-04-02T06:10:26.061Z [INFO]  core: security barrier not initialized
  4. In a different terminal, set the environment variable with export VAULT_ADDR='http://127.0.0.1:8200' and log in using the root token for the vHSM server.

  5. Register the plugin with the following command, replacing <sha-digest> with the SHA-256 digest you noted in step 1:

vhsm plugin register -sha256=<sha-digest> secret vault-plugin-secrets-buckypaper

The output is:

Success! Registered plugin: vault-plugin-secrets-buckypaper
  6. Verify that the plugin is listed in the vHSM server using the command: vhsm plugin list

  7. Enable the buckypaper secrets engine using the command: vhsm secrets enable buckypaper

  8. Verify that it is listed under secrets using the command: vhsm secrets list

The output is:

Path           Type                               Accessor                                    Description
----           ----                               --------                                    -----------
buckypaper/    vault-plugin-secrets-buckypaper    vault-plugin-secrets-buckypaper_7e973220    n/a
cubbyhole/     cubbyhole                          cubbyhole_5769dce0                          per-token private secret storage
identity/      identity                           identity_6eafac39                           identity store
sys/           system                             system_1b5a77e2                             system endpoints used for control, policy and debugging
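The same registration sequence as one script, added here as an example (it is not code from the vHSM documentation or the enclaive project). It assumes docker and the vhsm CLI are on PATH, that VAULT_ADDR is set and a root login is in place, and that the server is already running; the helper names digest_from_sha256sum, mount_type and register_buckypaper are this example's own. Threading the digest from the image straight into vhsm plugin register means the server only ever loads the binary that was actually hashed, and the final check confirms the mount carries the expected plugin type.

```shell
#!/bin/sh
# Added example, not part of the vHSM documentation: automate steps 1 and 5-8 so the
# digest given to `vhsm plugin register` is always the one computed from the binary
# inside the image, and verify the resulting mount afterwards.
set -eu

IMAGE="${IMAGE:-harbor.enclaive.cloud/vhsm/vhsm:latest}"
PLUGIN="vault-plugin-secrets-buckypaper"
PLUGIN_PATH="/vault/plugins/$PLUGIN"

# Pull the 64-hex digest out of a `sha256sum` line ("<digest>  <path>").
# Returns non-zero if the text is not a well-formed SHA-256 hex digest.
digest_from_sha256sum() {
  d="${1%% *}"
  case "$d" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#d}" -eq 64 ] || return 1
  printf '%s\n' "$d"
}

# Print the Type column of `vhsm secrets list` output for a mount path such as
# buckypaper/; prints nothing when that path is not mounted.
mount_type() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2; exit }'
}

# Live procedure: hash the plugin in the image, register it under that digest,
# enable the engine and confirm the mount type (hypothetical helper, see lead-in).
register_buckypaper() {
  digest=$(docker run --rm --entrypoint sha256sum "$IMAGE" "$PLUGIN_PATH")
  digest=$(digest_from_sha256sum "$digest")
  vhsm plugin register -sha256="$digest" secret "$PLUGIN"
  vhsm secrets enable buckypaper
  actual=$(mount_type "$(vhsm secrets list)" buckypaper/)
  if [ "$actual" != "$PLUGIN" ]; then
    echo "buckypaper/ is not mounted with type $PLUGIN (got '${actual:-none}')" >&2
    return 1
  fi
  echo "buckypaper/ mounted, plugin pinned to sha256 $digest"
}

# Run the live procedure only when a function name is passed as an argument.
if [ "$#" -gt 0 ]; then
  "$@"
fi
```

Invoke it as sh register-buckypaper.sh register_buckypaper once the server is running and you are logged in with the root token; with no arguments the script only defines the helpers.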
Note: Verify the status of the vHSM server and initialize it or unseal it if necessary.