# Registering a buckypaper plugin

The Buckypaper plugin is a secrets engine that provides a secure and efficient way to manage cryptographic keys within vHSM.

#### Prerequisites

* Install Docker
* Set the environment variable for `ENCLAIVE_LICENCE`
* Download the vHSM docker image
* Download the vHSM CLI

To register a buckypaper plugin in a Docker container running vHSM:

1. Get the SHA-256 digest of the plugin binary using: `docker run --rm -it --entrypoint sha256sum harbor.enclaive.cloud/vhsm/vhsm:latest /vault/plugins/vault-plugin-secrets-buckypaper`
2. Create a `config.json` file that provides the path for the plugins directory.

```
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true
}

api_addr = "http://0.0.0.0:8200"
plugin_directory = "/vault/plugins"
disable_mlock = true

storage "file" {
  path = "/vault/data"
}
```

3. Start the vHSM server with the configuration parameters that you defined in the `config.json` file.

```
docker run --rm -it \
  -v ./config.json:/config.json \
  -p 8200:8200 \
  -e ENCLAIVE_LICENCE=$ENCLAIVE_LICENCE \
  harbor.enclaive.cloud/vhsm/vhsm:latest \
  server -config=/config.json
```

The output is similar to:

```
No usage registration configured for this binary.
==> vHSM server configuration:

Administrative Namespace: 
             Api Address: http://0.0.0.0:8200
                     Cgo: enabled
         Cluster Address: https://0.0.0.0:8201
   Environment Variables: ENCLAIVE_LICENCE, GODEBUG, HOME, HOSTNAME, NAME, PATH, PWD, SHLVL, TERM
              Go Version: go1.23.7
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: 
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vhsm v1.4.2-1 heads/feature/update-0-g251e70f 2025-04-01T12:51:26+00:00, built 2025-04-01T14:49:46Z
             Version Sha: 251e70fd90b75d4c66b89584a1cc8a61db79182e+CHANGES

==> vHSM server started! Log data will stream in below:

2025-04-02T06:08:14.213Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2025-04-02T06:08:14.214Z [INFO]  core: Initializing version history cache for core
Attempting auto-setup with enclaive tooling
Processed all sealed shards
2025-04-02T06:09:54.051Z [INFO]  core: security barrier not initialized
2025-04-02T06:09:54.051Z [INFO]  core: seal configuration missing, not initialized
2025-04-02T06:10:26.061Z [INFO]  core: security barrier not initialized
```

{% hint style="info" %}
**Note**: Verify the [status of the vhsm](/virtual-hsm/cli/server-and-infrastructure-management/vhsm-status.md) server and [initialize it or unseal](/virtual-hsm/cli/configuration-and-management/vhsm-operator.md) if necessary.
{% endhint %}

4. In a different terminal, set the environment variable with `export VAULT_ADDR='http://127.0.0.1:8200'` and log in using the root token for the vHSM server.
5. Register the plugin. In the following command, replace `<sha-digest>` with the SHA digest that you noted after downloading the plugin binary.

```
vhsm plugin register -sha256=<sha-digest> secret vault-plugin-secrets-buckypaper
```

The output is:

```
Success! Registered plugin: vault-plugin-secrets-buckypaper
```

6. Verify that the plugin is listed in the vHSM server using the command: `vhsm plugin list`.
7. Enable the buckypaper secret engine using the command: `vhsm secrets enable buckypaper`
8. Verify that it is listed under secrets, using the command: `vhsm secrets list`

The output is:

```
Path           Type                               Accessor                                    Description
----           ----                               --------                                    -----------
buckypaper/    vault-plugin-secrets-buckypaper    vault-plugin-secrets-buckypaper_7e973220    n/a
cubbyhole/     cubbyhole                          cubbyhole_5769dce0                          per-token private secret storage
identity/      identity                           identity_6eafac39                           identity store
sys/           system                             system_1b5a77e2                             system endpoints used for control, policy and debugging
```
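The digest from step 1 has to reach the register command in step 5 unchanged. The following shell helper is an added example, not part of the enclaive documentation: it takes the digest from the `sha256sum` output, strips the carriage return that `docker run -t` appends, and rejects anything that is not a single well-formed line for the expected plugin path. The function names, the `--register` switch and the sample digest (SHA-256 of empty input) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: digest handling for steps 1 and 5 of the procedure above.
IMAGE=harbor.enclaive.cloud/vhsm/vhsm:latest
PLUGIN_PATH=/vault/plugins/vault-plugin-secrets-buckypaper
PLUGIN_NAME=vault-plugin-secrets-buckypaper

# Constructed sample: SHA-256 of empty input, NOT the real plugin digest.
# The trailing \r mimics what a TTY (`docker run -it`) adds to each line.
SAMPLE_DIGEST=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SAMPLE_LINE=$(printf '%s  %s\r' "$SAMPLE_DIGEST" "$PLUGIN_PATH")

# extract_digest EXPECTED_PATH
# Reads `sha256sum` output on stdin and prints the digest. Fails unless there
# is exactly one line, it names EXPECTED_PATH, and the digest is 64 lowercase
# hex characters. The ( ) body keeps the variables local to the function.
extract_digest() (
  expected_path=$1
  lines=$(tr -d '\r' | sed '/^$/d')            # drop CRs and blank lines
  [ "$(printf '%s\n' "$lines" | wc -l)" -eq 1 ] || exit 1
  digest=${lines%% *}                          # text before the first space
  path=${lines#* ?}                            # text after "  " or " *"
  [ "$path" = "$expected_path" ] || exit 1
  printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$' || exit 1
  printf '%s\n' "$digest"
)

# register_buckypaper: hash the plugin inside the image, then register it.
# Requires VAULT_ADDR to be set and a logged-in session (step 4).
register_buckypaper() {
  # No -t here: without a TTY the output carries no carriage returns at all.
  digest=$(docker run --rm --entrypoint sha256sum "$IMAGE" "$PLUGIN_PATH" \
             | extract_digest "$PLUGIN_PATH") || {
    echo "could not obtain a valid SHA-256 digest for $PLUGIN_PATH" >&2
    return 1
  }
  vhsm plugin register -sha256="$digest" secret "$PLUGIN_NAME"
}

# Only contact Docker and vHSM when explicitly asked to.
if [ "${1:-}" = "--register" ]; then
  register_buckypaper
fi
```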

By default, the Buckypaper plugin is enabled in [vault.enclaive.cloud](https://vault.enclaive.cloud/ui/vault/secrets), allowing you to generate, store, and manage cryptographic keys seamlessly. For more information about using this secrets engine to pass the root admin password, see [Provisioning MariaDB Password on Azure DCXas\_v5 VM](/virtual-hsm/tutorials/provisioning-mariadb-password-on-azure-dcxas_v5-vm.md).

