vhsm server

-config (string)

Path to a configuration file or directory. Can be specified multiple times. Supports .hcl and .json files.

""

-log-level (string)

Log verbosity level: trace, debug, info, warn, error. Can also be set via VAULT_LOG_LEVEL.

"info"

-log-format (string)

Log format: standard or json. Can also be set via VAULT_LOG_FORMAT.

"standard"

-log-file (string)

Prefix for the log file name. Timestamp is appended automatically.

""

-log-rotate-bytes (int)

Maximum log file size in bytes before rotation. No limit if unspecified.

""

-log-rotate-duration (string)

Maximum log file duration before rotation (e.g., 30s, 24h). Defaults to 24h.

"24h"

-log-rotate-max-files (int)

Maximum number of archived log files to retain. Set to -1 to discard old logs.

0 (keeps all logs)

-experiment (string array)

Enables experimental features (not recommended for production). Can be set multiple times. Also configurable via VAULT_EXPERIMENTS.

[]

VAULT_ALLOW_PENDING_REMOVAL_MOUNTS (bool)

Allows starting vHSM with deprecated engines in the "Pending Removal" state. This is a temporary setting before they are fully removed.

false

-dev (bool)

Enable development mode (in-memory, unsealed vHSM). Not for production use.

false

-dev-tls (bool)

Enable TLS in dev mode (auto-generates CA, cert, and key). Not for production use.

false

-dev-tls-cert-dir (string)

Directory for generated TLS files (if -dev-tls is enabled). Defaults to a temp directory if unset.

""

-dev-listen-address (string)

Address to bind in dev mode. Can also be set via VAULT_DEV_LISTEN_ADDRESS.

"127.0.0.1:8200"

-dev-root-token-id (string)

Custom root token for dev mode. Can also be set via VAULT_DEV_ROOT_TOKEN_ID.

""

-dev-no-store-token (bool)

Prevents storing the dev root token in the token helper. The token is only displayed in output.

false

-dev-plugin-dir (string)

Directory from which plugins are auto-registered in dev mode.

""