vhsm operator

The vhsm operator command groups subcommands for vHSM operators to manage and diagnose a vHSM server. These commands are primarily used for initialization, sealing/unsealing, key rotation, leadership management, and diagnostics.

Most end-users will not need to interact with these commands.

Usage

vhsm operator <subcommand> [options] [args]

Subcommands

Examples

Example Output for init

vhsm operator init
Unseal Key 1: sP/4C/fwIDjJmHEC2bi/1Pa43uKhsUQMmiB31GRzFc0R
Unseal Key 2: kHkw2xTBelbDFIMEgEC8NVX7NDSAZ+rdgBJ/HuJwxOX+
Unseal Key 3: +1+1ZnkQDfJFHDZPRq0wjFxEuEEHxDDOQxa8JJ/AYWcb
Unseal Key 4: cewseNJTLovmFrgpyY+9Hi5OgJlJgGGCg7PZyiVdPwN0
Unseal Key 5: wyd7rMGWX5fi0k36X4e+C4myt5CoTmJsHJ0rdYT7BQcF
Initial Root Token: 6662bb4a-afd0-4b6b-faad-e237fb564568

Example: Unseal vHSM server

vhsm operator unseal [options] [KEY]

The unseal command is used to provide a portion of the root key—known as an unseal key—to unseal a vHSM server. By default, vHSM starts in a sealed state and cannot perform any operations until it has been unsealed.

Providing the Unseal Key

You can supply the unseal key directly as a command-line argument:

$ vhsm operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=

⚠️ Note: Supplying the key as a command-line argument is not recommended, as it may be stored in your shell history.

Instead, run the command without arguments. You are securely prompted to enter the key and input is hidden:

$ vhsm operator unseal
Key (will be hidden): ********

Options

This command accepts standard CLI options. Use --help to view available flags:

$ vhsm operator unseal --help