vhsm operator

The vhsm operator command groups subcommands for vHSM operators to manage and diagnose a vHSM server. These commands are primarily used for initialization, sealing/unsealing, key rotation, leadership management, and diagnostics.

Most end-users will not need to interact with these commands.

Usage

vhsm operator <subcommand> [options] [args]

Subcommands

Subcommand      Description
diagnose        Troubleshoot problems starting vHSM
generate-root   Generates a new root token
init            Initializes a vHSM server
key-status      Provides information about the active encryption key
members         Returns the list of nodes in the cluster
migrate         Migrates vHSM data between storage backends
raft            Interacts with vHSM's Raft storage backend
rekey           Generates new unseal keys
rotate          Rotates the underlying encryption key
seal            Seals the vHSM server, making it inaccessible
step-down       Forces vHSM to resign active duty
unseal          Unseals the vHSM server
usage           Lists historical client counts

Examples

Action                              Command
Initialize a new cluster            vhsm operator init
Force vHSM to step down as leader   vhsm operator step-down
Rotate vHSM’s encryption key        vhsm operator rotate

Example Output for init

vhsm operator init
Unseal Key 1: sP/4C/fwIDjJmHEC2bi/1Pa43uKhsUQMmiB31GRzFc0R
Unseal Key 2: kHkw2xTBelbDFIMEgEC8NVX7NDSAZ+rdgBJ/HuJwxOX+
Unseal Key 3: +1+1ZnkQDfJFHDZPRq0wjFxEuEEHxDDOQxa8JJ/AYWcb
Unseal Key 4: cewseNJTLovmFrgpyY+9Hi5OgJlJgGGCg7PZyiVdPwN0
Unseal Key 5: wyd7rMGWX5fi0k36X4e+C4myt5CoTmJsHJ0rdYT7BQcF
Initial Root Token: 6662bb4a-afd0-4b6b-faad-e237fb564568

Example: Unseal vHSM server

vhsm operator unseal [options] [KEY]

The unseal command is used to provide a portion of the root key—known as an unseal key—to unseal a vHSM server. By default, vHSM starts in a sealed state and cannot perform any operations until it has been unsealed.

Providing the Unseal Key

You can supply the unseal key directly as a command-line argument:

$ vhsm operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=

⚠️ Note: Supplying the key as a command-line argument is not recommended, as it may be stored in your shell history.

Instead, run the command without arguments. vHSM then prompts for the key and hides the input as you type:

$ vhsm operator unseal
Key (will be hidden): ********
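
To check whether an unseal key has already landed in shell history, the following added example (not part of the vHSM documentation) scans history files for `vhsm operator unseal` followed by a positional argument. It assumes every option starts with `-`; the function names and sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report history lines where an unseal key was passed as an argument.
# Output is "file:line" only, so the key itself is never copied into logs.
find_unseal_key_leaks() {
    for hist in "$@"; do
        [ -r "$hist" ] || continue
        awk -v f="$hist" '
        {
            line = $0
            # zsh extended history stores entries as ": <epoch>:<duration>;<command>"
            sub(/^: [0-9]+:[0-9]+;/, "", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i + 2 <= n; i++) {
                if ((tok[i] !~ "(^|/)vhsm$") || (tok[i+1] != "operator") || (tok[i+2] != "unseal"))
                    continue
                for (j = i + 3; j <= n; j++) {
                    if (tok[j] ~ /^[;|&#]/) break                 # next command or comment
                    if (tok[j] !~ /^-/) { print f ":" NR; break } # positional arg = KEY
                }
            }
        }' "$hist"
    done
}

# Constructed sample history (the key value is a placeholder, not a real key).
make_sample_history() {
    cat > "$1" <<'EOF'
vhsm operator unseal
vhsm operator unseal --help
vhsm operator unseal CONSTRUCTED-PLACEHOLDER-KEY=
: 1700000000:0;vhsm operator unseal CONSTRUCTED-PLACEHOLDER-KEY=
vhsm operator rotate
vhsm operator unseal && vhsm status
EOF
}

sample=$(mktemp)
make_sample_history "$sample"
find_unseal_key_leaks "$sample"   # flags lines 3 and 4 of the sample
rm -f "$sample"
```

To audit a real account, pass its history files, for example `find_unseal_key_leaks "$HOME/.bash_history" "$HOME/.zsh_history"`. An option that takes a separate value is also flagged and needs manual review.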

Options

This command accepts standard CLI options. Use --help to view available flags:

$ vhsm operator unseal --help
