vhsm operator
The vhsm operator command groups subcommands for vHSM operators to manage and diagnose a vHSM server. These commands are primarily used for initialization, sealing/unsealing, key rotation, leadership management, and diagnostics.
Most end-users will not need to interact with these commands.
Usage
vhsm operator <subcommand> [options] [args]
Subcommands
Subcommand      Description
diagnose        Troubleshoot problems starting vHSM
generate-root   Generates a new root token
init            Initializes a vHSM server
key-status      Provides information about the active encryption key
members         Returns the list of nodes in the cluster
migrate         Migrates vHSM data between storage backends
raft            Interacts with vHSM's Raft storage backend
rekey           Generates new unseal keys
rotate          Rotates the underlying encryption key
seal            Seals the vHSM server, making it inaccessible
step-down       Forces vHSM to resign active duty
unseal          Unseals the vHSM server
usage           Lists historical client counts
Examples
Initialize a new cluster
vhsm operator init
Force vHSM to step down as leader
vhsm operator step-down
Rotate vHSM’s encryption key
vhsm operator rotate
Example Output for init
vhsm operator init
Unseal Key 1: sP/4C/fwIDjJmHEC2bi/1Pa43uKhsUQMmiB31GRzFc0R
Unseal Key 2: kHkw2xTBelbDFIMEgEC8NVX7NDSAZ+rdgBJ/HuJwxOX+
Unseal Key 3: +1+1ZnkQDfJFHDZPRq0wjFxEuEEHxDDOQxa8JJ/AYWcb
Unseal Key 4: cewseNJTLovmFrgpyY+9Hi5OgJlJgGGCg7PZyiVdPwN0
Unseal Key 5: wyd7rMGWX5fi0k36X4e+C4myt5CoTmJsHJ0rdYT7BQcF
Initial Root Token: 6662bb4a-afd0-4b6b-faad-e237fb564568
Example: Unseal vHSM server
vhsm operator unseal [options] [KEY]
The unseal command is used to provide a portion of the root key, known as an unseal key, to unseal a vHSM server. By default, vHSM starts in a sealed state and cannot perform any operations until it has been unsealed.
Providing the Unseal Key
You can supply the unseal key directly as a command-line argument:
$ vhsm operator unseal IXyR0OJnSFobekZMMCKCoVEpT7wI6l+USMzE3IcyDyo=
⚠️ Note: Supplying the key as a command-line argument is not recommended, as it may be stored in your shell history.
Instead, run the command without arguments. You are securely prompted to enter the key, and the input is hidden:
$ vhsm operator unseal
Key (will be hidden): ********
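To check whether a key has already been typed as an argument, the following added example (not part of the vHSM documentation or tooling) scans a shell history file for `vhsm operator unseal` invocations that carry a positional argument and reports the line numbers without printing the key. The function names and the sample history are constructed for illustration, and the script assumes options begin with `-` and carry any value in the same token.

```shell
#!/bin/sh
# Added example: flag shell-history lines where an unseal key was passed as a
# positional argument to `vhsm operator unseal`. Key values are never printed.

# find_unseal_leaks FILE (hypothetical helper name)
# Prints "LINE: vhsm operator unseal <redacted, N chars>" per hit.
# Exit status: 0 if at least one hit, 1 if none.
find_unseal_leaks() {
    awk '
    {
        line = $0
        # zsh extended history prefixes each entry with ": <epoch>:<elapsed>;"
        sub(/^: [0-9]+:[0-9]+;/, "", line)
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i + 2 <= n; i++) {
            if (tok[i] != "vhsm" || tok[i+1] != "operator" || tok[i+2] != "unseal")
                continue
            # Assumption: options start with "-" and carry any value in the same token.
            for (j = i + 3; j <= n; j++) {
                if (tok[j] ~ /^-/) continue        # option such as --help
                if (tok[j] ~ /^[|;&<>#]/) break    # end of this command
                printf "%d: vhsm operator unseal <redacted, %d chars>\n", NR, length(tok[j])
                hits++
                break
            }
        }
    }
    END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# write_sample_history FILE: constructed history lines with placeholder keys.
write_sample_history() {
    cat > "$1" <<'EOF'
ls
vhsm operator unseal
: 1700000000:0;vhsm operator unseal EXAMPLE-KEY-NOT-REAL=
vhsm operator unseal --help
vhsm operator init
sudo vhsm operator unseal EXAMPLE-KEY-2= && echo ok
EOF
}
```

Source the file and run `find_unseal_leaks` against each operator's history file; any hit means that unseal key has been written to disk in clear text.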
Options
This command accepts standard CLI options. Use --help to view available flags:
$ vhsm operator unseal --help