vhsm operator
The vhsm operator command groups subcommands for vHSM operators to manage and diagnose a vHSM server. These commands are primarily used for initialization, sealing/unsealing, key rotation, leadership management, and diagnostics.
Most end-users will not need to interact with these commands.
Usage
Subcommands
Subcommand      Description
diagnose        Troubleshoot problems starting vHSM
generate-root   Generates a new root token
init            Initializes a vHSM server
key-status      Provides information about the active encryption key
members         Returns the list of nodes in the cluster
migrate         Migrates vHSM data between storage backends
raft            Interacts with vHSM's Raft storage backend
rekey           Generates new unseal keys
rotate          Rotates the underlying encryption key
seal            Seals the vHSM server, making it inaccessible
step-down       Forces vHSM to resign active duty
unseal          Unseals the vHSM server
usage           Lists historical client counts
Examples
Initialize a new cluster
vhsm operator init
Force vHSM to step down as leader
vhsm operator step-down
Rotate vHSM’s encryption key
vhsm operator rotate
Example Output for init
Example: Unseal vHSM server
The unseal command is used to provide a portion of the root key—known as an unseal key—to unseal a vHSM server. By default, vHSM starts in a sealed state and cannot perform any operations until it has been unsealed.
Providing the Unseal Key
You can supply the unseal key directly as a command-line argument:
⚠️ Note: Supplying the key as a command-line argument is not recommended, as it may be stored in your shell history.
Instead, run the command without arguments. You are securely prompted to enter the key and input is hidden:
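To check whether an unseal key has already been typed as an argument, the following added example (not part of the vHSM documentation) scans a shell history file for `vhsm operator unseal` followed by a positional argument. It assumes any token after `unseal` that does not start with `-` is a key; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find history entries that passed an unseal key as an argument.
# Assumption: after "vhsm operator unseal", any token that does not start
# with "-" is treated as a key; review each hit by hand.

find_unseal_key_leaks() {
    # $1 = history file. Prints "<line number>: <redacted command>" per hit,
    # so the audit output never repeats the key itself.
    awk '
    {
        line = $0
        sub(/^: [0-9]+:[0-9]+;/, "", line)   # strip zsh extended-history prefix
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i <= n - 2; i++) {
            if (tok[i] != "vhsm" || tok[i+1] != "operator" || tok[i+2] != "unseal")
                continue
            for (j = i + 3; j <= n; j++) {
                if (tok[j] ~ /^[;|&<>]/) break   # a new command or redirect starts
                if (tok[j] != "" && tok[j] !~ /^-/) {
                    printf "%d: vhsm operator unseal [REDACTED]\n", NR
                    next
                }
            }
        }
    }' "$1"
}

sample_history() {
    # Constructed history lines; the key shares are placeholders.
    cat <<'EOF'
vhsm operator init
vhsm operator unseal CONSTRUCTED-KEY-SHARE-1
vhsm operator unseal
: 1700000000:0;vhsm operator unseal CONSTRUCTED-KEY-SHARE-2
vhsm operator unseal --help
vhsm operator step-down
EOF
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_history > "$tmp"
find_unseal_key_leaks "$tmp"
rm -f "$tmp"
```

Run the function against files such as ~/.bash_history or ~/.zsh_history on hosts where operators unseal vHSM; the reported line numbers identify the entries to review and remove.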
Options
This command accepts standard CLI options. Use --help to view available flags: