vhsm delete

Learn how to remove secrets and configuration from the vHSM server.

The vhsm delete command removes secrets and configuration from vHSM at the specified path. The behavior of this command is delegated to the backend corresponding to the given path.

Usage

vhsm delete [options] PATH

Examples

Example 1: Remove a Secret from the Static Secrets Engine

vhsm delete secret/my-secret

This command deletes the secret stored at secret/my-secret.

Example 2: Uninstall an Encryption Key in the Transit Backend

vhsm delete transit/keys/my-key

Note: Some encryption keys may require additional configuration to allow deletion.

Example 3: Delete an IAM Role

vhsm delete aws/roles/ops

This removes the IAM role named ops from the AWS backend.

Output

The vhsm delete command does not return any output upon successful execution. If an error occurs, vHSM will return an appropriate error message.

Options

HTTP Options

| Option | Type | Description |
|---|---|---|
| -address | <string> | Address of the vHSM server (default: https://127.0.0.1:8200). Can be set via VAULT_ADDR. |
| -agent-address | <string> | Address of the Agent. Can be set via VAULT_AGENT_ADDR. |
| -ca-cert | <string> | Path to a PEM-encoded CA certificate for verifying the vHSM server's SSL certificate. Can be set via VAULT_CACERT. |
| -ca-path | <string> | Path to a directory of PEM-encoded CA certificates. Can be set via VAULT_CAPATH. |
| -client-cert | <string> | Path to a client certificate for TLS authentication. Requires -client-key. Can be set via VAULT_CLIENT_CERT. |
| -client-key | <string> | Path to a private key matching the client certificate. Can be set via VAULT_CLIENT_KEY. |
| -disable-redirects | <boolean> | Disable client behavior that follows a single redirect (default: false). Can be set via VAULT_DISABLE_REDIRECTS. |
| -header | <key=value> | Key-value pair added as an HTTP header. Cannot start with X-Vault-. |
| -mfa | <string> | Supply MFA credentials as part of the X-Vault-MFA header. Can be set via VAULT_MFA. |
| -namespace | <string> | Specify the namespace for the command. Can be set via VAULT_NAMESPACE. |
| -non-interactive | <boolean> | Prevents user input prompts (default: false). |
| -output-curl-string | <boolean> | Prints an equivalent cURL command instead of executing the request (default: false). |
| -output-policy | <boolean> | Prints an example HCL policy instead of executing the request (default: false). |
| -policy-override | <boolean> | Overrides a Sentinel policy with soft-mandatory enforcement (default: false). |
| -tls-server-name | <string> | Name to use as the SNI host when connecting via TLS. Can be set via VAULT_TLS_SERVER_NAME. |
| -tls-skip-verify | <boolean> | Disable TLS certificate verification (default: false). Not recommended. Can be set via VAULT_SKIP_VERIFY. |
| -unlock-key | <string> | Key to unlock a namespace API lock. |
| -wrap-ttl | <duration> | Wraps the response in a cubbyhole token with a specified TTL (e.g., 30s, 5m). Can be set via VAULT_WRAP_TTL. |

Output Options

| Option | Type | Description |
|---|---|---|
| -field | <string> | Prints only the specified field. Useful for piping output. |
| -format | <string> | Defines output format: table, json, yaml, pretty. raw is allowed for vhsm read operations only. Can be set via VAULT_FORMAT. |
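
Because a successful vhsm delete prints nothing, a script has to rely on the exit status, and a destructive call should not go out over an unverified connection. The wrapper below is an added example, not part of the vHSM documentation; it uses only the options and environment variables listed above. It assumes that vhsm exits non-zero when it reports an error, and guarded_delete and VHSM_BIN are hypothetical names.

```shell
#!/bin/sh
# Added example: guarded wrapper around `vhsm delete`.
# Assumption: vhsm exits non-zero whenever it prints an error message.

# VHSM_BIN (hypothetical variable) lets a non-default install override the binary.
: "${VHSM_BIN:=vhsm}"

# guarded_delete PATH
# Returns 0 on success, 2 when the TLS settings are refused, 1 when vhsm fails.
guarded_delete() {
    path=$1
    if [ -z "$path" ]; then
        echo "usage: guarded_delete PATH" >&2
        return 2
    fi
    # Refuse to send the token to a server whose certificate is not verified.
    case "${VAULT_SKIP_VERIFY:-}" in
        1|t|T|true|TRUE|True)
            echo "refusing: VAULT_SKIP_VERIFY disables TLS verification" >&2
            return 2 ;;
    esac
    # Refuse plaintext HTTP; the documented default address is https.
    addr=${VAULT_ADDR:-https://127.0.0.1:8200}
    case "$addr" in
        https://*) ;;
        *) echo "refusing: $addr is not an https address" >&2; return 2 ;;
    esac
    # Build the argument list; pass the CA explicitly when one is configured.
    set -- delete -non-interactive -address "$addr"
    if [ -n "${VAULT_CACERT:-}" ]; then
        set -- "$@" -ca-cert "$VAULT_CACERT"
    fi
    # Success is silent, so the exit status is the only success signal.
    if "$VHSM_BIN" "$@" "$path"; then
        return 0
    fi
    echo "vhsm delete failed for $path" >&2
    return 1
}
```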
