vhsm secrets enable

Learn to enable a secrets engine at a specific path.

This command enables a secrets engine at the given path. If a secrets engine is already enabled at that path, the command fails with an error. Once the engine is enabled it usually needs further configuration; what is required depends on the engine type.

By default, a secrets engine is enabled at a path equal to its TYPE (for example, aws/ for the aws engine). Use the -path option to choose a different path.

Note:

  • Some secrets engines persist data, some act as a pass-through to another system, and others generate dynamic credentials on demand.

  • For engine-specific configuration options, refer to that secrets engine's documentation.

Case sensitivity

The path at which a secrets engine is enabled is case-sensitive. For example:

  • Enabling a KV secrets engine at kv/ and again at KV/ creates two distinct, independent KV secrets engine instances rather than one. A request to enable a mount that differs from an existing mount only in letter case is therefore almost always a typo, and nothing in the command itself will catch it.

Usage

vhsm secrets enable [options] <type>

Examples

  • Enable the AWS secrets engine at its default path (aws/):

    vhsm secrets enable aws

    Output:

    Success! Enabled the AWS secrets engine at: aws/

  • Enable the SSH secrets engine at a custom path (ssh-prod/):

    vhsm secrets enable -path=ssh-prod ssh

  • Enable the database secrets engine with a maximum lease TTL of 30 minutes:

    vhsm secrets enable -max-lease-ttl=30m database

  • Enable a custom plugin (my-plugin) at my-secrets/ after registering it with vhsm plugin register:

    vhsm secrets enable -path=my-secrets my-plugin

Available Options

-audit-non-hmac-request-keys=<string>
    Keys in the request data that audit devices do not HMAC. Can be specified multiple times. Values under these keys are written to the audit log in the clear, so list only keys that never carry secret material.

-audit-non-hmac-response-keys=<string>
    Keys in the response data that audit devices do not HMAC. Can be specified multiple times. The same caveat applies: these values appear unhashed in the audit log.

-default-lease-ttl=<duration>
    Default lease TTL for the secrets engine. Uses the vHSM server's default if unspecified.

-description=<string>
    Human-readable description of the secrets engine.

-force-no-cache
    Disables caching for this secrets engine. If unspecified, the vHSM server's global cache setting applies.

-local
    Marks the secrets engine as local to this cluster (not replicated).

-max-lease-ttl=<duration>
    Maximum lease TTL for the secrets engine. Uses the vHSM server's maximum if unspecified.

-path=<string>
    Path at which the secrets engine is accessible. Defaults to the engine type. Paths are case-sensitive.

-passthrough-request-headers=<string>
    Request headers passed through to the secrets engine. Can be specified multiple times.

-allowed-response-headers=<string>
    Response headers the secrets engine is allowed to set. Can be specified multiple times.

-allowed-managed-keys=<string>
    Managed key names the mount may access. Accepts a comma-separated list or may be specified multiple times.

-plugin-version=<string>
    Semantic version of the plugin to use. Defaults to the built-in or unversioned plugin.
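As an added example that is not part of the vHSM documentation or CLI, the POSIX shell wrapper below turns two points from this page into pre-flight checks before `vhsm secrets enable` is called: it compares the requested -path against an existing mount listing case-insensitively, so that kv/ versus KV/ is reported as a probable typo instead of silently producing a second mount, and it checks that the -default-lease-ttl value does not exceed -max-lease-ttl. SAMPLE_MOUNTS is constructed sample data standing in for the path column of `vhsm secrets list` output; the duration grammar it parses (s, m, h, d, bare integers as seconds), the VHSM_APPLY switch and every function name are assumptions of this example, not vhsm features.

```shell
#!/bin/sh
# Added example, not vHSM project code: a guard wrapper around
# `vhsm secrets enable`. It refuses a mount path that differs from an
# existing mount only by letter case, and rejects a -default-lease-ttl
# larger than -max-lease-ttl. SAMPLE_MOUNTS is a constructed stand-in for
# `vhsm secrets list` output (path column only). The vhsm binary is run
# only when VHSM_APPLY=1; otherwise the assembled command is printed.

SAMPLE_MOUNTS='cubbyhole/
identity/
kv/
sys/
transit/'

# Strip one leading and one trailing slash so "kv", "kv/" and "/kv/" compare equal.
norm_path() {
  p=$1
  p=${p#/}
  p=${p%/}
  printf '%s' "$p"
}

lower() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Convert 30s / 30m / 24h / 7d (or a bare integer, taken as seconds) to
# seconds. Returns 1 for anything else. Grammar is an assumption here.
duration_secs() {
  d=$1
  num=${d%[smhd]}
  unit=${d#"$num"}
  case $num in ''|*[!0-9]*) return 1 ;; esac
  case $unit in
    ''|s) echo "$num" ;;
    m)    echo $((num * 60)) ;;
    h)    echo $((num * 3600)) ;;
    d)    echo $((num * 86400)) ;;
  esac
}

# check_mount_path LISTING PATH
# Exit status: 0 = path is free, 1 = that exact mount exists, 2 = a mount
# exists that differs only in case (vHSM would create a second, unrelated
# mount, which is almost never what the operator meant).
check_mount_path() {
  listing=$1
  want=$(norm_path "$2")
  want_lc=$(lower "$want")
  rc=0
  while IFS= read -r have; do
    [ -n "$have" ] || continue
    have=$(norm_path "$have")
    if [ "$have" = "$want" ]; then rc=1; break; fi
    [ "$(lower "$have")" = "$want_lc" ] && rc=2
  done <<EOF
$listing
EOF
  return $rc
}

# check_ttls DEFAULT MAX: succeeds only if both parse and DEFAULT <= MAX.
check_ttls() {
  ds=$(duration_secs "$1") || return 1
  ms=$(duration_secs "$2") || return 1
  [ "$ds" -le "$ms" ]
}

# enable_guarded LISTING TYPE PATH DEFAULT_TTL MAX_TTL
# Exit status: 0 ok, 1 path already mounted, 2 case-only collision, 3 bad TTLs.
enable_guarded() {
  listing=$1 etype=$2 path=$3 dttl=$4 mttl=$5
  rc=0
  check_mount_path "$listing" "$path" || rc=$?
  case $rc in
    1) echo "refusing: a secrets engine is already enabled at $(norm_path "$path")/" >&2; return 1 ;;
    2) echo "refusing: an existing mount differs from '$path' only in case; reuse its exact name or pick another" >&2; return 2 ;;
  esac
  check_ttls "$dttl" "$mttl" ||
    { echo "refusing: default TTL '$dttl' exceeds max TTL '$mttl' or is not a duration" >&2; return 3; }
  # Build the argument vector once; "$@" runs it, "$*" prints it.
  set -- vhsm secrets enable "-path=$(norm_path "$path")" \
         "-default-lease-ttl=$dttl" "-max-lease-ttl=$mttl" "$etype"
  if [ "${VHSM_APPLY:-0}" = 1 ]; then
    "$@"
  else
    printf 'dry-run: %s\n' "$*"
  fi
}

# Demonstration against the constructed listing (dry run, no vhsm needed).
enable_guarded "$SAMPLE_MOUNTS" ssh ssh-prod 30m 1h
enable_guarded "$SAMPLE_MOUNTS" kv KV 30m 1h || true   # rejected: collides with kv/ by case
```

In practice the listing would come from the real server (for example, the first column of `vhsm secrets list` on a logged-in client) rather than from SAMPLE_MOUNTS, and the wrapper would be run with VHSM_APPLY=1 only after the dry-run output has been reviewed.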
