vhsm secrets tune
The vhsm secrets tune command modifies the configuration settings for a secrets engine at a specified path. This does not modify the secrets engine type but updates its configuration parameters.
Usage
vhsm secrets tune [options] <path>
Examples
Example 1: View current configuration for "pki/"
vhsm read sys/mounts/pki/tune
Output
Key Value
--- -----
default_lease_ttl 12h
description Example PKI mount
force_no_cache false
max_lease_ttl 24h
Example 2: Tune default lease TTL and exclude fields from HMAC in audit logs
vhsm secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/
Output
Success! Tuned the secrets engine at: pki/
Example 3: Verify configuration after tuning
vhsm read sys/mounts/pki/tune
Output
Key Value
--- -----
audit_non_hmac_request_keys [common_name]
audit_non_hmac_response_keys [serial_number]
default_lease_ttl 18h
description Example PKI mount
force_no_cache false
max_lease_ttl 24h
Example 4: Specify multiple non-HMAC audit request keys
vhsm secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
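The verification step in Example 3 can be scripted. The following is an added example, not part of vHSM or its documentation: it parses the tune table and reports any key logged without HMAC that is not on a reviewed list, as well as a default lease TTL larger than the maximum. APPROVED_PLAINTEXT_KEYS, the function names and the sample table are assumptions made for illustration, and multi-value lists are assumed to print as [a b].

```shell
# Added example (not vHSM code): review the table from `vhsm read sys/mounts/<path>/tune`.
# APPROVED_PLAINTEXT_KEYS is a hypothetical local policy list, not a vHSM setting.
APPROVED_PLAINTEXT_KEYS="${APPROVED_PLAINTEXT_KEYS:-common_name serial_number}"

# Convert a duration such as 30m, 12h or 1h30m to seconds (units s, m, h only).
to_seconds() {
  printf '%s\n' "$1" | awk '{
    total = 0; s = $0
    while (match(s, /^[0-9]+[smh]/)) {
      n = substr(s, 1, RLENGTH - 1); u = substr(s, RLENGTH, 1)
      total += n * (u == "h" ? 3600 : (u == "m" ? 60 : 1)); s = substr(s, RLENGTH + 1)
    }
    if (s != "" || $0 == "") exit 1; print total
  }'
}

# Print the value column of one key from the tune table on stdin.
tune_field() {
  awk -v key="$1" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }'
}

# Print findings for the tune table on stdin; return 1 if there are any.
check_tune() {
  table=$(cat); findings=0
  for field in audit_non_hmac_request_keys audit_non_hmac_response_keys; do
    keys=$(printf '%s\n' "$table" | tune_field "$field" | tr '][,' '   ')
    for k in $keys; do
      case " $APPROVED_PLAINTEXT_KEYS " in
        *" $k "*) ;;
        *) echo "FINDING: $field logs '$k' without HMAC (not approved)"; findings=1 ;;
      esac
    done
  done
  def=$(to_seconds "$(printf '%s\n' "$table" | tune_field default_lease_ttl)") || def=-1
  max=$(to_seconds "$(printf '%s\n' "$table" | tune_field max_lease_ttl)") || max=-1
  if [ "$def" -lt 0 ] || [ "$max" -lt 0 ]; then
    echo "FINDING: lease TTLs missing or unparseable"; findings=1
  elif [ "$def" -gt "$max" ]; then
    echo "FINDING: default_lease_ttl exceeds max_lease_ttl"; findings=1
  fi
  return "$findings"
}

# Constructed sample modelled on Example 3, with "ttl" added as in Example 4.
SAMPLE_TUNE='audit_non_hmac_request_keys     [common_name ttl]
audit_non_hmac_response_keys    [serial_number]
default_lease_ttl               18h
max_lease_ttl                   24h'
printf '%s\n' "$SAMPLE_TUNE" | check_tune || true
```

Against a live mount, pipe the output of vhsm read sys/mounts/pki/tune into check_tune; a non-zero return status means at least one finding was printed.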
Available Options
-allowed-response-headers=<string>
Response header values the secrets engine can set. Multiple keys can be provided by using this option multiple times.
-audit-non-hmac-request-keys=<string>
Request data keys excluded from HMAC in audit logs. Use multiple times for multiple keys.
-audit-non-hmac-response-keys=<string>
Response data keys excluded from HMAC in audit logs. Use multiple times for multiple keys.
-default-lease-ttl=<duration>
Default lease TTL for this secrets engine. Uses duration format (e.g., 30m, 12h).
-description=<string>
Updates the human-readable description of the mount.
-listing-visibility=<string>
Controls mount visibility in the UI. Options: "unauth", "hidden". Empty value keeps the current setting.
-max-lease-ttl=<duration>
Maximum lease TTL for the secrets engine. Can override global vHSM settings.
-passthrough-request-headers=<string>
Headers forwarded to the secrets engine. Multiple keys can be specified separately.
-allowed-managed-keys=<string>
Specifies which managed key(s) the mount can access. Use a comma-separated list or multiple instances of the flag.
-plugin-version=<string>
Sets the plugin version for the mount. The mount must be reloaded for changes to take effect.