vhsm secrets tune

The vhsm secrets tune command modifies the configuration of the secrets engine mounted at the given path. It changes tuning parameters such as lease TTLs, audit HMAC exclusions and passthrough headers; it does not change which secrets engine is mounted at that path.

Before tuning, record the current configuration so you can compare it afterwards: vhsm read sys/mounts/<path>/tune

Usage

vhsm secrets tune [options] <path>

Examples

Example 1: View the current configuration for "pki/"

vhsm read sys/mounts/pki/tune

Output

Key                             Value
---                             -----
default_lease_ttl               12h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h

Example 2: Tune the default lease TTL and exclude two fields from HMAC in audit logs. Values of the excluded keys are written to audit logs in plaintext, so only exclude fields that are not sensitive (here common_name and serial_number, which are certificate metadata rather than key material).

vhsm secrets tune -default-lease-ttl=18h -audit-non-hmac-request-keys=common_name -audit-non-hmac-response-keys=serial_number pki/

Output

Success! Tuned the secrets engine at: pki/

Example 3: Verify configuration after tuning

vhsm read sys/mounts/pki/tune

Output

Key                             Value
---                             -----
audit_non_hmac_request_keys     [common_name]
audit_non_hmac_response_keys    [serial_number]
default_lease_ttl               18h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h

Example 4: Specify multiple non-HMAC audit request keys. The keys given in one invocation form the complete list, so to keep common_name and add ttl, pass both:

vhsm secrets tune -audit-non-hmac-request-keys=common_name -audit-non-hmac-request-keys=ttl pki/
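The check-tune-verify sequence in Examples 1 to 3 is easy to get wrong when a default TTL is set above the mount's maximum or when a sensitive field is quietly excluded from audit HMAC. The following script is an added example, not vHSM's own code: it parses the Key/Value table that vhsm read sys/mounts/<path>/tune prints (layout as shown on this page), converts the duration values, fails when default_lease_ttl exceeds max_lease_ttl, and warns about every audit key that will be logged in the clear. The two sample tables are constructed from the examples above, not captured from a server; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not vHSM's own code: sanity-check the Key/Value table
# printed by `vhsm read sys/mounts/<path>/tune` before and after tuning.
# Table layout and field names are the ones shown on this page; the
# sample outputs below are constructed, not captured from a live server.

# Convert a duration such as 30m, 12h, 90s, 1h30m or a bare number of
# seconds into seconds (the duration format used by -default-lease-ttl).
duration_to_seconds() {
    printf '%s\n' "$1" | awk '{
        s = $0; total = 0
        while (match(s, /^[0-9]+[smh]?/)) {
            tok = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            n = tok + 0                      # awk keeps the leading digits
            u = substr(tok, length(tok), 1)  # unit suffix, or a digit if none
            if (u == "m") n *= 60
            else if (u == "h") n *= 3600
            total += n
        }
        print total
    }'
}

# Print the value column for one key of the table read on stdin
# (empty when the key is absent, as it is before the first tune).
tune_value() {
    awk -v k="$1" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Read a tune table on stdin. Prints a warning for every audit key whose
# values will reach the audit log without HMAC, and returns 1 when
# default_lease_ttl exceeds max_lease_ttl, a combination to catch before
# submitting the tune.
check_tune() {
    table=$(cat)
    def=$(printf '%s\n' "$table" | tune_value default_lease_ttl)
    max=$(printf '%s\n' "$table" | tune_value max_lease_ttl)
    for k in audit_non_hmac_request_keys audit_non_hmac_response_keys; do
        v=$(printf '%s\n' "$table" | tune_value "$k")
        if [ -n "$v" ]; then
            echo "WARN: $k=$v are logged without HMAC; keep secrets out of these fields"
        fi
    done
    if [ "$(duration_to_seconds "$def")" -gt "$(duration_to_seconds "$max")" ]; then
        echo "ERROR: default_lease_ttl ($def) exceeds max_lease_ttl ($max)"
        return 1
    fi
    echo "OK: default_lease_ttl=$def <= max_lease_ttl=$max"
}

# Constructed sample: the table shown in Example 3 after tuning.
TUNED_OUTPUT='Key                             Value
---                             -----
audit_non_hmac_request_keys     [common_name]
audit_non_hmac_response_keys    [serial_number]
default_lease_ttl               18h
description                     Example PKI mount
force_no_cache                  false
max_lease_ttl                   24h'

# Constructed sample of a mis-tune: default TTL longer than the maximum.
BAD_OUTPUT='Key                             Value
---                             -----
default_lease_ttl               36h
max_lease_ttl                   24h'

# Run against the sample. Against a live server, pipe the real output in:
#   vhsm read sys/mounts/pki/tune | check_tune
printf '%s\n' "$TUNED_OUTPUT" | check_tune
```

Run it after each tune as a gate in a change script: a non-zero exit from check_tune stops the pipeline before a bad TTL pair is submitted, and the WARN lines give reviewers the list of audit fields that will be readable in the log.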

Available Options

-allowed-response-headers=<string>

Response headers the secrets engine is allowed to set. Use the option multiple times to allow several headers.

-audit-non-hmac-request-keys=<string>

Request data keys excluded from HMAC in audit logs; their values are written to the audit log in plaintext. Use the option multiple times for multiple keys.

-audit-non-hmac-response-keys=<string>

Response data keys excluded from HMAC in audit logs; their values are written to the audit log in plaintext. Use the option multiple times for multiple keys.

-default-lease-ttl=<duration>

Default lease TTL for this secrets engine, in duration format (e.g. 30m, 12h).

-description=<string>

Updates the human-readable description of the mount.

-listing-visibility=<string>

Controls whether the mount is listed in the UI. Options: "unauth", "hidden". An empty value leaves the current setting unchanged.

-max-lease-ttl=<duration>

Maximum lease TTL for this secrets engine, in duration format. Overrides the global vHSM maximum for this mount.

-passthrough-request-headers=<string>

Request headers forwarded to the secrets engine. Use the option multiple times for several headers.

-allowed-managed-keys=<string>

Managed key(s) the mount is allowed to access. Give a comma-separated list or repeat the flag.

-plugin-version=<string>

Sets the plugin version for the mount. The mount must be reloaded for the change to take effect.
