vhsm unwrap

Learn to unwrap a wrapped secret from vHSM using a wrapping token.

The unwrap command is used to unwrap a wrapped secret from vHSM using a wrapping token. This operation is functionally equivalent to a vhsm read on the original secret. It is commonly used for secure transmission of sensitive information, such as credentials or temporary tokens.

If no token is provided, the unwrap operation will attempt to unwrap the secret associated with the currently authenticated token.

Usage

vhsm unwrap [options] [TOKEN]
  • TOKEN: (Optional) The wrapping token to unwrap. If omitted, the current authentication token is used.

Examples

  • Unwrap a wrapped secret using a specific token:

vhsm unwrap 3de9ece1-b347-e143-29b0-dc2dc31caafd
  • Unwrap the secret associated with the currently authenticated token:

vhsm login 848f9ccf-7176-098c-5e2b-75a0689d41cd
vhsm unwrap
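The two examples above show the client end of a response-wrapping exchange. As an added illustration, not vHSM's own code, the following Python model shows why unwrap suits secret transmission: the wrapped response sits behind a token that is consumed on its first use and expires after its -wrap-ttl, so a legitimate consumer whose unwrap fails with "already consumed" has a strong signal that something else read the secret first. The single-use and TTL behaviour modelled is that of Vault-style cubbyhole response wrapping, which the VAULT_* environment variables on this page suggest vHSM inherits; that mapping, the in-memory store, and every token, path and value below are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict


class UnwrapError(Exception):
    """Raised when a wrapping token is unknown, already consumed, or expired."""


@dataclass
class WrappedResponse:
    """One wrapped read result held server-side until it is unwrapped."""
    data: Dict[str, str]
    expires_at: float
    creation_path: str   # path the wrapped response was read from (for audit)


@dataclass
class WrappingStore:
    """In-memory stand-in for the server-side wrapping store (constructed,
    not vHSM's implementation). Semantics modelled: one token, one unwrap,
    bounded by a TTL."""
    clock: Callable[[], float]
    _entries: Dict[str, WrappedResponse] = field(default_factory=dict)

    def wrap(self, data: Dict[str, str], ttl_seconds: float, creation_path: str) -> str:
        """Model of -wrap-ttl: hide `data` behind a fresh single-use token."""
        token = secrets.token_hex(16)   # constructed token format, not vHSM's
        self._entries[token] = WrappedResponse(
            data=dict(data),
            expires_at=self.clock() + ttl_seconds,
            creation_path=creation_path,
        )
        return token

    def unwrap(self, token: str) -> Dict[str, str]:
        """Model of `vhsm unwrap TOKEN`: hand back the original response once.
        pop() removes the entry, so a replayed token cannot be unwrapped again."""
        entry = self._entries.pop(token, None)
        if entry is None:
            raise UnwrapError("token unknown or already consumed")
        if self.clock() > entry.expires_at:
            raise UnwrapError("token expired")
        return entry.data


class FakeClock:
    """Deterministic clock so the TTL case can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_lifecycle() -> Dict[str, object]:
    """Walk through the three outcomes a consumer of `vhsm unwrap` can see."""
    clock = FakeClock()
    store = WrappingStore(clock=clock)
    results: Dict[str, object] = {}

    # Provisioner side: read the secret with -wrap-ttl=5m and hand over only the token.
    token = store.wrap({"password": "constructed-db-password"},
                       ttl_seconds=300, creation_path="secret/data/mariadb")

    # Consumer side: the first unwrap is equivalent to reading the original secret.
    results["first_unwrap"] = store.unwrap(token)

    # A second unwrap of the same token must fail. For the legitimate consumer this
    # means someone else read the secret first, which is worth alerting on.
    try:
        store.unwrap(token)
        results["second_unwrap"] = "succeeded"
    except UnwrapError as err:
        results["second_unwrap"] = str(err)

    # A token that outlives its TTL is also rejected, bounding the exposure window.
    stale = store.wrap({"api_key": "constructed-key"}, ttl_seconds=30,
                       creation_path="secret/data/api")
    clock.advance(31)
    try:
        store.unwrap(stale)
        results["expired_unwrap"] = "succeeded"
    except UnwrapError as err:
        results["expired_unwrap"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo_lifecycle().items():
        print(f"{name}: {outcome}")
```

Running the module prints the three outcomes; the point to carry over to real deployments is that an automation step which calls vhsm unwrap should treat a non-zero exit on the first attempt as an incident to investigate, not as a transient error to retry with the same token.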

HTTP Options

-address=<string>
    Address of the vHSM server. Default: https://127.0.0.1:8200. Can also be set via VAULT_ADDR.

-agent-address=<string>
    Address of the Agent. Also configurable via VAULT_AGENT_ADDR.

-ca-cert=<string>
    Path to a PEM-encoded CA certificate file to verify the vHSM server's certificate. Overrides -ca-path. Also configurable via VAULT_CACERT.

-ca-path=<string>
    Path to a directory of PEM-encoded CA certificates. Also configurable via VAULT_CAPATH.

-client-cert=<string>
    Path to a client certificate for TLS authentication. Requires -client-key. Also settable via VAULT_CLIENT_CERT.

-client-key=<string>
    Path to the private key matching the -client-cert. Also settable via VAULT_CLIENT_KEY.

-disable-redirects
    Prevents following HTTP redirects. Default is false. Also configurable via VAULT_DISABLE_REDIRECTS.

-header=<key=value>
    Additional HTTP headers (cannot start with X-Vault-). Can be specified multiple times.

-mfa=<string>
    Multi-Factor Authentication credentials. Also settable via VAULT_MFA.

-namespace=<string>
    Namespace to use. Shortcut: -ns. Also settable via VAULT_NAMESPACE.

-non-interactive
    Disables interactive prompts. Useful for automation. Default is false.

-output-curl-string
    Prints an equivalent curl command instead of executing.

-output-policy
    Prints an example HCL policy required for this command.

-policy-override
    Overrides soft-mandatory Sentinel policies.

-tls-server-name=<string>
    Sets the SNI host for TLS. Also settable via VAULT_TLS_SERVER_NAME.

-tls-skip-verify
    Skips TLS certificate verification. Not recommended. Also settable via VAULT_SKIP_VERIFY.

-unlock-key=<string>
    Key used to unlock a namespace API lock.

-wrap-ttl=<duration>
    Wraps the response in a cubbyhole token with a TTL (e.g., 30s, 5m). Also settable via VAULT_WRAP_TTL.

Output Options

-field=<string>
    Output only a specific field. No trailing newline. Useful for piping output.

-format=<string>
    Output format: table, json, yaml, pretty. Default is table. Settable via VAULT_FORMAT. raw is allowed only for vhsm read.
