vhsm server
The vhsm server command starts a vHSM server that responds to API requests. By default, the server starts in a sealed state, requiring initialization and unsealing before handling requests.
The vHSM cluster must be initialized using vhsm operator init. Each vHSM server must be unsealed using vhsm operator unseal or the API before it can process requests.
vhsm operator init – Initialize a new vHSM server.
vhsm operator unseal – Unseal a vHSM server.
– Detailed configuration options for a vHSM server.
Start a vHSM server with a configuration file
Run in "dev" mode with a custom initial root token
-config (string)
  Path to a configuration file or directory. Can be specified multiple times. Supports .hcl and .json files.
  Default: ""

-log-level (string)
  Log verbosity level: trace, debug, info, warn, error. Can also be set via VAULT_LOG_LEVEL.
  Default: "info"

-log-format (string)
  Log format: standard or json. Can also be set via VAULT_LOG_FORMAT.
  Default: "standard"

-log-file (string)
  Prefix for the log file name. Timestamp is appended automatically.
  Default: ""

-log-rotate-bytes (int)
  Maximum log file size in bytes before rotation. No limit if unspecified.
  Default: ""

-log-rotate-duration (string)
  Maximum log file duration before rotation (e.g., 30s, 24h). Defaults to 24h.
  Default: "24h"

-log-rotate-max-files (int)
  Maximum number of archived log files to retain. Set to -1 to discard old logs.
  Default: 0 (keeps all logs)

-experiment (string array)
  Enables experimental features (not recommended for production). Can be set multiple times. Also configurable via VAULT_EXPERIMENTS.
  Default: []

VAULT_ALLOW_PENDING_REMOVAL_MOUNTS (bool)
  Allows starting vHSM with deprecated engines in the "Pending Removal" state. This is a temporary setting before they are fully removed.
  Default: false

-dev (bool)
  Enable development mode (in-memory, unsealed vHSM). Not for production use.
  Default: false

-dev-tls (bool)
  Enable TLS in dev mode (auto-generates CA, cert, and key). Not for production use.
  Default: false

-dev-tls-cert-dir (string)
  Directory for generated TLS files (if -dev-tls is enabled). Defaults to a temp directory if unset.
  Default: ""

-dev-listen-address (string)
  Address to bind in dev mode. Can also be set via VAULT_DEV_LISTEN_ADDRESS.
  Default: "127.0.0.1:8200"

-dev-root-token-id (string)
  Custom root token for dev mode. Can also be set via VAULT_DEV_ROOT_TOKEN_ID.
  Default: ""

-dev-no-store-token (bool)
  Prevents storing the dev root token in the token helper. The token is only displayed in output.
  Default: false

-dev-plugin-dir (string)
  Directory from which plugins are auto-registered in dev mode.
  Default: ""
Note: The -dev-root-token-id should not start with the s. prefix. The -dev flag enables in-memory mode where vHSM is automatically unsealed, making it insecure for production.
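The following shell script is an added example and is not part of the vhsm project or this page. It composes the two scenarios listed under the examples above (starting with a configuration file, and dev mode with a custom root token) from the documented flags, and refuses the misuses the page calls out: an unknown -log-level or -log-format value, a missing -config in non-dev mode, and a dev root token carrying the s. prefix. The config path /etc/vhsm/config.hcl and the token values are constructed placeholders; nothing here starts a server, it only prints the command line it would run.

```shell
#!/bin/sh
# Added example, not part of the vhsm project: compose a `vhsm server`
# command line from the flags documented on this page and reject the
# misuses the page calls out, without starting a server. Paths and token
# values are constructed placeholders.

# Values the page documents for -log-level and -log-format.
VHSM_LOG_LEVELS="trace debug info warn error"
VHSM_LOG_FORMATS="standard json"

# in_list WORD "a b c": succeed if WORD is one of the listed words.
in_list() {
  for w in $2; do
    [ "$1" = "$w" ] && return 0
  done
  return 1
}

# check_dev_root_token TOKEN: succeed if TOKEN is usable with
# -dev-root-token-id (non-empty and not carrying the "s." prefix the
# note above warns about).
check_dev_root_token() {
  case "$1" in
    "")  return 1 ;;
    s.*) return 1 ;;
    *)   return 0 ;;
  esac
}

# build_server_cmd MODE ARG [LOG_LEVEL] [LOG_FORMAT]
#   MODE "prod": ARG is the -config path (file or directory).
#   MODE "dev":  ARG is the custom root token, or empty to let vHSM
#                generate one.
# Prints the command line on success; returns 1 on a documented misuse.
build_server_cmd() {
  mode=$1; arg=$2; level=${3:-info}; fmt=${4:-standard}
  in_list "$level" "$VHSM_LOG_LEVELS" || { echo "unknown log level: $level" >&2; return 1; }
  in_list "$fmt" "$VHSM_LOG_FORMATS" || { echo "unknown log format: $fmt" >&2; return 1; }
  case "$mode" in
    prod)
      [ -n "$arg" ] || { echo "production mode requires -config" >&2; return 1; }
      echo "vhsm server -config=$arg -log-level=$level -log-format=$fmt"
      ;;
    dev)
      tok=""
      if [ -n "$arg" ]; then
        check_dev_root_token "$arg" || { echo "dev root token must not start with s." >&2; return 1; }
        tok=" -dev-root-token-id=$arg"
      fi
      # -dev-no-store-token keeps the root token out of the token helper;
      # the server only displays it in its output.
      echo "vhsm server -dev$tok -dev-no-store-token -log-level=$level -log-format=$fmt"
      ;;
    *)
      echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Usage: print both documented scenarios (nothing is executed).
build_server_cmd prod /etc/vhsm/config.hcl
build_server_cmd dev myroot debug json
```

Because the script only prints the command line, it can sit in front of a service wrapper or CI job as a pre-flight check: a rejected invocation exits non-zero before any vHSM process is launched, and the dev branch always appends -dev-no-store-token so a custom root token never lands in the token helper.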