vhsm server


Last updated 2 months ago


The vhsm server command starts a vHSM server that responds to API requests. By default, the server starts in a sealed state, requiring initialization and unsealing before handling requests.

  • The vHSM cluster must be initialized using vhsm operator init.

  • Each vHSM server must be unsealed using vhsm operator unseal or the API before it can process requests.

Related Commands

  • vhsm operator init – Initialize a new vHSM server.

  • vhsm operator unseal – Unseal a vHSM server.

  • – Detailed configuration options for a vHSM server.

Usage

vhsm server [options]

Examples

Start a vHSM server with a configuration file

vhsm server -config=/etc/vault/config.json

Run in "dev" mode with a custom initial root token

vhsm server -dev -dev-root-token-id="root"

Options

General server options

| Flag | Description | Default |
| --- | --- | --- |
| -config (string) | Path to a configuration file or directory. Can be specified multiple times. Supports .hcl and .json files. | "" |
| -log-level (string) | Log verbosity level: trace, debug, info, warn, error. Can also be set via VAULT_LOG_LEVEL. | "info" |
| -log-format (string) | Log format: standard or json. Can also be set via VAULT_LOG_FORMAT. | "standard" |
| -log-file (string) | Prefix for the log file name. Timestamp is appended automatically. | "" |
| -log-rotate-bytes (int) | Maximum log file size in bytes before rotation. No limit if unspecified. | "" |
| -log-rotate-duration (string) | Maximum log file duration before rotation (e.g., 30s, 24h). Defaults to 24h. | "24h" |
| -log-rotate-max-files (int) | Maximum number of archived log files to retain. Set to -1 to discard old logs. | 0 (keeps all logs) |
| -experiment (string array) | Enables experimental features (not recommended for production). Can be set multiple times. Also configurable via VAULT_EXPERIMENTS. | [] |

Environment variable

| Variable | Description | Default |
| --- | --- | --- |
| VAULT_ALLOW_PENDING_REMOVAL_MOUNTS (bool) | Allows starting vHSM with deprecated engines in the "Pending Removal" state. This is a temporary setting before they are fully removed. | false |

Development mode options

| Flag | Description | Default |
| --- | --- | --- |
| -dev (bool) | Enable development mode (in-memory, unsealed vHSM). Not for production use. | false |
| -dev-tls (bool) | Enable TLS in dev mode (auto-generates CA, cert, and key). Not for production use. | false |
| -dev-tls-cert-dir (string) | Directory for generated TLS files (if -dev-tls is enabled). Defaults to a temp directory if unset. | "" |
| -dev-listen-address (string) | Address to bind in dev mode. Can also be set via VAULT_DEV_LISTEN_ADDRESS. | "127.0.0.1:8200" |
| -dev-root-token-id (string) | Custom root token for dev mode. Can also be set via VAULT_DEV_ROOT_TOKEN_ID. | "" |
| -dev-no-store-token (bool) | Prevents storing the dev root token in the token helper. The token is only displayed in output. | false |
| -dev-plugin-dir (string) | Directory from which plugins are auto-registered in dev mode. | "" |

Note:

  • The -dev-root-token-id should not start with the s. prefix.

  • The -dev flag enables in-memory mode where vHSM is automatically unsealed, making it insecure for production.
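The following is an added example, not part of the vHSM documentation or tooling: a small pre-deployment check that scans a `vhsm server` argument list (for instance from a service unit or container spec) for the development-mode and experimental flags listed above. The function name `lint_vhsm_server_args`, its messages, and the sample invocations are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not enclaive code): lint a `vhsm server` argument list for
# options this page marks as development-only or not for production.
# Only the -flag=value spelling used in the page's examples is parsed.
lint_vhsm_server_args() {
    findings=0
    for arg in "$@"; do
        case $arg in -*) ;; *) continue ;; esac      # ignore non-flag words
        flag=${arg#-}; flag=${flag#-}                 # accept -flag and --flag
        key=${flag%%=*}
        case $flag in *=*) val=${flag#*=} ;; *) val= ;; esac
        msg=
        case $key in
            dev)
                [ "$val" = false ] || msg="-dev: in-memory, automatically unsealed server" ;;
            dev-listen-address)
                case $val in
                    127.0.0.1:*|localhost:*|'[::1]':*) ;;
                    *) msg="-dev-listen-address=$val: dev server bound off loopback" ;;
                esac ;;
            dev-root-token-id)
                # The token value itself is deliberately never echoed.
                msg="-dev-root-token-id: fixed root token passed on the command line"
                case $val in s.*) msg="$msg; value must not start with s." ;; esac ;;
            dev-*)
                msg="-$key: development mode option" ;;
            experiment)
                msg="-experiment=$val: experimental feature enabled" ;;
        esac
        if [ -n "$msg" ]; then
            echo "FINDING $msg"
            findings=$((findings + 1))
        fi
    done
    echo "findings=$findings"
    [ "$findings" -eq 0 ]                             # exit status 0 only when clean
}

# Constructed sample invocations, modelled on the two examples above.
lint_vhsm_server_args -config=/etc/vault/config.json || true
lint_vhsm_server_args -dev -dev-root-token-id="root" -dev-listen-address=0.0.0.0:8200 || true
```

The check covers command-line flags only; the environment variables listed in the tables (VAULT_DEV_ROOT_TOKEN_ID, VAULT_DEV_LISTEN_ADDRESS, VAULT_EXPERIMENTS) set the same options and need a separate check.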

vHSM Configuration