Command Reference

Operator-oriented reference for Vaulthalla CLI command families and common examples.

This is an operator reference for the command families exposed through vh. Use vh help <namespace> on the host for the exact help text shipped by the installed version.

Global

| Command | Purpose |
| --- | --- |
| `vh help` | Show root help. |
| `vh help <namespace>` | Show help for a namespace or subcommand. |
| `vh version` | Print the installed CLI version. |
| `vh status` | Print runtime/service status. |

Setup And Teardown

```bash
vh setup assign-admin
sudo vh setup db
sudo vh setup remote-db --host <host> --port 5432 --user <user> --database <name> --password-file <path>
sudo vh setup nginx --domain vault.example.com
sudo vh setup nginx --domain vault.example.com --certbot
sudo vh teardown nginx
sudo vh teardown db
```

setup assign-admin is a normal CLI command. The database, remote database, Nginx, and teardown commands are privileged lifecycle commands and should be run with sudo.

Users

Aliases include vh users, vh user, and vh u.

```bash
vh user create <username> --role <role-or-id> [--email <email>] [--linux-uid <uid>]
vh user info <username-or-id>
vh user update <username-or-id> --name <new-name> --email <email> --role <role-or-id> --linux-uid <uid>
vh user delete <username-or-id>
```

The built-in super_admin role and user are protected from normal create, update, and delete operations.

Groups

```bash
vh group create <name> [--desc <description>] [--linux-gid <gid>]
vh group info <name-or-id>
vh group update <name-or-id> --name <new-name> --desc <description> --linux-gid <gid>
vh group delete <name-or-id>
vh group user add <group> <user>
vh group user remove <group> <user>
vh group users <group>
```

Use groups when permissions should follow a team rather than an individual user.

Roles And Permissions

List supported permissions:

```bash
vh permissions
vh permissions --type user
vh permissions --type vault
```

Admin roles:

```bash
vh role admin list
vh role admin info <role>
vh role admin create <name> --manage-users --manage-vaults
vh role admin update <role> --audit-log-access
vh role admin delete <role>
```

Vault roles:

```bash
vh role vault list
vh role vault info <role>
vh role vault create <name> --list --download --sync
vh role vault update <role> --share
vh role vault delete <role>
```

Admin permissions include user, group, role, vault, API key, encryption key, audit, and admin management capabilities. Vault permissions include list, create, download, delete, rename, move, share, sync, version, tag, metadata, file lock, access, and vault management capabilities.

API Keys

Aliases include vh api-key, vh aku, and vh ak.

```bash
vh api-key list
vh api-key create <name> \
  --access <access-key> \
  --secret <secret-key> \
  --provider <provider> \
  --endpoint <url> \
  [--region <region>]
vh api-key info <name-or-id>
vh api-key delete <name-or-id>
```

Supported provider values include aws, cloudflare-r2, wasabi, backblaze-b2, digitalocean, minio, ceph, storj, and other.

Cloudflare R2 example:

```bash
vh api-key create r2-main \
  --access <access-key> \
  --secret <secret-key> \
  --provider cloudflare-r2 \
  --endpoint https://<account-id>.r2.cloudflarestorage.com
```

The endpoint is required. The default region is auto.

Vaults

```bash
vh vaults
vh vaults --local
vh vaults --s3 --limit 5
vh vaults --json
vh vault info <id-or-name> [--owner <user-or-id>]
vh vault delete <id-or-name> [--owner <user-or-id>]
```

Create a local vault:

```bash
vh vault create docs --local --desc "Team documents" --quota 50G --on-sync-conflict keep_both
```

Create an S3/R2 vault:

```bash
vh vault create archive \
  --s3 \
  --api-key r2-main \
  --bucket vaulthalla-archive \
  --sync-strategy cache \
  --on-sync-conflict keep_local \
  --encrypt
```

Update a vault:

```bash
vh vault update archive --sync-strategy sync --interval 15m
```

Vault Access

Assign a vault role to a user or group:

```bash
vh vault role assign <vault> <role-id> --user alice
vh vault role assign <vault> <role-id> --group operators
```

Remove a vault role:

```bash
vh vault role unassign <vault> <role-id> --user alice
vh vault role list <vault>
```

Add permission overrides for a path pattern:

```bash
vh vault role override add <vault> --user alice --pattern "/finance/*" --download --disable
vh vault role override list <vault>
vh vault role override remove <vault> <override-id>
```

Sync

```bash
vh vault sync <vault>
vh vault sync info <vault>
vh vault sync set <vault> --interval 15m
vh vault sync dry-run <vault>
vh vault sync inventory <vault> --file inventory.csv
vh vault sync events <vault> --file s3-events.json
vh vault sync reconcile <vault> --allow-list-scan
```

S3/R2 sync policy fields include strategy, conflict policy, interval, request budgets, and maximum remote-index age. See Sync and Request Budgets.

Vault Keys

```bash
vh vault keys export <vault-or-all> --recipient <gpg-fingerprint> --output vaulthalla-vault-keys.json.gpg
vh vault keys export <vault-or-all> --output vaulthalla-vault-keys.json
vh vault keys rotate <vault-or-all> [--sync-now]
```

Unencrypted key exports are dangerous. Prefer --recipient and --output.
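One way to enforce that preference in operator tooling, as an added example that is not part of Vaulthalla: a shell wrapper that only ever runs the encrypted form of `vh vault keys export`. The function names, the `VH_BIN` override, the 40-hex-digit fingerprint check, and the `.gpg` suffix rule are assumptions of this example, not Vaulthalla behavior.

```shell
#!/bin/sh
# Added example: guard around `vh vault keys export` that refuses plaintext exports.
# VH_BIN is a hypothetical override so the wrapper can be exercised against a stub.
VH_BIN="${VH_BIN:-vh}"

# Accept only a full 40-hex-digit GPG fingerprint (assumption of this example);
# short key IDs can collide and could encrypt to the wrong recipient.
valid_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# safe_key_export <vault-or-all> <gpg-fingerprint> <output-path>
# Returns 0 on success, 2 for a missing target or bad fingerprint,
# 3 for a non-.gpg output name, 4 if the output exists, otherwise vh's own status.
safe_key_export() {
  target="$1"; recipient="$2"; out="$3"
  if [ -z "$target" ] || ! valid_fingerprint "$recipient"; then
    echo "refusing: target and a full GPG fingerprint are required" >&2
    return 2
  fi
  case "$out" in
    *.gpg) ;;
    *) echo "refusing: output name must end in .gpg" >&2; return 3 ;;
  esac
  if [ -e "$out" ]; then
    echo "refusing: $out already exists" >&2
    return 4
  fi
  # The subshell keeps the restrictive umask from leaking into the caller;
  # the export file is created readable by the invoking user only.
  (
    umask 077
    "$VH_BIN" vault keys export "$target" --recipient "$recipient" --output "$out"
  )
}
```

Source the file and call `safe_key_export all <gpg-fingerprint> vaulthalla-vault-keys.json.gpg`; the plaintext form of the command is never reachable through the wrapper.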

Internal Secrets

```bash
vh secret set db-password /root/db-password
vh secret set jwt-secret /root/jwt-secret
vh secret export db-password --recipient <gpg-fingerprint> --output db-password.json.gpg
vh secret export jwt-secret --recipient <gpg-fingerprint> --output jwt-secret.json.gpg
vh secret export all --recipient <gpg-fingerprint> --output vaulthalla-secrets.json.gpg
```

secret set reads the secret value from the file path you pass.

Pricing Budgets

```bash
vh pricing budget list
vh pricing budget set-global --mode warn --max-daily 5 --currency USD
vh pricing budget set-provider aws-s3 --mode enforce --max-run 1 --max-daily 10
vh pricing budget set-vault <vault> --mode report --max-run 0.25
vh pricing budget status
vh pricing budget ledger --limit 100
vh pricing budget disable-vault <vault>
```

See Price Budgets.

Email

```bash
vh email provider resend set
vh email provider ses set
vh email doctor
vh email test --dry-run
vh email test --send --to <email>
vh email history --limit 100
```

See Operator Emails.