yubihsm-shell - manual page for yubihsm-shell 2.6.0
yubihsm-shell [OPTION]...
- -h, --help
- Print help and exit
- -V, --version
- Print version and exit
- -a,
--action=ENUM
- Action to perform (possible values="benchmark",
"blink-device", "create-otp-aead",
"decrypt-aesccm", "decrypt-aescbc",
"decrypt-aesecb", "decrypt-oaep",
"decrypt-otp", "decrypt-pkcs1v15",
"delete-object", "derive-ecdh",
"encrypt-aesccm", "encrypt-aescbc",
"encrypt-aesecb", "generate-asymmetric-key",
"generate-hmac-key", "generate-otp-aead-key",
"generate-wrap-key", "generate-symmetric-key",
"get-device-info", "get-logs",
"get-object-info", "get-opaque",
"get-option", "get-pseudo-random",
"get-public-key", "get-storage-info",
"get-template", "get-wrapped",
"get-rsa-wrapped", "get-rsa-wrapped-key",
"get-device-pubkey", "list-objects",
"put-asymmetric-key", "put-authentication-key",
"put-hmac-key", "put-opaque", "put-option",
"put-otp-aead-key", "put-symmetric-key",
"put-template", "put-wrap-key",
"put-rsa-wrapkey", "put-public-wrapkey",
"put-wrapped", "put-rsa-wrapped",
"put-rsa-wrapped-key", "randomize-otp-aead",
"reset", "set-log-index",
"sign-attestation-certificate", "sign-ecdsa",
"sign-eddsa", "sign-hmac", "sign-pkcs1v15",
"sign-pss", "sign-ssh-certificate")
- -p,
--password=STRING
- Authentication password. A password passed on the command line can be exposed through the process list and shell history.
- --authkey=INT
- Authentication key (default=`1')
- -i,
--object-id=SHORT
- Object ID (default=`0')
- -l,
--label=STRING
- Object label (default=`')
- -d,
--domains=STRING
- Object domains (default=`1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16')
- -c,
--capabilities=STRING
- Capabilities for an object (default=`0')
- -t,
--object-type=STRING
- Object type (default=`any')
- -y,
--ykhsmauth-label=STRING
- Credential label on YubiKey (implicitly enables ykhsmauth)
- -r,
--ykhsmauth-reader=STRING
- Only use a matching YubiKey reader name (default=`')
- --delegated=STRING
- Delegated capabilities (default=`0')
- --new-password=STRING
- New authentication password
- -A,
--algorithm=STRING
- Operation algorithm (default=`any')
- --oaep=STRING
- OAEP algorithm. Used primarily with asymmetric wrap
(default=`rsa-oaep-sha256')
- --mgf1=STRING
- MGF1 algorithm. Used primarily with asymmetric wrap
(default=`mgf1-sha256')
- --nonce=INT
- OTP nonce
- --iv=STRING
- An initialization vector as a hexadecimal string
- --count=INT
- Number of bytes to request (default=`256')
- --duration=INT
- Blink duration in seconds (default=`10')
- --wrap-id=INT
- Wrap key ID
- --include-seed
- Include seed when exporting an ED25519 key under wrap (default=off)
- --template-id=INT
- Template ID
- --attestation-id=INT
- Attestation ID
- --log-index=INT
- Log index
- --opt-name=STRING
- Device option name
- --opt-value=STRING
- Device option value
- --in=STRING
- Input data (filename) (default=`-')
- --out=STRING
- Output data (filename) (default=`-')
- --informat=ENUM
- Input format (possible values="default", "base64",
"binary", "PEM", "password",
"hex", "ASCII" default=`default')
- --outformat=ENUM
- Input and output format (possible values="default",
"base64", "binary", "PEM", "hex",
"ASCII" default=`default')
- -f,
--config-file=STRING
- Configuration file to read (default=`')
- -C,
--connector=STRING
- List of connectors to use
- --cacert=STRING
- HTTPS cacert for connector
- --cert=STRING
- HTTPS client certificate to authenticate with
- --key=STRING
- HTTPS client certificate key
- --proxy=STRING
- Proxy server to use for connector
- --noproxy=STRING
- Comma-separated list of hosts to ignore the proxy for
- -v,
--verbose=INT
- Print more information (default=`0')
- -P,
--pre-connect
- Connect immediately in interactive mode (default=off)
- --device-pubkey=STRING
- List of device public keys allowed for asymmetric authentication