yubihsm-shell - Man Page

manual page for yubihsm-shell 2.6.0

Synopsis

yubihsm-shell [OPTION]...

Description

-h,  --help

Print help and exit

-V,  --version

Print version and exit

-a,  --action=ENUM

Action to perform  (possible values="benchmark", "blink-device", "create-otp-aead", "decrypt-aesccm", "decrypt-aescbc", "decrypt-aesecb", "decrypt-oaep", "decrypt-otp", "decrypt-pkcs1v15", "delete-object", "derive-ecdh", "encrypt-aesccm", "encrypt-aescbc", "encrypt-aesecb", "generate-asymmetric-key", "generate-hmac-key", "generate-otp-aead-key", "generate-wrap-key", "generate-symmetric-key", "get-device-info", "get-logs", "get-object-info", "get-opaque", "get-option", "get-pseudo-random", "get-public-key", "get-storage-info", "get-template", "get-wrapped", "get-rsa-wrapped", "get-rsa-wrapped-key", "get-device-pubkey", "list-objects", "put-asymmetric-key", "put-authentication-key", "put-hmac-key", "put-opaque", "put-option", "put-otp-aead-key", "put-symmetric-key", "put-template", "put-wrap-key", "put-rsa-wrapkey", "put-public-wrapkey", "put-wrapped", "put-rsa-wrapped", "put-rsa-wrapped-key", "randomize-otp-aead", "reset", "set-log-index", "sign-attestation-certificate", "sign-ecdsa", "sign-eddsa", "sign-hmac", "sign-pkcs1v15", "sign-pss", "sign-ssh-certificate")

-p,  --password=STRING

Authentication password

--authkey=INT

Authentication key  (default=`1')

-i,  --object-id=SHORT

Object ID  (default=`0')

-l,  --label=STRING

Object label  (default=`')

-d,  --domains=STRING

Object domains (default=`1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16')

-c,  --capabilities=STRING

Capabilities for an object  (default=`0')

-t,  --object-type=STRING

Object type  (default=`any')

-y,  --ykhsmauth-label=STRING

Credential label on YubiKey (implicitly enables ykhsmauth)

-r,  --ykhsmauth-reader=STRING

Only use a matching YubiKey reader name  (default=`')

--delegated=STRING

Delegated capabilities  (default=`0')

--new-password=STRING

New authentication password

-A,  --algorithm=STRING

Operation algorithm  (default=`any')

--oaep=STRING

OAEP algorithm. Used primarily with asymmetric wrap  (default=`rsa-oaep-sha256')

--mgf1=STRING

MGF1 algorithm. Used primarily with asymmetric wrap  (default=`mgf1-sha256')

--nonce=INT

OTP nonce

--iv=STRING

An initialization vector as a hexadecimal string

--count=INT

Number of bytes to request  (default=`256')

--duration=INT

Blink duration in seconds  (default=`10')

--wrap-id=INT

Wrap key ID

--include-seed

Include seed when exporting an ED25519 key under wrap  (default=off)

--template-id=INT

Template ID

--attestation-id=INT

Attestation ID

--log-index=INT

Log index

--opt-name=STRING

Device option name

--opt-value=STRING

Device option value

--in=STRING

Input data (filename)  (default=`-')

--out=STRING

Output data (filename)  (default=`-')

--informat=ENUM

Input format  (possible values="default", "base64", "binary", "PEM", "password", "hex", "ASCII" default=`default')

--outformat=ENUM

Input and output format  (possible values="default", "base64", "binary", "PEM", "hex", "ASCII" default=`default')

-f,  --config-file=STRING

Configuration file to read  (default=`')

-C,  --connector=STRING

List of connectors to use

--cacert=STRING

HTTPS cacert for connector

--cert=STRING

HTTPS client certificate to authenticate with

--key=STRING

HTTPS client certificate key

--proxy=STRING

Proxy server to use for connector

--noproxy=STRING

Comma-separated list of hosts to ignore the proxy for

-v,  --verbose=INT

Print more information  (default=`0')

-P,  --pre-connect

Connect immediately in interactive mode (default=off)

--device-pubkey=STRING

List of device public keys allowed for asymmetric authentication

Info

September 2024 yubihsm-shell 2.6.0