Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

yhsm-keystore-unlock(1) [debian man page]

yhsm-keystore-unlock(1) 				      General Commands Manual					   yhsm-keystore-unlock(1)

NAME

       yhsm-keystore-unlock - Unlock the keystore in a YubiHSM

SYNOPSIS

       yhsm-keystore-unlock [options]

DESCRIPTION

       In  versions  of the YubiHSM before 1.0, the YubiHSM could be protected using a 'HSM password'. The YubiHSM would unlock it's cryptographic
       functions if the correct password was given, but it was a simple comparision test.

       In YubiHSM 1.0, the password was changed into an actual key that was used to decrypt the contents of the YubiHSM internal key store,  which
       was then AES-256 encrypted using the new 'Master key' when stored in the device.

       In  YubiHSM  1.0, the option to also require an YubiKey OTP to unlock the keystore was also added. One or more 'Admin YubiKeys' can be con-
       figured in the YubiHSM, and an OTP from one of these must also be provided before the YubiHSM will enable it's cryptographic functions.

       The OTP is simply validated against the non-encrypted internal database (not key store) in the YubiHSM though, but together with a  'Master
       key'  not  stored on the server with the YubiHSM, it provides enhanced security by being a second factor that an attacker can't just inter-
       cept even if the server is compromised.

OPTIONS

       -D, --device
	      device file name (default: /dev/ttyACM0).

       -v, --verbose
	      enable verbose operation.

       --debug
	      enable debug printout, including all data sent to/from YubiHSM.

       --no-otp
	      skip the prompt for an OTP. For use by scripts where no OTP is required and the Master Key is stored on the server with the YubiHSM.

       --stdin
	      read password and/or OTP from stdin rather than prompting for them.  Python prompts does not accept piped input, so this option have
	      to be used to unlock the YubiHSM from a script for example.

EXIT STATUS

       0   YubiHSM keystore successfully unlocked.

       1   Failed to unlock keystore.

BUGS

       Report python-pyhsm/yhsm-keystore-unlock bugs in the issue tracker <https://github.com/Yubico/python-pyhsm/issues/>

SEE ALSO

       The python-pyhsm home page <https://github.com/Yubico/python-pyhsm/>

       YubiHSMs can be obtained from Yubico <http://www.yubico.com/>.

python-pyhsm							   December 2011					   yhsm-keystore-unlock(1)

Check Out this Related Man Page

yhsm-yubikey-ksm(1)					      General Commands Manual					       yhsm-yubikey-ksm(1)

NAME

       yhsm-yubikey-ksm - Decrypt YubiKey OTPs using an attached YubiHSM

SYNOPSIS

       yhsm-yubikey-ksm --key-handles ...  [options]

DESCRIPTION

       This is a small network server with a REST-like API that decodes YubiKey OTPs.

       It can be used as a decryption backend (Key Storage Module) to a validation service such as the YubiCloud.

       The AES keys of the YubiKeys must be present as AEAD files decryptable to the attached YubiHSM. Such AEADs can for example be created using
       yhsm-import-keys(1).

       Note that this daemon is single threaded - it will only handle a single request at once.  A request timeout is therefor most important.

OPTIONS

       -D, --device
	      device file name (default: /dev/ttyACM0)

       -v, --verbose
	      enable verbose operation

       --debug
	      enable debug printout, including all data sent to/from YubiHSM

       --U, --serve-url base
	      base of URL for decrypt web service (default: /yhsm/validate?)

       --port num
	      port to listen on (default: 8002)

       --addr addr
	      address to bind to (default: 127.0.0.1)

       --key-handles kh, --key-handle kh
	      key handles to use for decoding OTPs. Examples : "1", "0xabcd".

       --aead-dir dir, -B dir
	      base directory for AEADs (default: /var/cache/yubikey-ksm/aeads)

       --reqtimeout num
	      number of seconds before a request times out (default: 5)

       --pid-file fn
	      write process id of server to this file

BUGS

       Report python-pyhsm/yhsm-yubikey-ksm bugs in the issue tracker <https://github.com/Yubico/python-pyhsm/issues/>

SEE ALSO

       The python-yubico home page <https://github.com/Yubico/python-pyhsm/>

       YubiHSMs can be obtained from Yubico <http://www.yubico.com/>.

python-pyhsm							   December 2011					       yhsm-yubikey-ksm(1)
Man Page