.. hsm2-cmd-reference.rst .. _hsm2-cmd-reference-label: ========================== YubiHSM Command Reference ========================== This section contains a list of the commands supported by the YubiHSM 2. .. IMPORTANT:: The YubiHSM 2 is certified at https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3916[FIPS 140-2 Level 3]. The low-level format for each command message and the relative response is provided, together with an example of how that command can be used within the :ref:`hsm2-java-code-signing-label`. .. _hsm2-cmd-open-session-label: OPEN SESSION Command ===================== This command is the combination of sending two commands in sequence to the YubiHSM: * The command to create a session * The command to authenticate the session The user of yubihsm-shell does not need to run these commands separately as that is taken care of by the session open command that uses those two commands behind the scenes. Opens an authenticated session to the device. Subsequent commands can be communicated to the device over this authenticated session. Interactive Mode ----------------- .. code-block:: bash $ yubihsm> session open w:authkey, i:password=- Parameters ~~~~~~~~~~~ * **authkey** Required. Authentication key object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **password** The password used to authenticate the session. The password is prompted for if not specified. Example ~~~~~~~~ Create a new session with Authentication Key 1 using the password ``password``. This does both the session creation and authentication steps. .. code-block:: bash $ yubihsm> session open 1 password Created session 0 Command Line Mode ------------------ A session is automatically created when executing yubihsm-shell commands on the command line. .. _hsm2-cmd-authenticate-session-label: AUTHENTICATE SESSION Command ============================= Complete the mutual authentication process started with :ref:`hsm2-cmd-create-session-label`. **Finish the Session negotiation and authenticate the Session to the device. After this command completes successfully the Session is authenticated and can be used.** Shell Example -------------- Create a new Session with Authentication Key ``1`` using the password ``password``, this performs both the creation and authentication steps. .. code-block:: bash $ yubihsm> session open 1 password Created session 0 Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x04 Lc = 17 Vc = S || B || M where -- ``S`` = Session ID (1 byte) ``B`` = Host Cryptogram (8 bytes) ``M`` = CMAC(S-MAC, 016 || T || Lc + 8 || S || B) (8 bytes) This is the first authenticated message in the chain. The device verifies M and B, both using S-MAC. Response ~~~~~~~~~ .. code-block:: bash Tr = 0x84 Lr = 0 Vr = Ø .. _hsm2-cmd-open-session-asymmetric-label: OPEN SESSION ASYMMETRIC Command ================================ Available with firmware version 2.3.1 or later. Opens an authenticated session to the device using an asymmetric key. The YubiHSM2 and a client should have exchanged public keys earlier. The asymmetric keys are created from the curve EC-P256. A session opened with an asymmetric authentication key does not need to be authenticated separately. The command is immediately usable if the CREATE SESSION command is successful. Subsequent commands can be communicated to the device over this authenticated session. Interactive Mode ------------------- .. code-block:: bash $ yubihsm> open_asym w:authkey,i:privkey=- Parameters ~~~~~~~~~~~ * **authkey** Required. ObjectID of the asymmetric authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal * **privkey** Required. The private key to open the session with Possible Values: Password, path to file or “-“ for stdin Default format: PEM Example ~~~~~~~~ Create a new session with Authentication Key 100 using a private key stored in ```priv.key``. This does both the session creation and authentication steps. .. code-block:: bash $ yubihsm> session open_asym 100 priv.key Created session 0 Command Line Mode ------------------- Asymmetric authentication keys cannot be used in command line mode. Protocol Details ----------------- Command ~~~~~~~~~ .. code-block:: bash Tc = 0x03 Lc = 67 Vc = I || K Where -- ``I`` = Key ID of an asymmetric authentication key (2 bytes) ``K`` = Ephemeral client public key (65 bytes) On success the device generates a Session ID ``S`` (1 byte) and sets the message counter for the current Session to ``1``. The error ERROR_INV_DATA if ``K`` is not a valid EC-P256 key. Response ~~~~~~~~~~ .. code-block:: bash Tr = 0x83 Lr = 82 Vr = S || Kd || R Where -- ``S`` = Session ID (1 bytes) ``Kd`` = Ephemeral device public key (65 bytes) ``R`` = Recipient (16 bytes) .. _hsm2-cmd-blink-device-label: BLINK DEVICE Command ===================== Blink the LED of the device to identify it. This device must be sent over an authenticated session. Shell Example -------------- Blink the device for 15 seconds. .. code-block:: bash $ yubihsm> blink 0 15 Interactive Mode ----------------- .. code-block:: bash $ yubihsm> blink e:session, b:seconds=10 Parameters ~~~~~~~~~~~ * **seconds** Number of seconds to blink. Default Value: 10 * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Blink the device for ``15`` seconds. .. code-block:: bash $ yubihsm> blink 0 15 Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a blink-device [ --authkey -p --duration ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **--duration=INT** Number of seconds to blink. Default Value: 10 * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password is prompted for if not specified. Example ~~~~~~~~ Blink the device for 15 seconds. .. code-block:: bash $ yubihsm-shell -a blink-device --duration 15 Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x6b Lc = 1 Vc = S where -- ``S`` = Seconds to blink for (1 byte) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xeb Lr = 0 Vr = Ø .. _hsm2-cmd-change-asymmetric-auth-key-label: CHANGE ASYMMETRIC AUTHENTICATION KEY Command ============================================= Available with firmware version 2.3.1 or later. Replace the Asymmetric Authentication Key used to establish the current Session. It is not possible to modify any of the metadata connected to the Object such as Domains or Capabilities. Only the public key will be modified. This command must be sent over an authenticated session. Interactive Mode ----------------- .. code-block:: bash $ yubihsm> change authkey_asym e:session,w:key_id,i:pubkey=- Parameters ~~~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. ObjectID of the authentication key used to open the current session and whose public key will be changed. Object ID is a 2 bytes integer. Can be specified in hex or decimal * **pubkey** The new public key. * When using stdin, click CTRL-D to mark end of input. * Input format for a password string is ``password``. * If ``password`` format is used, the tool will derive an ec-p256 private key from the input string and calculate the public key from that. The private key is not used for anything else. Possible Values: File containing the client’s public key as an uncompressed ec-p256 public key, ``password`` or ``-`` for stdin Default Value: stdin Possible Format for public key file: PEM, HEX, binary Default format: PEM Example ~~~~~~~~ Change the current Asymmetric Authentication Key to ``newkey.pub``: .. code-block:: bash $ yubihsm> change authkey_asym 0 100 newkey.pub Changed Authentication key 0x0064 Command Line Mode ------------------ This command is not available in command line mode. Protocol Details ----------------- Command ~~~~~~~~~~ .. code-block:: bash Tc = 0x6c Lc = 2 + 1 + 16 + 16 Vc = I || A || Key Replace the currently used Authentication Key with a new set of keys. Where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the Authentication Key (2 bytes) ``A`` = :ref:`hsm2-concepts-algorithms-label` (1 byte) (ec-p256-yubico-authentication = 0x31) ``Key`` = Uncompressed EC-P256 public key (64 bytes) Response ~~~~~~~~~~ .. code-block:: bash Tr = 0xec Lr = 2 Vr = I Where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the changed Object (2 bytes) .. Note:: This command returns ERROR_INV_DATA if Key is not a valid EC-P256 key. .. _hsm2-cmd-change-auth-key-label: CHANGE AUTHENTICATION KEY Command =================================== Available with firmware version 2.2.0 or later. Replace the Authentication Key used to establish the current Session. It is not possible to modify any of the metadata connected to the Object such as Domains or Capabilities. Only the payload data of the Object (for example, the long-lived symmetric keys) will be modified. The same ``PBKDF2`` derivation scheme described in :ref:`hsm2-concepts-session-label` is available. This device must be sent over an authenticated session. Shell Example -------------- Change the current Authentication Key deriving it from the password ``newpassword``. .. code-block:: bash $ yubihsm> change authkey 0 1 newpassword Changed Authentication key 0x0001 Interactive Mode ----------------- .. code-block:: bash $ yubihsm> change authkey e:session, w:key_id, i:password=- Parameters ~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. The ObjectID of the authentication key used to open the current session and whose password will be changed. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **password** The new password for ``key_id``. The password is prompted for if not specified. Example ~~~~~~~~ Change the current Authentication Key deriving it from the password ``newpassword``. .. code-block:: bash $ yubihsm> change authkey 0 1 newpassword Changed Authentication key 0x0001 Command Line Mode ------------------ This command is not available in command line mode. Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x6c Lc = 2 + 1 + 16 + 16 Vc = I || A || Ke || Km Replace the currently used Authentication Key with a new set of keys. where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the Authentication Key (2 bytes) ``A`` = :ref:`hsm2-concepts-algorithms-label` (1 byte) ``Ke`` = Encryption Key (16 bytes) ``Km`` = Mac Key (16 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xec Lr = 2 Vr = I where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the changed Object (2 bytes) .. _hsm2-cmd-close-session-label: CLOSE SESSION Command ====================== Close the current :ref:`hsm2-concepts-session-label` and release it for re-use. This device must be sent over an authenticated session. Shell Example -------------- Close Session 0. .. code-block:: bash $ yubihsm> session close 0 Interactive Mode ----------------- .. code-block:: bash $ yubihsm> session close e:session Parameters ~~~~~~~~~~~ **session** Required. The ID of the session to close. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Close Session ``0``. .. code-block:: bash $ yubihsm> session close 0 Command Line Mode ------------------ This command does not need to be run separately on the command line. The session will automatically close after the command has been executed. Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x40 Lc = 0 Vc = Ø Response ~~~~~~~~~ .. code-block:: bash Tr = 0xc0 Lr = 0 Vr = Ø .. _hsm2-cmd-create-otp-aead-label: CREATE OTP AEAD Command ========================= Create a Yubico OTP AEAD using the provided data. This device must be sent over an authenticated session. Shell Example -------------- Create a new AEAD using Otp-aead Key ``0x027c`` with the key ``000102030405060708090a0b0c0d0e0f`` and private ID ``010203040506``. Store the result in the file ``aead``. .. code-block:: bash $ yubihsm> otp aead_create 0 0x027c 000102030405060708090a0b0c0d0e0f 010203040506 aead Interactive Mode ----------------- .. code-block:: bash $ yubihsm> otp aead_create e:session, w:key_id, i:key, i:private_id, F:aead Parameters ~~~~~~~~~~~ * **aead** Required. The file to store the Yubico OTP AEAD. Default input format: hex * **key** Required. The key used to create the Yubico OTP AEAD. * **key_id** Required. OTP AEAD key object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **private_id** Required. The private ID used to create the Yubico OTP AEAD. * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Create a new AEAD using Otp-aead Key ``0x027c`` with the key ``000102030405060708090a0b0c0d0e0f`` and private ID ``010203040506``. Store the result in the file ``aead``. .. code-block:: bash $ yubihsm> otp aead_create 0 0x027c 000102030405060708090a0b0c0d0e0f 010203040506 aead Command Line Mode ------------------ This command is not available in command line mode. Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x61 Lc = 24 Vc = I || K || P where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the OTP AEAD Key (2 bytes) ``K`` = OTP Key (16 bytes) ``P`` = OTP Private ID (6 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xe1 Lr = LA Vr = A where -- ``A`` = Nonce concatenated with AEAD (36 bytes) .. _hsm2-cmd-create-session-label: CREATE SESSION Command ======================= Begin the mutual authentication process for establishing a :ref:`hsm2-concepts-session-label`. Start negotiating a Session with the device. This command tells the device which Authentication Key to use and sends the host challenge part. The response contains the device challenge and device authentication part. To establish the session continue with :ref:`hsm2-cmd-authenticate-session-label`. Shell Example -------------- Create a new session with Authentication Key ``1`` using the password ``password``. This does both the session creation and authentication steps. .. code-block:: bash $ yubihsm> session open 1 password Created session 0 Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x03 Lc = 10 Vc = I || H where -- ``I`` = Key set ID (2 bytes) ``H`` = Host Challenge (8 bytes) The device generates a random Card Challenge C (8 bytes). The device derives three Session Keys (S-ENC, S-MAC and S-RMAC) starting from the set of two static keys identified by I (K-ENC and K-MAC) and the two challenges H and C, using the same procedure described in SCP03. The device uses S-MAC together with H and C to compute the Card Cryptogram A. The host will compute the Host Cryptogram B after having received C and derived S-MAC. On success the device generates a Session ID S (1 byte) and sets the message counter for the current Session to 1. Response ~~~~~~~~~ .. code-block:: bash Tr = 0x83 Lr = 17 Vr = S || C || A .. _hsm2-cmd-decrypt-cbc-label: DECRYPT CBC Command ===================== Available with firmware version 2.3.1 or later. Decrypt data in CBC mode. Interactive Mode ----------------- .. code-block:: bash $ yubihsm> decrypt aescbc e:session,w:key_id,s:iv,i:data=- Parameters ~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. Object ID of the symmetric key to decrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **iv** Required. Encryption initialization vector. 16 bytes in HEX format. * **data** Data to decrypt. When using stdin, the end of input is marked with CTRL-D. Possible Values: Data or “-” for stdin Default Value: stdin Input format: PEM Output format: HEX Example ~~~~~~~~ Decrypt data using key ``0x0064``: .. code-block:: bash $ yubihsm> decrypt aescbc 0 0x0064 00000000000000000000000000000000 SG0OU4CT2pH2dnd967KyTU5OgdJ8edxJjOf3Yt52gGQ= c5cffa1c2333fd824a86951cf602bca1 Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a decrypt-aescbc -i --iv [--in --out --authkey -p ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password will be prompted for if not specified. * **-i, --object-id=SHORT** Required. Object ID of the symmetric key to decrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **--iv=STRING** Required. Encryption initialization vector. 16 bytes in HEX format. * **--in=STRING** Data to decrypt. Multiple of 16 bytes. When using stdin, the end of input is marked with CTRL-D. Possible Values: data or stdin Default Value: stdin Input format: Binary * **--out=STRING** Decrypted data. Possible Valued: Path to file or stdout Default Value: stdout Output format: HEX Example ~~~~~~~~~ Decrypt data using key 0x0064: .. code-block:: bash $ yubihsm-shell -a decrypt-aescbc -i 0x0064 --iv 00000000000000000000000000000000 --in data.enc c5cffa1c2333fd824a86951cf602bca1 Protocol Details ----------------- Command ~~~~~~~~~ .. code-block:: bash Tc = 0x71 Lc = 2 + 16 + LE Vc = I || V || E Where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the symmetric key (2 bytes) ``V`` = Encryption initialization vector (IV) in HEX (16 bytes) ``E`` = Data to decrypt Response ~~~~~~~~~ .. code-block:: bash Tr = 0xf1 Lr = LD Vr = D Where -- ``D`` = Decrypted data .. _hsm2-cmd-decrypt-ecb-label: DECRYPT ECB Command ==================== Available with firmware version 2.3.1 or later. Decrypt data in ECB mode. Interactive Mode ----------------- .. code-block:: bash $ yubihsm> decrypt aesecb e:session,w:key_id,i:data=- Parameters ~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. Object ID of the symmetric key to decrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **data** Data to decrypt. When using stdin, the end of input is marked with CTRL-D. Possible Values: Data to sign or “-” for stdin Default Value: stdin Input format: PEM Output format: HEX Example ~~~~~~~~ Decrypt data using key ``0x0064``: .. code-block:: bash $ yubihsm> decrypt aesecb 0 0x0064 SG0OU4CT2pH2dnd967KyTQSIdJILAhWsmhdFIkHAZMQ= c5cffa1c2333fd824a86951cf602bca1 Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a decrypt-aesecb -i [--in --out --authkey -p ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password will be prompted for if not specified. * **-i, --object-id=SHORT** Required. Object ID of the symmetric key to decrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal * **--in=STRING** Data to decrypt. Multiple of 16 bytes. When using stdin, the end of input is marked with CTRL-D. Possible Values: data or stdin Default Value: stdin Input format: Binary * **--out=STRING** Decrypted dat. Possible Values: Path to file or stdout Default Value: stdout Output format: HEX Example ~~~~~~~~ Decrypt data using key ``0x0064``: .. code-block:: bash $ yubihsm-shell -a decrypt-aesecb -i 0x0064 --in data.enc c5cffa1c2333fd824a86951cf602bca1 Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x6f Lc = 2 + LE Vc = I || E Where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the symmetric key (2 bytes) ``D`` = Data to decrypt Response ~~~~~~~~~ .. code-block:: bash Tr = 0xef Lr = LD Vr = D Where -- ``D`` = Decrypted data .. _hsm2-cmd-decrypt-oaep-label: DECRYPT OAEP Command ===================== Decrypt data encrypted with RSA-OAEP. Example ----------------- Decrypt data stored in file ``enc`` using key ``0x79c3``: .. code-block:: bash yubihsm> decrypt oaep 0 0x79c3 rsa-oaep-sha1 enc xlwIc7yQf/KkV5v4Y87Q9ZSqLReoNAxlCmmMPA4W08U= Protocol Details ----------------- Command ~~~~~~~~~ .. code-block:: bash T~c~ = 0x59 L~c~ = 2 + 1 + L~D~ + L~H~ V~c~ = I \|\| M \|\| D \|\| H~l~ Where -- ``I`` = link:../Concepts/Object_ID.adoc[Object ID] of the Asymmetric Key (2 bytes) ``M`` = Hash link:../Concepts/Algorithms.adoc[Algorithm] to use for MGF1 (1 byte) ``D`` = Decryption data (256, 384 or 512 bytes) ``H~l~`` = Hash of OAEP Label (20, 32, 48 or 64 bytes) Response ~~~~~~~~~ .. code-block:: bash T~r~ = 0xc9 L~r~ = L~R~ V~r~ = R Where -- ``R`` = Decrypted data with OAEP padding removed .. _hsm2-cmd-decrypt-otp-label: DECRYPT OTP Command ==================== Decrypt a Yubico OTP and return counters and timer information. Shell Example -------------- Decrypt a (hex encoded) Yubico OTP using key ID ``0x027c``. .. code-block:: bash $ yubihsm> otp decrypt 0 0x027c 2f5d71a4915dec304aa13ccf97bb0dbb aead OTP decoded, useCtr:1, sessionCtr:1, tstph:1, tstpl:1 Interactive Mode ----------------- .. code-block:: bash $ yubihsm> otp decrypt e:session, w:key_id, s:otp, i:aead Parameters ~~~~~~~~~~~ * **aead** Required. Nonce concatenated with AEAD (36 bytes). Possible Values: Path to file containing the AEAD Default format: binary * **key_id** Required. OTP AEAD key Object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **otp** Required. OTP to decrypt. Possible Values: rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384, rsa-oaep-sha512 * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Decrypt a (hex encoded) Yubico OTP using key ID ``0x027c``. .. code-block:: bash $ yubihsm> otp decrypt 0 0x027c 2f5d71a4915dec304aa13ccf97bb0dbb aead OTP decoded, useCtr:1, sessionCtr:1, tstph:1, tstpl:1 Command Line Mode ------------------ This command is not available in command line mode. Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x60 Lc = 2 + 36 + 16 Vc = K || A || O where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the OTP AEAD Key (2 bytes) ``A`` = Nonce concatenated with AEAD (36 bytes) ``O`` = OTP (16 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xe0 Lr = 6 Vr = S || U || Th || Tl where -- ``S`` = Session counter (2 bytes) ``U`` = Usage counter (1 byte) ``Th`` = Timestamp high (1 byte) ``Tl`` = Timestamp low (2 bytes) .. _hsm2-cmd-decrypt-pkcs1-label: DECRYPT PKCS1 Command ====================== Decrypt data encrypted with RSA-PKCS#1v1.5. Shell Example -------------- Decrypt the file ``enc`` using key ``0xa930``. .. code-block:: bash $ yubihsm> decrypt pkcs1v1_5 0 0xa930 enc xlwIc7yQf/KkV5v4Y87Q9ZSqLReoNAxlCmmMPA4W08U= Interactive Mode ----------------- .. code-block:: bash $ yubihsm> decrypt pkcs1v1_5 e:session, w:key_id, i:data=- Parameters ~~~~~~~~~~~ * **data** Input data to decrypt. Possible Values: Path to file or '-' for stdin Default Value: stdin Default data format: binary * **key_id** Required. RSA key Object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Decrypt the file ``enc`` using key ``0xa930``. .. code-block:: bash $ yubihsm> decrypt pkcs1v1_5 0 0xa930 enc xlwIc7yQf/KkV5v4Y87Q9ZSqLReoNAxlCmmMPA4W08U= Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a decrypt-pkcs1v15 -i [ --authkey -p --in --out --informat --outformat ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-i, --object-id=SHORT** Required. Object ID or an RSA key. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **--in=STRING** Data to decrypt. Possible Values: Path to file or stdin Default Value: stdin Default data format: binary * **--informat=ENUM** Input data format. Possible Values: base64, binary, PEM, hex * **--out=STRING** Decrypted data. Possible Values: Path to file or stdout Default Value: stdout Default data format: binary * **--outformat=ENUM** Output data format. Possible Values: base64, binary, PEM, hex * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password is prompted for if not specified. Example ~~~~~~~~ Decrypt data stored in file ``enc`` using key ``0x79c3``. .. code-block:: bash $ yubihsm-shell -a decrypt-pkcs1v15 -i 0x79c3 --in enc xlwIc7yQf/KkV5v4Y87Q9ZSqLReoNAxlCmmMPA4W08U= Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x49 Lc = 2 + LD Vc = I || D where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the Asymmetric Key (2 bytes) ``D`` = Decryption data (256, 384 or 512 bytes) The data is padded using the PKCS#1v1.5 scheme with ``Block Type 2``. The data is decrypted and conformance to the padding scheme must be checked. Padding is then removed and the contained message is returned. Response ~~~~~~~~~ .. code-block:: bash Tr = 0xc9 Lr = LR Vr = R where -- ``R`` = Decrypted data with padding removed. .. _hsm2-cmd-delete-object-label: DELETE OBJECT Command ====================== Delete an Object in the device. Shell Example -------------- Delete Asymmetric Key ``0x52b6``. .. code-block:: bash $ yubihsm> delete 0 0x52b6 asymmetric-key Interactive Mode ----------------- .. code-block:: bash $ yubihsm> delete e:session, w:id, t:type Parameters ~~~~~~~~~~~ * **id** Required. Object ID of the object to delete. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **type** Required. Type of the object to delete. Possible Values: asymmetric-key, authentication-key, hmac-key, opaque, otp-aead-key, template, wrap-key Example ~~~~~~~~ Delete Asymmetric Key ``0x52b6``. .. code-block:: bash $ yubihsm> delete 0 0x52b6 asymmetric-key Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a delete-object -i -t [ --authkey -p ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-i, --object-id=SHORT** Required. Object ID of the object to delete. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password is prompted for if not specified. * **-t, --object-type=STRING** Required. Type of the object to delete. Posssible Values: asymmetric-key, authentication-key, hmac-key, opaque, otp-aead-key, template, wrap-key Example ~~~~~~~~ Delete Asymmetric Key ``0x52b6``. .. code-block:: bash $ yubihsm-shell -a delete-object -i 0x52b6 -t asymmetric-key Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x58 Lc = 2 + 1 Vc = I || T where -- ``I`` = :ref:`hsm2-concepts-objectid-label` (2 bytes) ``T`` = Type, :ref:`hsm2-concepts-objects-label` (1 byte) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xd8 Lr = 0 Vr = Ø .. _hsm2-cmd-derive-ecdh-label: DERIVE ECDH Command ===================== Perform an ECDH key exchange with the private key in the device. Shell Example -------------- Perform an ECDH operation with key ``0x52b6`` and a public key in the file ``pubkey.pem``. .. code-block:: bash $ yubihsm> derive ecdh 0 0x52b6 pubkey.pem 5898516bcb0cb3db89d53471137c2d1c741b8ba6ebf2bb01f4a62d97342e97b2 Interactive Mode ----------------- .. code-block:: bash $ yubihsm> derive ecdh e:session, w:key_id, i:pubkey=- Parameters ~~~~~~~~~~~ * **key_id** Required. Object ID of an EC key. Object ID is a 2 bytes integer. Can be specified in hex or decimal * **pubkey** The public key of another EC key. Possible Values: Path to file or '-' for stdin Default Value: stdin Default data format: PEM * **session** Required. The ID of the authenticated session to send the command over. Possbile Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Perform an ECDH operation with key ``0x52b6`` and a public key in the file ``pubkey.pem``. .. code-block:: bash $ yubihsm> derive ecdh 0 0x52b6 pubkey.pem 5898516bcb0cb3db89d53471137c2d1c741b8ba6ebf2bb01f4a62d97342e97b2 Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a derive-ecdh -i [ --authkey -p --in --out --informat --outformat ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-i, --object-id=SHORT** Required. EC key Object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **--in=STRING** The public key of another EC key. Possible Values: Path to file or stdin Default Value: stdin Default Data Format: PEM * **--informat=ENUM** Format of public key. Possible Values: base64, binary, PEM, hex Default Value: PEM * **--out=STRING** ECDH key. Possible Values: Path to file or stdout Default Value: stdout Default Data Format: PEM * **--outformat=ENUM** Format of ECDH key. Possible Values: base64, binary, PEM, hex Default Value: PEM * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password is prompted for if not specified. Example ~~~~~~~~ Perform an ECDH operation with key ``0x52b6`` and a public key in the file ``pubkey.pem``. .. code-block:: bash $ yubihsm-shell -a derive-ecdh -i 0x52b6 --in pubkey.pem 5898516bcb0cb3db89d53471137c2d1c741b8ba6ebf2bb01f4a62d97342e97b2 Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x57 Lc = 2 + LD Vc = K || D where -- ``I`` = Object ID of the Asymmetric Key (2 bytes) ``D`` = Uncompressed public key to perform the exchange with (57, 65, 97, 129 or 133 bytes) Response ~~~~~~~~~ .. code-block:: bash Tc = 0xd7 Lc = LX Vc = X where -- ``X`` = X coordinate of the completed key exchange .. _hsm2-cmd-device-info-label: DEVICE INFO Command ====================== Gets device version, device serial, supported :ref:`hsm2-concepts-algorithms-label` and available log entries. Shell Example -------------- Fetch device info for currently connected device. .. code-block:: bash $ yubihsm> get deviceinfo Version number: 2.0.0 Serial number: 2000000 Log used: 2/62 Supported algorithms: rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384, rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256, rsa-pss-sha384, rsa-pss-sha512, rsa2048, rsa3072, rsa4096, ecp256, ecp384, ecp521, eck256, ecbp256, ecbp384, ecbp512, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, ecdsa-sha1, ecdh, rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384, rsa-oaep-sha512, aes128-ccm-wrap, opaque-data, opaque-x509-certificate, mgf1-sha1, mgf1-sha256, mgf1-sha384, mgf1-sha512, template-ssh, aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp, aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap, ecdsa-sha256, ecdsa-sha384, ecdsa-sha512, ed25519, ecp224, Interactive Mode ----------------- .. code-block:: bash $ yubihsm> get deviceinfo Example ~~~~~~~~ Fetch device info for currently connected device. .. code-block:: bash $ yubihsm> get deviceinfo Version number: 2.0.0 Serial number: 2000000 Log used: 2/62 Supported algorithms: rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384, rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256, rsa-pss-sha384, rsa-pss-sha512, rsa2048, rsa3072, rsa4096, ecp256, ecp384, ecp521, eck256, ecbp256, ecbp384, ecbp512, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, ecdsa-sha1, ecdh, rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384, rsa-oaep-sha512, aes128-ccm-wrap, opaque-data, opaque-x509-certificate, mgf1-sha1, mgf1-sha256, mgf1-sha384, mgf1-sha512, template-ssh, aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp, aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap, ecdsa-sha256, ecdsa-sha384, ecdsa-sha512, ed25519, ecp224 Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a get-device-info Example ~~~~~~~~ Fetch device info for currently connected device. .. code-block:: bash $ yubihsm-shell -a get-device-info Version number: 2.0.0 Serial number: 2000000 Log used: 2/62 Supported algorithms: rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384, rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256, rsa-pss-sha384, rsa-pss-sha512, rsa2048, rsa3072, rsa4096, ecp256, ecp384, ecp521, eck256, ecbp256, ecbp384, ecbp512, hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512, ecdsa-sha1, ecdh, rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384, rsa-oaep-sha512, aes128-ccm-wrap, opaque-data, opaque-x509-certificate, mgf1-sha1, mgf1-sha256, mgf1-sha384, mgf1-sha512, template-ssh, aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp, aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap, ecdsa-sha256, ecdsa-sha384, ecdsa-sha512, ed25519, ecp224 Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x06 Lc = 0 Vc = Ø Response ~~~~~~~~~ .. code-block:: bash Tr = 0x86 Lr = 9 + algorithms Vr = VMajor || VMinor || VBuild || S || Ltotal || Lused || A where -- ``VMajor`` = Major version number (1 byte) ``VMinor`` = Minor version number (1 byte) ``VBuild`` = Build version number (1 byte) ``S`` = Serial number (4 bytes) ``Ltotal`` = Log Store size expressed in number of log entries (1 byte) ``Lused`` = Log lines used (1 byte) ``A`` = List of supported :ref:`hsm2-concepts-algorithms-label` .. _hsm2-cmd-echo-label: ECHO Command ================ Return the byte sequence present within the data field, without any modification. Can be sent over an encrypted Session or as a bare command. Shell Example -------------- Plain echo ~~~~~~~~~~~~ .. code-block:: bash $ yubihsm> plain echo 0x3c 10 Response (10 bytes): 3c3c3c3c3c3c3c3c 3c3c Echo over session 0 ~~~~~~~~~~~~~~~~~~~~ .. code-block:: bash $ yubihsm> echo 0 0x3c 10 Response (10 bytes): 3c3c3c3c3c3c3c3c 3c3c Interactive Mode ----------------- Over Encrypted Session ~~~~~~~~~~~~~~~~~~~~~~~ .. code-block:: bash $ yubihsm> echo e:session, b:byte, w:count Bare Command ~~~~~~~~~~~~~ .. code-block:: bash $ yubihsm> plain echo b:byte, w:count Parameters ~~~~~~~~~~~ * **byte** Required. The byte to be echoed. * **count** Required. How many times the byte will be echoed. * **session** The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 Example ~~~~~~~~ Echo over session 0 ~~~~~~~~~~~~~~~~~~~~~ .. code-block:: bash $ yubihsm> echo 0 0x3c 10 Response (10 bytes): 33c3c3c3c3c3c3c3c 3c3c Plain echo ~~~~~~~~~~~~ .. code-block:: bash $ yubihsm> plain echo 0x3c 10 Response (10 bytes): 3c3c3c3c3c3c3c3c 3c3c Command Line Mode ------------------ This command is not available in the command line mode. Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x01 Lc = LE Vc = E where -- ``E`` = Data to echo (1-2021 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0x81 Lr = LE Vr = E where -- ``E`` = Data to echo (1-2021 bytes) .. _hsm2-cmd-excrypt-cbc-label: ENCRYPT CBC Command ==================== Available with firmware version 2.3.1 or later. Encrypt data in CBC mode. Interactive Mode ----------------- .. code-block:: bash $ yubihsm> encrypt aescbc e:session,w:key_id,s:iv,i:data=- Parameters ~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. Object ID of the symmetric key to encrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **iv** Required. Encryption initialization vector. 16 bytes in HEX format. * **data** Data to encrypt. Multiple of 16 bytes. When using stdin, the end of input is marked with CTRL-D. Possible Values: Data or “-” for stdin Default Value: stdin Input format: HEX Output format: PEM Example ~~~~~~~~~ Encrypt data using key 0x008c: .. code-block:: bash $ yubihsm> encrypt aescbc 0 0x008c 00000000000000000000000000000000 c5cffa1c2333fd824a86951cf602bca1 SG0OU4CT2pH2dnd967KyTU5OgdJ8edxJjOf3Yt52gGQ= Command Line Mode ------------------- .. code-block:: bash $ yubihsm-shell -a encrypt-aescbc -i --iv [--in --out --authkey -p ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password will be prompted for if not specified. * **-i, --object-id=SHORT** Required. Object ID of the symmetric key to encrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **--iv=STRING** Required. Encryption initialization vector. 16 bytes in HEX format * **--in=STRING** Data to encrypt. Multiple of 16 bytes. When using stdin, the end of input is marked with CTRL-D. Possible Values: data or stdin Default Value: stdin Input format: HEX * **--out=STRING** Encrypted data. Possible Values: Path to file or stdout Default Value: stdout Output format: Binary Example ~~~~~~~~ Encrypt data using key ``0x008c``: .. code-block:: bash $ yubihsm-shell -a encrypt-aescbc -i 0x008c --in c5cffa1c2333fd824a86951cf602bca1 --out data.enc Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x72 Lc = 2 + 16 + LD Vc = I || IV || D Where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the Asymmetric Key (2 bytes) ``IV`` = Encryption initialization vector (IV) in HEX (16 bytes) ``D`` = Data to encrypt (multiple of 16 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xf2 Lr = LE Vr = E Where -- ``E`` = Encrypted data .. _hsm2-cmd-excrypt-ecb-label: ENCRYPT ECB Command ==================== Available with firmware version 2.3.1 or later. Encrypt data in ECB mode. Interactive Mode ----------------- .. code-block:: bash $ yubihsm> encrypt aesecb e:session,w:key_id,i:data=- Parameters ~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. Object ID of the symmetric key to encrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **data** Data to encrypt. Multiple of 16 bytes. When using stdin, the end of input is marked with CTRL-D. Possible Values: Data to sign or “-” for stdin Default Value: stdin Input format: HEX Output format: PEM Example ~~~~~~~~ Encrypt data using key ``0x0064``: .. code-block:: bash $ yubihsm> encrypt aesecb 0 0x0064 c5cffa1c2333fd824a86951cf602bca1 SG0OU4CT2pH2dnd967KyTQSIdJILAhWsmhdFIkHAZMQ= Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a encrypt-aesecb -i [--in --out --authkey -p ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password will be prompted for if not specified. * **-i, --object-id=SHORT** Required. Object ID of the symmetric key to encrypt with. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **--in=STRING** Data to encrypt. Multiple of 16 bytes. When using stdin, the end of input is marked with CTRL-D. Possible Values: data or stdin Default Value: stdin Input format: HEX * **--out=STRING** Encrypted data. Possible Value: Path to file or stdout Default Value: stdout Output format: Binary Example ~~~~~~~~~ Encrypt data using key ``0x0064``: .. code-block:: bash $ yubihsm-shell -a encrypt-aesecb -i 0x0064 --in c5cffa1c2333fd824a86951cf602bca1 --out data.enc Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x70 Lc = 2 + LD Vc = I || D Where -- ``I`` = :ref:`hsm2-concepts-objectid-label` of the symmetric Key (2 bytes) ``D`` = Data to encrypt (multiple of 16 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xf0 Lr = LE Vr = E Where -- ``E`` = Encrypted data .. _hsm2-cmd-export-wrapped-label: EXPORT WRAPPED Command ======================== Retrieves an Object under wrap from the device. The Object is encrypted using AES-CCM with a ``16`` bytes MAC and a ``13`` bytes nonce. Shell Example -------------- Fetch the Asymmetric Key ``0x997e`` encrypted with Wrap Key ``0xcf94`` and store the result in the file ``key.enc``. .. code-block:: bash $ yubihsm> get wrapped 0 0xcf94 asymmetric-key 0x997e key.enc Interactive Mode ----------------- .. code-block:: bash $ yubihsm> get wrapped e:session, w:wrapkey_id, t:type, w:id, F:file=- Parameters ~~~~~~~~~~~ * **file** Encrypted/wrapped object. Possible Values: Path to file or '-' for stdin Default Value: stdin * **id** Required. Object ID of the object to be wrapped. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **type** Required. Type of the object to be wrapped. Possible Values: asymmetric-key, authentication-key, hmac-key, opaque, otp-aead-key, template, wrap-key * **wrapkey_id** Required. Wrap key Object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal Example ~~~~~~~~ Fetch the Asymmetric Key ``0x997e`` encrypted with Wrap Key ``0xcf94`` and store the result in the file ``key.enc``. .. code-block:: bash $ yubihsm> get wrapped 0 0xcf94 asymmetric-key 0x997e key.enc Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a get-wrapped --wrap-id -t -i [ --authkey -p --out ] Parameters ~~~~~~~~~~~ * **--authkey=INT** The ObjectID of the authentication key used to open a session. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Default Value: 1 * **-i, --object-id=SHORT** Required. Object ID of the object to be wrapped. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **--out=STRING** Encrypted/wrapped object. Possible Values: Path to file or stdout Default Value: stdout * **-p, --password=STRING** Required. The password to authentication key used to open a session. The password is prompted for if not specified * **-t, --object-type=STRING** Required. Type of the object to be wrapped. Possible Values: symmetric-key, authentication-key, hmac-key, opaque, otp-aead-key, template, wrap-key * **--wrap-id=INT** Required. Wrap key Object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. Example ~~~~~~~~ Fetch the Asymmetric Key ``0x997e`` encrypted with Wrap Key ``0xcf94`` and store the result in the file ``key.enc``. .. code-block:: bash $ yubihsm-shell -a get-wrapped --wrap-id 0xcf94 -t symmetric-key -i 0x997e --out key.enc Protocol Details ----------------- Command ~~~~~~~~ .. code-block:: bash Tc = 0x4a Lc = 2 + 1 + 2 Vc = Iw || T || Io where -- ``Iw`` = :ref:`hsm2-concepts-objectid-label` of Wrap Key to use (2 bytes) ``T`` = Type, :ref:`hsm2-concepts-objects-label` of Object to wrap (1 byte) ``Io`` = :ref:`hsm2-concepts-objectid-label` of Object to wrap (2 bytes) Response ~~~~~~~~~ .. code-block:: bash Tr = 0xca Lr = 13 + LR Vr = N || R where -- ``N`` = Nonce used for this wrap (13 bytes) ``R`` = Wrapped data (Length dependent on object) .. _hsm2-cmd-gen-aysmmetric-key-label: GENERATE ASYMMETRIC KEY Command ================================= Generate an Asymmetric Key in the device. Shell Example -------------- Generate a new key using ``secp256r1`` in the device. .. code-block:: bash $ yubihsm> generate asymmetric 0 0 eckey 1 sign-ecdsa ecp256 Generated Asymmetric key 0x2846 Interactive Mode ----------------- .. code-block:: bash $ yubihsm> generate asymmetric e:session, w:key_id, s:label, d:domains, c:capabilities, a:algorithm Parameters ~~~~~~~~~~~ * **session** Required. The ID of the authenticated session to send the command over. Possible Values: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 * **key_id** Required. Object ID. Use ``0`` to generate Object ID. Object ID is a 2 bytes integer. Can be specified in hex or decimal. * **label** Required. Key label. Can be empty. Possible Value: Maximum of 40 characters string. * **domains** Required. Domains where the key will be accessible. Use ``all`` to indicate all domains. Multiple domains can be separated by comma ``,`` or colon ``:`` with no spaces between. Possible Values: all,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 * **capabilities** Required. Capabilities of the key. Use ``none`` to include no capability. Multiple capabilities can be separated by comma ``,`` or colon ``:`` with no spaces between. Possible Values: none, sign-pkcs, sign-pss, sign-ecdsa, sign-eddsa, decrypt-pkcs, decrypt-oaep, derive-ecdh, exportable-under-wrap, sign-ssh-certificate, sign-attestation-certificate * **algorithm** Required. Key algorithm. Possible Values: rsa2048, rsa3072, rsa4096, ecp256, ecp384, ecp521, eck256, ecbp256, ecbp384, ecbp512, ed25519, ecp224 Example ~~~~~~~~ Generate a new key using ``secp256r1`` in the device. .. code-block:: bash $ yubihsm> generate asymmetric 0 0 eckey 1 sign-ecdsa ecp256 Generated Asymmetric key 0x2846 Command Line Mode ------------------ .. code-block:: bash $ yubihsm-shell -a generate-asymmetric-key -i -l