.. hsm2-option-algorithm-guide.rst

.. _hsm2-option-algorithm-guide-label:

============================
Set Algorithm Toggle Option
============================

.. Note:: This option is only available with firmware version 2.2 and higher.

The algorithm toggle option is used to enable and disable algorithms. On non-FIPS YubiHSMs, all algorithms are enabled by default but can be disabled individually by setting the ``algorithm-toggle`` option.

The syntax of the ``algorithm-toggle`` value is ``C1 V1, C2 V2, ..., Cn Vn`` where ``Ci`` is the Algorithm value and ``Vi`` is the option value expressed in HEX. The algorithm values can be found in :ref:`hsm2-concepts-algorithms-label`.

The option value can be one of three alternatives:

- 0x00: Algorithm disabled
- 0x01: Algorithm enabled
- 0x02: Algorithm permanently enabled (only possible to turn off through factory reset)

Retrieve Option Status
=======================

To check the value of the ``algorithm-toggle`` option, use the ``Get Option`` command as follows:

.. code-block:: bash

   $ yubihsm-shell -a get-option --opt-name algorithm-toggle
   Using default connector URL: http://localhost:12345
   Session keepalive set up to run every 15 seconds
   Created session 0
   Option value is: 0101020103010401050106010701080109010a010b010c010d010e010f0110011101120113011401150116011701180119011a011b011c011d011e011f0120012101220123012401250126012701280129012a012b012c012d012e012f0130013101320133013401350136013701

The first four characters of the output, ``0101``, mean that algorithm ``0x01`` (``rsa-pkcs1-sha1``) is enabled. The next four characters, ``0201``, mean that algorithm ``0x02`` (``rsa-pkcs1-sha256``) is enabled. And so on.

Set Option Status
=======================

When setting the ``algorithm-toggle`` option, only the affected algorithms need to be specified. For example, to disable the algorithms ``rsa2048`` (``0x09``), ``aes256-ccm-wrap`` (``0x2a``) and ``aes192-yubico-otp`` (``0x27``), the command would be:

.. code-block:: bash

   $ yubihsm-shell -a put-option --opt-name algorithm-toggle --opt-value 09002a002700

Retrieving the option value again would give the output:

01010201030104010501060107010801\ |0900|\ 0a010b010c010d010e010f0110011101120113011401150116011701180119011a011b011c011d01
1e011f012001210122012301240125012601\ |2700|\ 28012901\ |2a00|\ 2b012c012d012e012f0130013101320133013401350136013701

Note the parts in bold text, indicating that the algorithms ``rsa2048``, ``aes256-ccm-wrap`` and ``aes192-yubico-otp`` are now disabled.
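
The pair encoding described above can be decoded, built and checked against a disable policy with a short script. This is an added example, not part of the original guide or of Yubico's tooling; the function names and the ``POLICY`` set are assumptions, and the name table covers only the algorithm values mentioned on this page.

```python
# Added example (not Yubico code): decode, build and audit algorithm-toggle values.
STATES = {0x00: "disabled", 0x01: "enabled", 0x02: "permanently enabled"}

# Only the algorithm values named on this page; see the algorithms reference.
NAMES = {0x01: "rsa-pkcs1-sha1", 0x02: "rsa-pkcs1-sha256", 0x09: "rsa2048",
         0x27: "aes192-yubico-otp", 0x2A: "aes256-ccm-wrap"}


def parse_toggle(hex_value):
    """Decode a get-option hex string into {algorithm value: option value}."""
    raw = bytes.fromhex(hex_value.strip())
    if len(raw) % 2:
        raise ValueError("expected whole (algorithm, option value) byte pairs")
    state = {}
    for algo, value in zip(raw[0::2], raw[1::2]):
        if value not in STATES:
            raise ValueError(f"0x{algo:02x}: unknown option value 0x{value:02x}")
        if algo in state:
            raise ValueError(f"0x{algo:02x}: listed more than once")
        state[algo] = value
    return state


def build_opt_value(changes):
    """Encode {algorithm value: option value} for put-option --opt-value."""
    if any(v not in STATES for v in changes.values()):
        raise ValueError("option value must be 0x00, 0x01 or 0x02")
    return "".join(f"{a:02x}{v:02x}" for a, v in changes.items())


def audit(hex_value, must_be_disabled):
    """Return {name: state} for every policy algorithm that is not disabled."""
    state = parse_toggle(hex_value)
    findings = {}
    for algo in sorted(must_be_disabled):
        value = state.get(algo)  # None: the device did not report it
        if value != 0x00:
            findings[NAMES.get(algo, f"0x{algo:02x}")] = STATES.get(value, "not reported")
    return findings


# Constructed samples matching this page's outputs (0x01..0x37); POLICY is hypothetical.
POLICY = {0x09, 0x27, 0x2A}
BEFORE = "".join(f"{a:02x}01" for a in range(0x01, 0x38))
AFTER = "".join(f"{a:02x}{'00' if a in POLICY else '01'}" for a in range(0x01, 0x38))

if __name__ == "__main__":
    print(build_opt_value(dict.fromkeys(sorted(POLICY), 0)))
    print(audit(BEFORE, POLICY), audit(AFTER, POLICY))
```

An algorithm reported as permanently enabled shows up in the findings with that state, which signals that only a factory reset can bring the device back into line with the policy.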