Set Algorithm Toggle Option

Note

This option is only available with firmware version 2.2 and higher

The algorithm toggle option is used to enable and disable algorithms. On non-FIPS YubiHSMs, all algorithms are enabled by default but can be disabled individually by setting the algorithm-toggle option.

The syntax of the algorithm-toggle value is C1 V1, C2 V2, ..., Cn Vn, where Ci is the algorithm value and Vi is the option value, expressed in hex. The algorithm values are listed in Algorithms.

The option value can be one of three alternatives:

0x00: Algorithm disabled

0x01: Algorithm enabled

0x02: Algorithm permanently enabled (only possible to turn off through factory reset)

Retrieve Option Status

To check the value of the algorithm-toggle option, use the Get Option command as follows:

$ yubihsm-shell -a get-option --opt-name algorithm-toggle
Using default connector URL: http://localhost:12345
Session keepalive set up to run every 15 seconds
Created session 0
Option value is: 0101020103010401050106010701080109010a010b010c010d010e010f0110011101120113011401150116011701180119011a011b011c011d011e011f0120012101220123012401250126012701280129012a012b012c012d012e012f0130013101320133013401350136013701

The first four characters of the output, 0101, mean that algorithm 0x01 (rsa-pkcs1-sha1) is enabled. The next four characters, 0201, mean that algorithm 0x02 (rsa-pkcs1-sha256) is enabled, and so on.

Set Option Status

When setting the algorithm-toggle option, only the affected algorithms need to be specified. For example, to disable the algorithms rsa2048 (0x09), aes256-ccm-wrap (0x2a) and aes192-yubico-otp (0x27), the command would be:

$ yubihsm-shell -a put-option --opt-name algorithm-toggle --opt-value 09002a002700

Retrieving the option value again would give the output:

0101020103010401050106010701080109000a010b010c010d010e010f0110011101120113011401150116011701180119011a011b011c011d011e011f0120012101220123012401250126012700280129012a002b012c012d012e012f0130013101320133013401350136013701

Note the entries 0900, 2a00 and 2700, which indicate that the algorithms rsa2048, aes256-ccm-wrap and aes192-yubico-otp are now disabled.
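The pair encoding above is easy to handle programmatically, which is useful for auditing a device's algorithm policy or confirming that a put-option changed only what was intended. The following is an added example, not Yubico's code; it assumes only the (algorithm id, state) byte-pair encoding and the three state values described on this page, and uses the two option values quoted above as sample input.

```python
# Added example (not Yubico's code): decode and build YubiHSM
# 'algorithm-toggle' option values using only the encoding described above,
# i.e. hex-encoded (algorithm id, state) byte pairs.
DISABLED, ENABLED, PERMANENT = 0x00, 0x01, 0x02
VALID_STATES = {DISABLED, ENABLED, PERMANENT}


def parse_algorithm_toggle(hex_value: str) -> dict:
    """Decode 'C1 V1 C2 V2 ...' hex into {algorithm_id: state}."""
    # Drop whitespace first: wrapped shell output may break a byte across lines.
    raw = bytes.fromhex("".join(hex_value.split()))
    if len(raw) % 2:
        raise ValueError("value must consist of whole (id, state) pairs")
    states = {}
    for alg, state in zip(raw[::2], raw[1::2]):
        if state not in VALID_STATES:
            raise ValueError(f"algorithm 0x{alg:02x}: unknown state 0x{state:02x}")
        states[alg] = state
    return states


def build_algorithm_toggle(changes: dict) -> str:
    """Encode pairs for put-option; only the algorithms being changed are listed."""
    for alg, state in changes.items():
        if not 0 <= alg <= 0xFF or state not in VALID_STATES:
            raise ValueError(f"invalid pair (0x{alg:02x}, {state})")
    return bytes(b for alg, state in changes.items() for b in (alg, state)).hex()


def changed_algorithms(before: str, after: str) -> dict:
    """{algorithm_id: (old_state, new_state)} for entries that differ, to confirm
    a put-option did only what was intended, or to flag an unexpected change."""
    old, new = parse_algorithm_toggle(before), parse_algorithm_toggle(after)
    return {alg: (old.get(alg), new.get(alg))
            for alg in sorted(set(old) | set(new)) if old.get(alg) != new.get(alg)}


# The two option values quoted on this page: all 55 algorithms enabled, then the
# same device after 'put-option --opt-value 09002a002700' (wrapped as printed).
BEFORE = "".join(f"{alg:02x}01" for alg in range(1, 0x38))
AFTER = ("0101020103010401050106010701080109000a010b010c010d010e010f01100111011201130 "
         "11401150116011701180119011a011b011c011d011e011f0120012101220123012401250126 "
         "012700280129012a002b012c012d012e012f0130013101320133013401350136013701")

if __name__ == "__main__":
    for alg, (was, now) in changed_algorithms(BEFORE, AFTER).items():
        print(f"algorithm 0x{alg:02x}: {was} -> {now}")
```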