Set Algorithm Toggle Option
Note
This option is only available with firmware version 2.2 and higher
The algorithm toggle option is used to enable and disable algorithms. On non-FIPS YubiHSMs, all algorithms are enabled
by default but can be disabled individually by setting the algorithm-toggle option.
The syntax for the algorithm-toggle value is C1 V1, C2 V2, ..., Cn Vn, where Ci is the algorithm value and Vi
is the option value, both expressed in hex. The algorithm values can be found in Algorithms.
The option value can be one of three alternatives:
0x00: Algorithm disabled
0x01: Algorithm enabled
0x02: Algorithm permanently enabled (only possible to turn off through factory reset)
Retrieve Option Status
To check the value of the algorithm-toggle option, use the Get Option command as follows:
$ yubihsm-shell -a get-option --opt-name algorithm-toggle
Using default connector URL: http://localhost:12345
Session keepalive set up to run every 15 seconds
Created session 0
Option value is: 0101020103010401050106010701080109010a010b010c010d010e010f0110011101120113011401150116011701180119011a011b011c011d011e011f0120012101220123012401250126012701280129012a012b012c012d012e012f0130013101320133013401350136013701
Taking the first four characters of the output, 0101, means that algorithm 0x01 (rsa-pkcs1-sha1) is
enabled. The next four characters, 0201, mean that algorithm 0x02 (rsa-pkcs1-sha256) is enabled, and so on.
Set Option Status
When setting the algorithm-toggle option, only the affected algorithms need to be specified. For example, to disable
the algorithms rsa2048 (0x09), aes256-ccm-wrap (0x2a) and aes192-yubico-otp (0x27), the command
would be:
$ yubihsm-shell -a put-option --opt-name algorithm-toggle --opt-value 09002a002700
Retrieving the option value again would give the output:
01010201030104010501060107010801|0900|0a010b010c010d010e010f0110011101120113011401150116011701180119011a011b011c011d011e011f012001210122012301240125012601|2700|28012901|2a00|2b012c012d012e012f0130013101320133013401350136013701
Note the marked parts (0900, 2700 and 2a00), indicating that the algorithms rsa2048, aes256-ccm-wrap and aes192-yubico-otp
are now disabled.
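Reading a long get-option string by eye is error-prone, so the following added example (not Yubico's code and not part of yubihsm-shell) decodes the (algorithm, value) byte-pair format described above into a table, builds the --opt-value string for put-option from a list of changes, and diffs two option values to show exactly which algorithms changed. The two sample inputs are the get-option outputs shown on this page (marker characters are stripped before parsing); the only algorithm names it knows are the five named on this page, every other id is reported by number only.

```python
"""Decode, build and diff YubiHSM algorithm-toggle option values.

Added example, not Yubico's documentation code. The format is the one
described above: a hex string of (algorithm id, option value) byte pairs.
"""
from typing import Dict, List, Optional, Tuple

# Meaning of the option value byte, as documented for algorithm-toggle.
VALUE_NAMES = {0x00: "disabled", 0x01: "enabled", 0x02: "permanently enabled"}

# Only the algorithm ids named on this page; all others are shown by id.
KNOWN_ALGORITHMS = {
    0x01: "rsa-pkcs1-sha1",
    0x02: "rsa-pkcs1-sha256",
    0x09: "rsa2048",
    0x27: "aes192-yubico-otp",
    0x2a: "aes256-ccm-wrap",
}

# Sample inputs copied from the get-option outputs shown above
# (the second one still carries the page's '|' markers).
BEFORE_HEX = ("0101020103010401050106010701080109010a010b010c010d010e010f01"
              "10011101120113011401150116011701180119011a011b011c011d011e011f01"
              "20012101220123012401250126012701280129012a012b012c012d012e012f01"
              "30013101320133013401350136013701")
AFTER_HEX = ("01010201030104010501060107010801|0900|0a010b010c010d010e010f01"
             "10011101120113011401150116011701180119011a011b011c011d01 1e011f01"
             "2001210122012301240125012601|2700|28012901|2a00|2b012c012d012e012f01"
             "30013101320133013401350136013701")


def parse_algorithm_toggle(hex_value: str) -> Dict[int, int]:
    """Parse a get-option output into {algorithm_id: option_value}.

    Whitespace and '|' markers are dropped so pasted output can be fed in
    directly. Raises ValueError on non-hex input, an odd number of bytes,
    a duplicated id or a value byte outside 0x00..0x02.
    """
    cleaned = "".join(ch for ch in hex_value if ch not in " |\t\n")
    raw = bytes.fromhex(cleaned)  # ValueError on odd length or bad digits
    if len(raw) % 2:
        raise ValueError("value must be a sequence of (id, value) byte pairs")
    toggles: Dict[int, int] = {}
    for alg_id, value in zip(raw[::2], raw[1::2]):
        if value not in VALUE_NAMES:
            raise ValueError(f"algorithm 0x{alg_id:02x}: bad option value 0x{value:02x}")
        if alg_id in toggles:
            raise ValueError(f"algorithm 0x{alg_id:02x} listed twice")
        toggles[alg_id] = value
    return toggles


def build_algorithm_toggle(changes: List[Tuple[int, int]]) -> str:
    """Build the --opt-value string for put-option from (id, value) pairs.

    Only the algorithms being changed are listed, matching the page's example.
    """
    out = bytearray()
    for alg_id, value in changes:
        if not 0 <= alg_id <= 0xFF:
            raise ValueError(f"bad algorithm id {alg_id}")
        if value not in VALUE_NAMES:
            raise ValueError(f"bad option value {value}")
        out += bytes((alg_id, value))
    return out.hex()


def diff_toggles(before: Dict[int, int],
                 after: Dict[int, int]) -> Dict[int, Tuple[Optional[int], int]]:
    """Return {id: (old_value, new_value)} for every algorithm whose value changed."""
    return {a: (before.get(a), v) for a, v in after.items() if before.get(a) != v}


def describe(toggles: Dict[int, int], only_nondefault: bool = True) -> List[str]:
    """Human-readable lines, by default only for algorithms not plainly 'enabled'."""
    lines = []
    for alg_id in sorted(toggles):
        value = toggles[alg_id]
        if only_nondefault and value == 0x01:
            continue
        name = KNOWN_ALGORITHMS.get(alg_id, f"algorithm 0x{alg_id:02x}")
        lines.append(f"0x{alg_id:02x} {name}: {VALUE_NAMES[value]}")
    return lines


if __name__ == "__main__":
    before = parse_algorithm_toggle(BEFORE_HEX)
    after = parse_algorithm_toggle(AFTER_HEX)
    print("put-option value used:", build_algorithm_toggle([(0x09, 0), (0x2a, 0), (0x27, 0)]))
    for line in describe(after):
        print(line)
    print("changed:", {hex(k): v for k, v in diff_toggles(before, after).items()})
```

Run it before and after a put-option to confirm that only the intended ids changed; a value byte other than 0x00, 0x01 or 0x02 in the output is rejected rather than silently mapped, and an id that appears twice is flagged because the meaning of such a string is undefined here.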