YubiHSM 2 Shell

The yubihsm-shell tool is the administrative and testing tool used to interact with and configure the YubiHSM 2 device. All the commands supported by the YubiHSM 2 (see the YubiHSM Command Reference) can be issued to the device using the YubiHSM 2 Shell.

The Shell can be invoked in two different ways: interactively, or as a command line tool useful for scripting.

Additional information on the various commands can be obtained with the help command in interactive mode, or by passing the --help argument in command line mode.

Examples of commands can also be found in the YubiHSM Command Reference.

YubiHSM Shell Command Syntax

Commands and subcommands require specific arguments to work. The Shell will return an error message if the command syntax is incorrect, pointing at the first invalid argument.

Arguments have different types. In interactive mode pre-defined values for command types can be tab-completed (Tab Completion does not work on Windows). Command arguments are explained in the table below.

Arg  Type             Description
A    Algorithm        An algorithm in string form (ex: ecp256)
B    Byte             A generic (hex or dec) 8-bit unsigned number
C    Capabilities     A list of Capabilities in either form: hex (ex: 0xffffffffffffffff) or string (ex: sign-pkcs,sign-pss,get-log-entries)
D    Domains          A list of Domains, either in hex (ex: 0xffff) or string form (ex: 3,5,14)
I    Format           A format specifier in string form (ex: base64)
I    Input data       Input data, generally defaults to standard input
U    Number           A generic (hex or dec) unsigned number
O    Option           A device-global option in string form (ex: force-audit)
F    Output filename  Output file name, generally defaults to standard output
E    Session          The ID of an already-established Session
S    String           A generic string (use quotes for strings including white spaces)
T    Type             An Object Type in string form (ex: Asymmetric)
W    Word             A generic (hex or dec) 16-bit unsigned number

Different commands have different default formats. These can be listed by invoking help on a specific command. For example, help sign will display the following message:

pss           Sign data using RSASSA-PSS (default input format: binary)
              e:session,w:key_id,a:algorithm,i:data=-,F:out=-

As can be seen, the default input format is binary. Additionally, arguments that have =- after their type and name (like i:data and F:out in the example above) default to standard input for reading data and to standard output for writing it.
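To show how the argument specification in a help line maps onto the types in the table above, here is an added Python example (not part of yubihsm-shell or Yubico's documentation) that parses a spec such as the one printed by help sign and type-checks a set of values before a script hands them to the shell. The letter-to-type mapping, the numeric bounds and the one-byte session ID are this example's assumptions.

```python
import re
# Argument types from the table above; letter case follows the `help sign` output
# (e:session, w:key_id, i:data, F:out), the rest lowercased (this example's assumption).
ARG_TYPES = {"a": "Algorithm", "b": "Byte", "c": "Capabilities", "d": "Domains",
             "i": "Input data", "u": "Number", "o": "Option", "F": "Output filename",
             "e": "Session", "s": "String", "t": "Type", "w": "Word"}
ARG_RE = re.compile(r"^([A-Za-z]):([A-Za-z0-9_]+)(?:=(.*))?$")
UINT_MAX = {"b": 0xFF, "w": 0xFFFF, "u": 0xFFFFFFFF, "e": 0xFF}  # session id assumed 1 byte

def parse_spec(spec):
    """'e:session,w:key_id,a:algorithm,i:data=-,F:out=-' -> [(letter, name, default)]."""
    out = []
    for item in spec.split(","):
        m = ARG_RE.match(item.strip())
        if not m or m.group(1) not in ARG_TYPES:
            raise ValueError(f"bad argument spec: {item!r}")
        out.append(m.groups())
    return out

def _is_uint(text, limit):  # hex (0x..) or decimal unsigned number, as the table allows
    try:
        return 0 <= int(text, 0) <= limit
    except ValueError:
        return False

def check_value(letter, value):  # error string when value does not fit its type, else None
    if letter in UINT_MAX:
        ok = _is_uint(value, UINT_MAX[letter])
    elif letter in "cd" and value.lower().startswith("0x"):  # hex mask form
        ok = _is_uint(value, 0xFFFF if letter == "d" else 0xFFFFFFFFFFFFFFFF)
    elif letter == "d":  # comma list of domain numbers 1..16
        ok = all(p.isdigit() and 1 <= int(p) <= 16 for p in value.split(","))
    elif letter == "c":  # comma list of capability names
        ok = all(re.fullmatch(r"[a-z0-9-]+", p) for p in value.split(","))
    else:
        ok = value != ""
    return None if ok else f"bad {ARG_TYPES[letter]}: {value!r}"

def check_command(spec, given):
    """Resolve {name: value} against a help-line spec; returns (resolved args, errors)."""
    resolved, errors = {}, []
    for letter, name, default in parse_spec(spec):
        value = given.get(name, default)  # a '-' default means stdin / stdout
        if value is None:
            errors.append(f"missing {letter}:{name} ({ARG_TYPES[letter]})")
        elif (err := check_value(letter, value)):
            errors.append(f"{name}: {err}")
        else:
            resolved[name] = value
    return resolved, errors
```

A script can call check_command with the spec copied from the help output and refuse to run the shell when the error list is non-empty, instead of discovering the first invalid argument only from the device's error message.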

Different levels of debug output can be enabled by using the -v flag in command line mode, or by issuing the debug LEVEL command in interactive mode, where LEVEL is one of all, crypto, error, info, intermediate, none, or raw.

See the YubiHSM Command Reference for examples of yubihsm-shell commands in both interactive and command line mode.