Security Domain (SD) Commands
The Security Domain (SD) command described here is a hidden command: it is not shown in the regular command list, but it is listed when you run ykman --full-help.
ykman sd [OPTIONS] COMMAND [ARGS]
Manage the Security Domain (SD) application, which holds keys for Secure Copy Protocol (SCP).
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
Commands
| Command | Description |
|---|---|
| info | List keys in the Security Domain of the YubiKey. |
| keys | Manage SCP keys. |
| reset | Reset all Security Domain data. |
ykman sd info [OPTIONS]
List keys in the Security Domain of the YubiKey.
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
ykman sd keys [OPTIONS] COMMAND [ARGS]
Manage SCP keys.
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
Commands
| Command | Description |
|---|---|
| delete | Delete a key or keyset. |
| export | Export the certificate chain for a key. |
| generate | Generate an asymmetric key pair. |
| import | Import a key or certificate. |
| set-allowlist | Set an allowlist of certificate serial numbers for a key. |
ykman sd keys delete [OPTIONS] KID KVN
Delete the key or keyset with the given Key ID (KID) and Key Version Number (KVN). Set either KID or KVN to 0 to use it as a wildcard: every key matching the other, non-zero value is then deleted, so check the output of ykman sd info before using a wildcard.
Arguments
| Argument | Description |
|---|---|
| KID KVN | Key reference for the key to delete. |
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
| -f, --force | Confirm the action without prompting. |
ykman sd keys export [OPTIONS] KID KVN OUTPUT
Export certificate chain for a key.
Arguments
| Argument | Description |
|---|---|
| KID KVN | Key reference for the certificate chain to output. |
| OUTPUT | File to write the certificate chain to. Use '-' to use stdout. |
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
ykman sd keys generate [OPTIONS] KID KVN PUBLIC-KEY
Generate an asymmetric key pair. The private key is generated on the YubiKey and stored in the slot referenced by KID KVN; it never leaves the device. Only the public key is written out.
Arguments
| Argument | Description |
|---|---|
| KID KVN | Key reference for the new key. |
| PUBLIC-KEY | File to write the generated public key to. Use '-' to use stdout. |
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
| -r, --replace-kvn INTEGER | Replace an existing key of the same type (same KID) that has the given KVN. |
ykman sd keys import [OPTIONS] KID KVN INPUT
Import a key or certificate.
KID 0x01 expects the input to be a “:”-separated triple of K-ENC:K-MAC:K-DEK.
KID 0x11, 0x13, 0x15 expect the input to be a file containing a private key and (optionally) a certificate chain.
KID 0x10, 0x20-0x2F expect the file to contain a CA-KLOC certificate.
Arguments
| Argument | Description |
|---|---|
| KID KVN | Key reference for the new key. |
| INPUT | SCP03 keyset, or input file. Use '-' to read from stdin. |
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |
| -p, --password TEXT | Password used to decrypt the input file, if needed. |
| -r, --replace-kvn INTEGER | Replace an existing key of the same type (same KID) that has the given KVN. |
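The following script is an added example and is not part of ykman or its documentation. It shows what a KID 0x01 import looks like in practice: three fresh keys are generated on the host, checked to be well-formed hex, joined into the K-ENC:K-MAC:K-DEK triple the command expects, saved for the host-side SCP03 client, and imported, optionally replacing an older KVN of the same KID via --replace-kvn (key rotation). The KVN values, the 16-byte (AES-128) key length, the YKMAN_DRY_RUN variable and the keyset file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not ykman's own code: provision a fresh SCP03 keyset (KID 0x01).
# Assumptions: ykman is on PATH, the operator chooses the new KVN (and optionally
# an old KVN to replace), and K-ENC, K-MAC, K-DEK are 16-byte keys (32 hex chars).
set -eu

KEY_BYTES=16   # assumption: AES-128 SCP03 keys

# Print KEY_BYTES random bytes from /dev/urandom as lowercase hex.
gen_key() {
    od -An -tx1 -N"$KEY_BYTES" /dev/urandom | tr -d ' \n'
}

# Succeed only if $1 is exactly KEY_BYTES bytes encoded as hex.
is_hex_key() {
    case "$1" in
        "" | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq $((KEY_BYTES * 2)) ]
}

# Build the ':'-separated K-ENC:K-MAC:K-DEK triple that
# 'ykman sd keys import 0x01 KVN' expects, refusing malformed components.
build_keyset() {
    for k in "$1" "$2" "$3"; do
        is_hex_key "$k" || {
            echo "build_keyset: each key must be $((KEY_BYTES * 2)) hex characters" >&2
            return 1
        }
    done
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# $1: new KVN.  $2 (optional): existing KVN of KID 0x01 to replace.
# The keyset is written to a mode-0600 file for the host-side SCP03 client
# before the import runs. Set YKMAN_DRY_RUN=1 to print the command instead.
provision_scp03() {
    kvn="$1"
    replace="${2:-}"
    keyset=$(build_keyset "$(gen_key)" "$(gen_key)" "$(gen_key)")
    umask 077
    printf '%s\n' "$keyset" > "scp03-kvn-$kvn.keys"   # assumed file name
    set -- sd keys import 0x01 "$kvn"
    if [ -n "$replace" ]; then
        set -- "$@" --replace-kvn "$replace"
    fi
    if [ "${YKMAN_DRY_RUN:-0}" = 1 ]; then
        echo "ykman $* K-ENC:K-MAC:K-DEK (keyset saved in scp03-kvn-$kvn.keys)"
    else
        ykman "$@" "$keyset"
    fi
}

# Usage (after sourcing this file): provision_scp03 0x02          # new KVN 0x02
#                                   provision_scp03 0x03 0x02     # rotate 0x02 to 0x03
```

Two cautions a practitioner should keep in mind. The triple is passed as a command-line argument, so on a shared host it can be read from the process list and may end up in shell history; run provisioning on a trusted workstation and clear the history afterwards. And keep the saved keyset file: the host cannot open an SCP03 session with a keyset it no longer has.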
ykman sd keys set-allowlist [OPTIONS] KID KVN [SERIALS]
Set an allowlist of certificate serial numbers for a key.
Each certificate in the chain presented when authenticating an SCP11a/c session is checked and rejected if its serial number is not in this allowlist.
Arguments
| Argument | Description |
|---|---|
| KID KVN | Key reference for the allowlist to set. |
| SERIALS | Serial numbers of certificates to allow, separated by spaces. |
Options
| Option | Description |
|---|---|
| -h, --help | Show this message and exit. |