.. OpenPGP_Commands.rst

.. _openpgp-commands-label:

================
OpenPGP Commands
================

Acronyms and their definitions are listed at the bottom of the :ref:`base-commands-label` page.

ykman openpgp [OPTIONS] COMMAND [ARGS]...
=========================================

Manage OpenPGP Application.

Examples
--------

**Set the retries** for PIN, Reset Code and Admin PIN to 10:

.. code-block::

   $ ykman openpgp access set-retries 10 10 10

**Require touch** to use the authentication key:

.. code-block::

   $ ykman openpgp keys set-touch aut on

Options
-------

.. table::

   +----------------+----------------------------------------------------------+
   | Option         | Description                                              |
   +================+==========================================================+
   | ``-h, --help`` | Show this message and exit.                              |
   +----------------+----------------------------------------------------------+

Commands
--------

.. table::

   +------------------+--------------------------------------------------------+
   | Command          | Description                                            |
   +==================+========================================================+
   | ``access``       | Manage PIN, Reset Code, and Admin PIN.                 |
   +------------------+--------------------------------------------------------+
   | ``certificates`` | Manage certificates.                                   |
   +------------------+--------------------------------------------------------+
   | ``info``         | Display general status of the OpenPGP application.     |
   +------------------+--------------------------------------------------------+
   | ``keys``         | Manage private keys.                                   |
   +------------------+--------------------------------------------------------+
   | ``reset``        | Reset all OpenPGP data.                                |
   +------------------+--------------------------------------------------------+

ykman openpgp access [OPTIONS] COMMAND [ARGS]...
=================================================

Manage PIN, Reset Code and Admin PIN.

Options
-------

.. table::

   +------------------+--------------------------------------------------------+
   | Option           | Description                                            |
   +==================+========================================================+
   | ``-h, --help``   | Show this message and exit.                            |
   +------------------+--------------------------------------------------------+

Commands
--------

.. table::

   +------------------+--------------------------------------------------------+
   | Command          | Description                                            |
   +==================+========================================================+
   | ``set-retries``  | Set PIN, Reset Code and Admin PIN retries.             |
   +------------------+--------------------------------------------------------+

ykman openpgp access set-retries [OPTIONS] PIN-RETRIES RESET-CODE-RETRIES ADMIN-PIN-RETRIES
=============================================================================================

Set PIN, Reset Code and Admin PIN retries.

Arguments
---------

.. table::

   +------------------------+--------------------------------------------------+
   | Argument               | Description                                      |
   +========================+==================================================+
   | ``PIN-RETRIES``        | Set number of retries for PIN attempts.          |
   +------------------------+--------------------------------------------------+
   | ``RESET-CODE-RETRIES`` | Set number of retries for RESET CODE attempts.   |
   +------------------------+--------------------------------------------------+
   | ``ADMIN-PIN-RETRIES``  | Set number of retries for ADMIN PIN attempts.    |
   +------------------------+--------------------------------------------------+

Options
-------

.. table::

   +---------------------------+-----------------------------------------------+
   | Option                    | Description                                   |
   +===========================+===============================================+
   | ``-h, --help``            | Show this message and exit.                   |
   +---------------------------+-----------------------------------------------+
   | ``-a, --admin-pin TEXT``  | Admin PIN for OpenPGP.                        |
   +---------------------------+-----------------------------------------------+
   | ``-f, --force``           | Confirm the action without prompting.         |
   +---------------------------+-----------------------------------------------+

ykman openpgp certificates [OPTIONS] COMMAND [ARGS]...
=======================================================

Manage certificates.

Options
-------

.. table::

   +---------------------------+-----------------------------------------------+
   | Option                    | Description                                   |
   +===========================+===============================================+
   | ``-h, --help``            | Show this message and exit.                   |
   +---------------------------+-----------------------------------------------+

Commands
--------

.. table::

   +---------------------------+-----------------------------------------------+
   | Command                   | Description                                   |
   +===========================+===============================================+
   | ``delete``                | Delete an OpenPGP certificate.                |
   +---------------------------+-----------------------------------------------+
   | ``export``                | Export an OpenPGP certificate.                |
   +---------------------------+-----------------------------------------------+
   | ``import``                | Import an OpenPGP certificate.                |
   +---------------------------+-----------------------------------------------+

ykman openpgp certificates delete [OPTIONS] KEY
===============================================

Delete an OpenPGP certificate.

Arguments
---------

.. table::

   +---------------+-----------------------------------------------------------+
   | Argument      | Description                                               |
   +===============+===========================================================+
   | ``KEY``       || Key slot to delete certificate from ``sig``, ``enc``,    |
   |               || ``aut``, or ``att``                                      |
   +---------------+-----------------------------------------------------------+

Options
-------

.. table::

   +---------------------------+-----------------------------------------------+
   | Option                    | Description                                   |
   +===========================+===============================================+
   | ``-h, --help``            | Show this message and exit.                   |
   +---------------------------+-----------------------------------------------+
   | ``-a, --admin-pin TEXT``  | Admin PIN for OpenPGP.                        |
   +---------------------------+-----------------------------------------------+

ykman openpgp certificates export [OPTIONS] KEY CERTIFICATE
===========================================================

Export an OpenPGP certificate.

Arguments
---------

.. table::

   +------------------+--------------------------------------------------------+
   | Argument         | Description                                            |
   +==================+========================================================+
   | ``CERTIFICATE``  || File to write certificate to. Use ``'-'`` to use      |
   |                  || ``stdout``.                                           |
   +------------------+--------------------------------------------------------+
   | ``KEY``          || Key slot to read from (``sig``, ``enc``, ``aut``,     |
   |                  || or ``att``).                                          |
   +------------------+--------------------------------------------------------+

Options
-------

.. table::

   +-----------------------------+---------------------------------------------+
   | Option                      | Description                                 |
   +=============================+=============================================+
   | ``-h, --help``              | Show this message and exit.                 |
   +-----------------------------+---------------------------------------------+
   | ``-F, --format [PEM|DER]``  | Encoding format. [Default: ``PEM``]         |
   +-----------------------------+---------------------------------------------+

ykman openpgp certificates import [OPTIONS] KEY CERTIFICATE
===========================================================

Import an OpenPGP certificate.

Arguments
---------

.. table::

   +------------------+--------------------------------------------------------+
   | Argument         | Description                                            |
   +==================+========================================================+
   | ``CERTIFICATE``  || File containing the certificate. Use ``'-'`` to       |
   |                  || use ``stdin``.                                        |
   +------------------+--------------------------------------------------------+
   | ``KEY``          || Key slot to import certificate to (``sig``, ``enc``,  |
   |                  || ``aut``, or ``att``).                                 |
   +------------------+--------------------------------------------------------+

Options
-------

.. table::

   +-----------------------------+---------------------------------------------+
   | Option                      | Description                                 |
   +=============================+=============================================+
   | ``-h, --help``              | Show this message and exit.                 |
   +-----------------------------+---------------------------------------------+
   | ``-a, --admin-pin TEXT``    | Admin PIN for OpenPGP.                      |
   +-----------------------------+---------------------------------------------+

ykman openpgp keys [OPTIONS] COMMAND [ARGS]...
==============================================

Manage private keys.

Options
-------

.. table::

   +-----------------------------+---------------------------------------------+
   | Option                      | Description                                 |
   +=============================+=============================================+
   | ``-h, --help``              | Show this message and exit.                 |
   +-----------------------------+---------------------------------------------+

Commands
--------

.. table::

   +------------------+--------------------------------------------------------+
   | Command          | Description                                            |
   +==================+========================================================+
   | ``attest``       | Generate an attestation certificate for a key.         |
   +------------------+--------------------------------------------------------+
   | ``import``       | Import a private key (ONLY SUPPORTS ATTESTATION KEY).  |
   +------------------+--------------------------------------------------------+
   | ``set-touch``    | Set touch policy for OpenPGP keys.                     |
   +------------------+--------------------------------------------------------+

ykman openpgp keys attest [OPTIONS] KEY CERTIFICATE
===================================================

Generate an attestation certificate for a key.

Attestation is used to show that an asymmetric key was generated on the YubiKey and therefore doesn't exist outside the device.

Arguments
---------

.. table::

   +-----------------+---------------------------------------------------------+
   | Argument        | Description                                             |
   +=================+=========================================================+
   | ``KEY``         | Key slot to attest (``sig``, ``enc``, ``aut``).         |
   +-----------------+---------------------------------------------------------+
   | ``CERTIFICATE`` || File to write attestation certificate to. Use ``'-'``  |
   |                 || to use ``stdout``.                                     |
   +-----------------+---------------------------------------------------------+

Options
-------

.. table::

   +------------------------------+--------------------------------------------+
   | Option                       | Description                                |
   +==============================+============================================+
   | ``-h, --help``               | Show this message and exit.                |
   +------------------------------+--------------------------------------------+
   | ``-F, --format [PEM|DER]``   | Encoding format. [Default: ``PEM``]        |
   +------------------------------+--------------------------------------------+
   | ``-P, --pin TEXT``           | PIN code.                                  |
   +------------------------------+--------------------------------------------+

ykman openpgp keys import [OPTIONS] KEY PRIVATE-KEY
===================================================

Import a private key (ONLY SUPPORTS ATTESTATION KEY).

Import a private key for OpenPGP attestation.

Arguments
---------

.. table::

   +-----------------+---------------------------------------------------------+
   | Argument        | Description                                             |
   +=================+=========================================================+
   | ``KEY``         | Key slot to import (``sig``, ``enc``, ``aut``).         |
   +-----------------+---------------------------------------------------------+
   | ``PRIVATE-KEY`` || File containing the private key. Use ``'-'`` to        |
   |                 || use ``stdin``.                                         |
   +-----------------+---------------------------------------------------------+

Options
-------

.. table::

   +------------------------------+--------------------------------------------+
   | Option                       | Description                                |
   +==============================+============================================+
   | ``-h, --help``               | Show this message and exit.                |
   +------------------------------+--------------------------------------------+
   | ``-a, --admin-pin TEXT``     | Admin PIN for OpenPGP.                     |
   +------------------------------+--------------------------------------------+

ykman openpgp keys set-touch [OPTIONS] KEY POLICY
=================================================

Set touch policy for OpenPGP keys.

Arguments
---------

.. table::

   +-------------+-------------------------------------------------------------+
   | Argument    | Description                                                 |
   +=============+=============================================================+
   | ``KEY``     | Key slot to set (``sig``, ``enc``, ``aut`` or ``att``).     |
   +-------------+-------------------------------------------------------------+
   | ``POLICY``  | Touch policy to set (``on``, ``off``, ``fixed``, ``cached`` |
   |             | or ``cached-fixed``).                                       |
   +-------------+-------------------------------------------------------------+

The touch policy is used to require user interaction for all operations using the private key on the YubiKey. The touch policy is set individually for each key slot. To see the current touch policy, run:

.. code-block::

   $ ykman openpgp info

Touch Policies
--------------

.. table::

   +------------------+--------------------------------------------------------+
   | Policy           | Description                                            |
   +==================+========================================================+
   | ``Cached``       | Touch required, cached for 15s after use.              |
   +------------------+--------------------------------------------------------+
   | ``Cached-Fixed`` || Touch required, cached for 15s after use, can't be    |
   |                  || disabled without a full reset.                        |
   +------------------+--------------------------------------------------------+
   | ``Fixed``        | Touch required, can't be disabled without a full reset.|
   +------------------+--------------------------------------------------------+
   | ``Off``          | No touch required. (default)                           |
   +------------------+--------------------------------------------------------+
   | ``On``           | Touch required.                                        |
   +------------------+--------------------------------------------------------+

Options
-------

.. table::

   +--------------------------+------------------------------------------------+
   | Option                   | Description                                    |
   +==========================+================================================+
   | ``-h, --help``           | Show this message and exit.                    |
   +--------------------------+------------------------------------------------+
   | ``-a, --admin-pin TEXT`` | Admin PIN for OpenPGP.                         |
   +--------------------------+------------------------------------------------+
   | ``-f, --force``          | Confirm the action without prompting.          |
   +--------------------------+------------------------------------------------+

ykman openpgp info [OPTIONS]
============================

Display status of OpenPGP application.

Options
-------

.. table::

   +----------------+----------------------------------------------------------+
   | Option         | Description                                              |
   +================+==========================================================+
   | ``-h, --help`` | Show this message and exit.                              |
   +----------------+----------------------------------------------------------+

ykman openpgp reset [OPTIONS]
=============================

Reset OpenPGP application.

This action wipes all OpenPGP data, and sets all PINs to their default values.

Options
-------

.. table::

   +------------------+--------------------------------------------------------+
   | Option           | Description                                            |
   +==================+========================================================+
   | ``-h, --help``   | Show this message and exit.                            |
   +------------------+--------------------------------------------------------+
   | ``-f, --force``  | Confirm the action without prompting.                  |
   +------------------+--------------------------------------------------------+
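
The ``set-touch`` section above says the current touch policy can be read with ``ykman openpgp info``. The script below is an added example, not part of the ykman documentation or project code: it audits that output and lists the key slots whose touch requirement is off or can still be turned off. The layout of the ``info`` output, the function names, and the rule that every slot should be ``Fixed`` or ``Cached-Fixed`` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ykman project): audit OpenPGP touch policies.
# ASSUMPTION: `ykman openpgp info` prints one line per slot that begins with
# "Signature key", "Encryption key", "Authentication key" or "Attestation key"
# and ends with the policy name. Verify this against your ykman version.

# Constructed sample text, not captured from a real device.
SAMPLE_INFO='PIN tries remaining: 3
Touch policies
Signature key           Cached-Fixed
Encryption key          On
Authentication key      Off
Attestation key         Fixed'

# classify_policy POLICY -> fixed | changeable | off | unknown
# Per the Touch Policies table, only Fixed and Cached-Fixed cannot be
# disabled without a full reset; Off is the default.
classify_policy() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        fixed|cached-fixed) echo fixed ;;
        on|cached)          echo changeable ;;
        off)                echo off ;;
        *)                  echo unknown ;;
    esac
}

# audit_touch: info text on stdin -> "<slot> <policy> <class>" per key slot.
audit_touch() {
    awk 'tolower($0) ~ /^[ \t]*(signature|encryption|authentication|attestation) key/ {
             # First three letters of the slot name give sig, enc, aut, att.
             print tolower(substr($1, 1, 3)), $NF
         }' | while read -r slot policy; do
        echo "$slot $policy $(classify_policy "$policy")"
    done
}

# slots_not_fixed: slots whose touch requirement is off or can be turned off.
slots_not_fixed() {
    audit_touch | awk '$3 != "fixed" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# On a real device: ykman openpgp info | slots_not_fixed
```

Each slot name it prints can be passed as ``KEY`` to ``ykman openpgp keys set-touch`` with the ``fixed`` or ``cached-fixed`` policy.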