.. Security_Domain_SD_Commands.rst

.. _security-domain-sd-commands-label:

===============================
Security Domain (SD) Commands
===============================

The Security Domain (SD) command described here is a hidden command: it is only listed when you run ``ykman --full-help``.

ykman sd [OPTIONS] COMMAND [ARGS]
==================================

Manage the Security Domain (SD) application, which holds keys for Secure Copy Protocol (SCP).

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

Commands
---------

.. table::

   +-------------------+-----------------------------------------------------------+
   | Command           | Description                                               |
   +===================+===========================================================+
   | ``info``          | List keys in the Security Domain of the YubiKey.          |
   +-------------------+-----------------------------------------------------------+
   | ``keys``          | Manage SCP keys.                                          |
   +-------------------+-----------------------------------------------------------+
   | ``reset``         | Reset all Security Domain data.                           |
   +-------------------+-----------------------------------------------------------+

ykman sd info [OPTIONS]
=======================

List keys in the Security Domain of the YubiKey.

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

ykman sd keys [OPTIONS] COMMAND [ARGS]
=======================================

Manage SCP keys.

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

Commands
---------

.. table::

   +-------------------+-----------------------------------------------------------+
   | Command           | Description                                               |
   +===================+===========================================================+
   | ``delete``        | Delete a key or keyset.                                   |
   +-------------------+-----------------------------------------------------------+
   | ``export``        | Export certificate chain for a key.                       |
   +-------------------+-----------------------------------------------------------+
   | ``generate``      | Generate an asymmetric key pair.                          |
   +-------------------+-----------------------------------------------------------+
   | ``import``        | Import a key or certificate.                              |
   +-------------------+-----------------------------------------------------------+
   | ``set-allowlist`` | Set an allowlist of certificate serial numbers for a key. |
   +-------------------+-----------------------------------------------------------+

ykman sd keys delete [OPTIONS] KID KVN
========================================

Deletes the key or keyset with the given Key ID (KID) and Key Version Number (KVN). Set either KID or KVN to ``0`` to use it as a wildcard and delete all keys matching the other, specific, KID or KVN.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the key to delete.       |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-f, --force``                 | Confirm the action without prompting.      |
   +---------------------------------+--------------------------------------------+

ykman sd keys export [OPTIONS] KID KVN OUTPUT
==============================================

Export certificate chain for a key.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the certificate chain    |
   |                                 | to output.                                 |
   +---------------------------------+--------------------------------------------+
   | ``OUTPUT``                      | File to write the certificate chain to.    |
   |                                 | Use '-' to use stdout.                     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

ykman sd keys generate [OPTIONS] KID KVN PUBLIC-KEY
====================================================

Generate an asymmetric key pair. The private key is generated on the YubiKey and written to one of the slots; only the public key leaves the device.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the new key.             |
   +---------------------------------+--------------------------------------------+
   | ``PUBLIC-KEY``                  | File containing the generated public key.  |
   |                                 | Use '-' to use stdout.                     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-r, --replace-kvn INTEGER``   | Replace an existing key of the same type,  |
   |                                 | the same KID.                              |
   +---------------------------------+--------------------------------------------+

ykman sd keys import [OPTIONS] KID KVN INPUT
=============================================

Import a key or certificate. The form of INPUT depends on the KID:

- ``KID 0x01`` expects the input to be a ":"-separated triple of K-ENC:K-MAC:K-DEK.
- ``KID 0x11, 0x13, 0x15`` expect the input to be a file containing a private key and (optionally) a certificate chain.
- ``KID 0x10, 0x20-0x2F`` expect the file to contain a CA-KLOC certificate.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the new key.             |
   +---------------------------------+--------------------------------------------+
   | ``INPUT``                       | SCP03 keyset, or input file.               |
   |                                 | Use '-' to use stdout.                     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-p, --password TEXT``         | Password used to decrypt the file,         |
   |                                 | if needed.                                 |
   +---------------------------------+--------------------------------------------+
   | ``-r, --replace-kvn INTEGER``   | Replace an existing key of the same type,  |
   |                                 | the same KID.                              |
   +---------------------------------+--------------------------------------------+

ykman sd keys set-allowlist [OPTIONS] KID KVN [SERIALS]
========================================================

Set an allowlist of certificate serial numbers for a key. Each certificate in the chain used when authenticating an SCP11a/c session is checked, and the session is rejected if a certificate's serial number is not in this ``allowlist``.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the allowlist to set.    |
   +---------------------------------+--------------------------------------------+
   | ``SERIALS``                     | Serial numbers of certificates to allow.   |
   |                                 | Separate serial numbers using a space.     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

ykman sd reset [OPTIONS]
=========================

Reset all Security Domain data. This action wipes all keys and restores factory settings for the Security Domain on the YubiKey.

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-f, --force``                 | Confirm the action without prompting.      |
   +---------------------------------+--------------------------------------------+
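The per-KID input rules of ``ykman sd keys import`` and the ``0`` wildcard of ``ykman sd keys delete`` described above, modelled as a pre-flight check that runs without a YubiKey (an added example, not ykman's own code). It assumes the K-ENC:K-MAC:K-DEK triple is hex-encoded and that SCP03 keys are AES keys; ``expected_input_for_kid``, ``parse_scp03_keyset`` and ``keys_deleted_by`` are hypothetical names.

```python
"""Pre-flight checks for `ykman sd keys import` / `delete` inputs (added example,
not ykman code). Assumed: keyset hex encoding, AES key sizes; names are hypothetical."""
import re

# Input kinds the reference documents per KID for `ykman sd keys import`.
SCP03_KEYSET = "scp03-keyset"       # KID 0x01: K-ENC:K-MAC:K-DEK triple
SCP11_PRIVATE_KEY = "private-key"   # KID 0x11, 0x13, 0x15: private key + optional chain
CA_KLOC_CERT = "ca-kloc-cert"       # KID 0x10, 0x20-0x2F: CA-KLOC certificate

_HEX = re.compile(r"^[0-9a-fA-F]+$")
AES_KEY_SIZES = (16, 24, 32)  # bytes; assumption: SCP03 keys are AES keys


def expected_input_for_kid(kid: int) -> str:
    """Return which kind of INPUT the documented KID expects."""
    if kid == 0x01:
        return SCP03_KEYSET
    if kid in (0x11, 0x13, 0x15):
        return SCP11_PRIVATE_KEY
    if kid == 0x10 or 0x20 <= kid <= 0x2F:
        return CA_KLOC_CERT
    raise ValueError(f"KID 0x{kid:02x} is not a documented import target")


def parse_scp03_keyset(text: str) -> dict:
    """Split a 'K-ENC:K-MAC:K-DEK' string (assumed hex) into three raw AES keys.
    Rejects a wrong part count, non-hex input, non-AES sizes and mixed sizes."""
    parts = text.strip().split(":")
    if len(parts) != 3:
        raise ValueError("expected three ':'-separated keys: K-ENC:K-MAC:K-DEK")
    keys = {}
    for name, hexval in zip(("enc", "mac", "dek"), parts):
        if not _HEX.match(hexval) or len(hexval) % 2:
            raise ValueError(f"K-{name.upper()}: not a valid hex string")
        raw = bytes.fromhex(hexval)
        if len(raw) not in AES_KEY_SIZES:
            raise ValueError(f"K-{name.upper()}: {len(raw)} bytes is not an AES key size")
        keys[name] = raw
    if len({len(k) for k in keys.values()}) != 1:
        raise ValueError("K-ENC, K-MAC and K-DEK must have the same size")
    return keys


def keys_deleted_by(refs, kid: int, kvn: int):
    """(KID, KVN) pairs that `ykman sd keys delete KID KVN` removes; 0 is a wildcard."""
    return [(k, v) for k, v in refs
            if (kid == 0 or k == kid) and (kvn == 0 or v == kvn)]
```

Run the checks on the keyset string or the current ``ykman sd info`` listing before issuing the real command, so a malformed keyset or an over-broad wildcard is caught before any key on the device is touched.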