NAME

       yhsm-generate-keys ‐ Generate AEADs with secrets for YubiKeys using a YubiHSM

SYNOPSIS

       yhsm-generate-keys --key-handles KEY_HANDLES --start-public-id START_ID [options]

DESCRIPTION

       With  this  tool,  a  YubiHSM can generate random secrets (using it's internal true random
       number generator), and these secrets protected in AEAD files can be  stored  on  the  host
       computer.

       The  AEADs  will  be ready to be used by for example yhsm-yubikey-ksm(1) ), as a part of a
       YubiKey OTP validation service.

       To program YubiKeys with the generated secrets,  it  is  possible  to  decrypt  the  AEADs
       (knowledge of the AES key used inside the YubiHSM is required) using yhsm-decrypt-aead(1)

OPTIONS

       -D, --device
              Device file name (default: /dev/ttyACM0).

       -v, --verbose
              Enable verbose operation.

       --debug
              Enable debug printout, including all data sent to/from YubiHSM.

       -O dir Base output directory (default: /var/cache/yubikey-ksm/aeads).

       -c integer
              Number of AEADs to generate.

       --public-id-chars integer
              Number of chars in generated public ids (default: 12). Changing this might not work
              well.

       --key-handles kh [kh ...]
              Key handles to encrypt the generated secrets with. Examples : "1", "0xabcd".

       --start-public-id id
              Public id of the first generated secret, in modhex.

       --random-nonce
              Use random nonce generated from YubiHSM.

EXIT STATUS

       0   Secrets generated successfully.

       1   Failed to generate secrets.

BUGS

       Report python-pyhsm/yhsm-generate-keys bugs in the issue tracker ⟨https://github.com/
       Yubico/python-pyhsm/issues/⟩

SEE ALSO

       The home page ⟨https://developers.yubico.com/python-pyhsm/⟩

       YubiHSMs and YubiKeys can be obtained from Yubico ⟨http://www.yubico.com/⟩.