Provided by: s390-tools_2.29.0-0ubuntu2.2_amd64 bug

NAME

       pvsecret - Manage secrets for IBM Secure Execution guests

SYNOPSIS

       pvsecret [OPTIONS] <COMMAND>

DESCRIPTION

       Use pvsecret to manage secrets for IBM Secure Execution guests.  pvsecret can create add-
       secret requests on any architecture. On s390x systems, use pvsecret to add the secrets to
       the ultravisor secret store, list all secrets in the secret store, or lock the secret
       store to prevent any modifications in the future.

       The ultravisor secret store stores secrets for the IBM Secure Execution guest.  The secret
       store is cleared on guest reboot.

       Create requests only on trusted systems that are not the IBM Secure Execution guest where
       you want to inject the secrets. This approach prevents the secrets from being in cleartext
       on the guest. For extra safety, do an attestation with pvattest of your guest beforehand,
       and include the configuration UID in the secret request using --cuid. Refer to pvsecret-
       add(1) for more information.  For all certificates, revocation lists, and host-key
       documents, both the PEM and DER input formats are supported.

OPTIONS

       -v, --verbose
           Provide more detailed output.

       --version
           Print version information and exit.

EXAMPLES

       Create the add-secret request on a trusted system. The program generates three files.
       addsecreq.bin contains the add-secret request. TEST.yaml contains the non-confidential
       information about the generated secret. It contains the name and ID of the secret. TEST
       contains the plaintext secret that is encrypted in the request. It can be used to generate
       add-secret requests for a different guest with the same secret. Destroy the secret when it
       is not used anymore.

            trusted:~$ pvsecret create -k hkd.crt --cert CA.crt --cert ibmsk.crt --hdr pvimage -o addsecreq.bin association EXAMPLE
            Successfully generated the request
            Successfully wrote association info to 'EXAMPLE.yaml'
            Successfully wrote generated association secret to 'EXAMPLE'
       On the SE-guest, add the secret from request to the secret store.

            seguest:~$ pvsecret add addsecreq.bin
            Successfully added the secret

       On the SE-guest, list the secrets currently stored.

            seguest:~$ pvsecret list
            Total number of secrets: 1

            0 Association:
                 94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2

       On the SE-guest, lock the secret store.

            seguest:~$ pvsecret lock
            Successfully locked secret store
            seguest:~$ pvsecret add addsecreq.bin
            error: Ultravisor: 'secret store locked' (0x0102)

SEE ALSO

       pvsecret-create(1) pvsecret-add(1) pvsecret-lock(1) pvsecret-list(1) pvsecret-version(1)