Provided by: s390-tools_2.34.0-0ubuntu2_amd64 bug

NAME

       pvsecret - Manage secrets for IBM Secure Execution guests

SYNOPSIS

       pvsecret [OPTIONS] <COMMAND>

DESCRIPTION

       Use pvsecret to manage secrets for IBM Secure Execution guests.  pvsecret can create add-
       secret requests on any architecture. On s390x systems, use pvsecret to add the secrets to
       the ultravisor secret store, list all secrets in the secret store, or lock the secret
       store to prevent any modifications in the future.

       The ultravisor secret store stores secrets for the IBM Secure Execution guest.  The secret
       store is cleared on guest reboot.

       Create requests only on trusted systems that are not the IBM Secure Execution guest where
       you want to inject the secrets. This approach prevents the secrets from being in cleartext
       on the guest. For extra safety, do an attestation with pvattest of your guest beforehand,
       and include the configuration UID in the secret request using --cuid. Refer to pvsecret-
       add(1) for more information. For all certificates, revocation lists, and host-key
       documents, both the PEM and DER input formats are supported.

PVSECRET COMMANDS

       create
           Create a new add-secret request

       add
           Perform an add-secret request (s390x only)

       lock
           Lock the secret-store (s390x only)

       list
           List all ultravisor secrets (s390x only)

       verify
           Verify that an add-secret request is sane

OPTIONS

       -v, --verbose
           Provide more detailed output.

       --version
           Print version information and exit.

       -h, --help
           Print help.

EXAMPLES

       Create the add-secret request on a trusted system. The program generates two files.
       addsecreq.bin contains the add-secret request. XAMPLE.yaml contains the non-confidential
       information about the generated secret. It contains name and id of the secret.

            trusted:~$ pvsecret create -k hkd.crt --cert CA.crt --cert ibmsk.crt --hdr pvimage -o addsecreq.bin association EXAMPLE
            Successfully generated the request
            Successfully wrote association info to 'EXAMPLE.yaml'
       On the SE-guest, add the secret from request to the secret store.

            seguest:~$ pvsecret add addsecreq.bin
            Successfully added the secret

       On the SE-guest, list the secrets currently stored.

            seguest:~$ pvsecret list
            Total number of secrets: 1

            0 Association:
                 94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2

       On the SE-guest, lock the secret store.

            seguest:~$ pvsecret lock
            Successfully locked secret store
            seguest:~$ pvsecret add addsecreq.bin
            error: Ultravisor: 'secret store locked' (0x0102)

SEE ALSO

       pvsecret-create(1) pvsecret-add(1) pvsecret-lock(1) pvsecret-list(1) pvsecret-verify(1)