Provided by: yubihsm-shell_2.6.0-4_amd64 
NAME
yubihsm-shell - manual page for yubihsm-shell 2.6.0
SYNOPSIS
yubihsm-shell [OPTION]...
DESCRIPTION
-h, --help
Print help and exit
-V, --version
Print version and exit
-a, --action=ENUM
Action to perform (possible values="benchmark", "blink-device", "create-otp-aead",
"decrypt-aesccm", "decrypt-aescbc", "decrypt-aesecb", "decrypt-oaep",
"decrypt-otp", "decrypt-pkcs1v15", "delete-object", "derive-ecdh",
"encrypt-aesccm", "encrypt-aescbc", "encrypt-aesecb", "generate-asymmetric-key",
"generate-hmac-key", "generate-otp-aead-key", "generate-wrap-key",
"generate-symmetric-key", "get-device-info", "get-logs", "get-object-info",
"get-opaque", "get-option", "get-pseudo-random", "get-public-key",
"get-storage-info", "get-template", "get-wrapped", "get-rsa-wrapped",
"get-rsa-wrapped-key", "get-device-pubkey", "list-objects", "put-asymmetric-key",
"put-authentication-key", "put-hmac-key", "put-opaque", "put-option",
"put-otp-aead-key", "put-symmetric-key", "put-template", "put-wrap-key",
"put-rsa-wrapkey", "put-public-wrapkey", "put-wrapped", "put-rsa-wrapped",
"put-rsa-wrapped-key", "randomize-otp-aead", "reset", "set-log-index",
"sign-attestation-certificate", "sign-ecdsa", "sign-eddsa", "sign-hmac",
"sign-pkcs1v15", "sign-pss", "sign-ssh-certificate")
-p, --password=STRING
Authentication password
--authkey=INT
Authentication key (default=`1')
-i, --object-id=SHORT
Object ID (default=`0')
-l, --label=STRING
Object label (default=`')
-d, --domains=STRING
Object domains (default=`1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16')
-c, --capabilities=STRING
Capabilities for an object (default=`0')
-t, --object-type=STRING
Object type (default=`any')
-y, --ykhsmauth-label=STRING
Credential label on YubiKey (implicitly enables ykhsmauth)
-r, --ykhsmauth-reader=STRING Only use a matching YubiKey reader name
(default=`')
--delegated=STRING
Delegated capabilities (default=`0')
--new-password=STRING
New authentication password
-A, --algorithm=STRING
Operation algorithm (default=`any')
--oaep=STRING
OAEP algorithm. Used primarily with asymmetric wrap (default=`rsa-oaep-sha256')
--mgf1=STRING
MGF1 algorithm. Used primarily with asymmetric wrap (default=`mgf1-sha256')
--nonce=INT
OTP nonce
--iv=STRING
An initialization vector as a hexadecimal string
--count=INT
Number of bytes to request (default=`256')
--duration=INT
Blink duration in seconds (default=`10')
--wrap-id=INT
Wrap key ID
--include-seed
Include seed when exporting an ED25519 key under wrap (default=off)
--template-id=INT
Template ID
--attestation-id=INT
Attestation ID
--log-index=INT
Log index
--opt-name=STRING
Device option name
--opt-value=STRING
Device option value
--in=STRING
Input data (filename) (default=`-')
--out=STRING
Output data (filename) (default=`-')
--informat=ENUM
Input format (possible values="default", "base64", "binary", "PEM", "password",
"hex", "ASCII" default=`default')
--outformat=ENUM
Input and output format (possible values="default", "base64", "binary", "PEM",
"hex", "ASCII" default=`default')
-f, --config-file=STRING
Configuration file to read (default=`')
-C, --connector=STRING
List of connectors to use
--cacert=STRING
HTTPS cacert for connector
--cert=STRING
HTTPS client certificate to authenticate with
--key=STRING
HTTPS client certificate key
--proxy=STRING
Proxy server to use for connector
--noproxy=STRING
Comma separated list of hosts ignore proxy for
-v, --verbose=INT
Print more information (default=`0')
-P, --pre-connect
Connect immediately in interactive mode (default=off)
--device-pubkey=STRING
List of device public keys allowed for asymmetric authentication