xenial (1) yhsm-keystore-unlock.1.gz

Provided by: yhsm-tools_1.0.4l-1_all

NAME

       yhsm-keystore-unlock ‐ Unlock the keystore in a YubiHSM

SYNOPSIS

       yhsm-keystore-unlock [options]

DESCRIPTION

       In versions of the YubiHSM before 1.0, the YubiHSM could be protected with an 'HSM password'. The  YubiHSM
       would  unlock  its cryptographic functions if the correct password was given, but this was a simple
       comparison test: the password gated access to the device, it was not used to encrypt the stored keys.

       In YubiHSM 1.0 the password became an actual key. The contents of the YubiHSM internal key store are  AES-
       256  encrypted  with  this new 'Master key' when stored in the device, and the Master key has to be supplied
       to decrypt them before the keys can be used.

       YubiHSM 1.0 also added the option to require a YubiKey OTP to unlock the keystore. One or more 'Admin  Yubi-
       Keys'  can  be  configured  in  the YubiHSM, and an OTP from one of them must then also be provided before the
       YubiHSM enables its cryptographic functions.

       The OTP is simply validated against the non-encrypted internal database in the YubiHSM (not the  key  store).
       Together  with  a  Master  key  that  is not stored on the server hosting the YubiHSM, it nevertheless adds a
       second factor that an attacker cannot simply intercept even if that server is compromised.

OPTIONS

       -D, --device
              device file name (default: /dev/ttyACM0).

       -v, --verbose
              enable verbose operation.

       --debug
              enable debug printout, including all data sent to/from YubiHSM.

       --no-otp
              skip the prompt for an OTP. For use by scripts where no OTP is required and the Master key is  stored
              on  the  server  with  the YubiHSM. Note that this gives up the second factor described above: anyone
              who can read the Master key from that server can unlock the keystore.

       --stdin
              read the password and/or OTP from stdin rather than prompting for them. The Python prompts  do  not
              accept  piped  input,  so  this  option  has to be used to unlock the YubiHSM from a script, for
              example.

EXIT STATUS

       0   YubiHSM keystore successfully unlocked.

       1   Failed to unlock keystore.
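
EXAMPLES

       The following POSIX shell script is an added example and is not part of the yhsm-tools package or its  man
       page.  It  shows  how  a  script  can  drive yhsm-keystore-unlock with --stdin (and --no-otp when no Admin
       YubiKey is configured) so that neither the Master key nor the OTP appears on a command line or in a  ter-
       minal  prompt,  and  how  the  exit  status is propagated to the caller. It assumes, which the man page does
       not state, that with --stdin the tool reads the Master key on the first line and the OTP on the second, and
       that the Master key is kept in a file readable only by the unlocking user; the file path, device  name  and
       the stand-in program selected through YHSM_UNLOCK are the caller's choice.

```shell
#!/bin/sh
# Added example, not code from the yhsm-tools package: unlock a YubiHSM keystore
# from a script by feeding the Master key (and optionally an admin YubiKey OTP)
# to yhsm-keystore-unlock over stdin, so neither secret appears on a command
# line or in a terminal prompt.
#
# Assumptions not stated by the man page:
#   - with --stdin the tool reads the Master key on the first line and, unless
#     --no-otp is given, the OTP on the second line;
#   - the Master key is kept in a file readable only by the unlocking user
#     (the path is whatever the caller passes in).

# Program to run; overridable so the function can be exercised against a stand-in.
YHSM_UNLOCK="${YHSM_UNLOCK:-yhsm-keystore-unlock}"

# unlock_keystore KEYFILE [OTP] [DEVICE]
#   Exit status: that of yhsm-keystore-unlock (0 unlocked, 1 failed), or 2 if the
#   key file is unusable before the tool is even run.
unlock_keystore() {
    keyfile=$1
    otp=$2
    device=${3:-/dev/ttyACM0}

    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "unlock_keystore: cannot read Master key file $keyfile" >&2
        return 2
    fi

    # Refuse a key file with any group/other permission bits. The Master key is the
    # factor that is meant to stay away from the server, so if it is on disk at all
    # it must at least be unreadable to every other account on the host.
    if [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "unlock_keystore: $keyfile is accessible to group/others; refusing" >&2
        return 2
    fi

    # $(...) strips trailing newlines, so the key is sent as exactly one line even
    # if the file lacks a final newline (otherwise the OTP would be glued to it).
    master_key=$(cat "$keyfile")

    if [ -n "$otp" ]; then
        # Master key then OTP, one per line (order is an assumption, see above).
        printf '%s\n%s\n' "$master_key" "$otp" |
            "$YHSM_UNLOCK" --stdin -D "$device"
    else
        # No Admin YubiKey configured: tell the tool not to wait for an OTP.
        printf '%s\n' "$master_key" |
            "$YHSM_UNLOCK" --stdin --no-otp -D "$device"
    fi
}

# Usage when run as a script:
#   sh unlock-hsm.sh /path/to/master.key [OTP] [/dev/ttyACM0]
if [ "$#" -ge 1 ]; then
    unlock_keystore "$@"
fi
```

       The  pipeline's  exit  status  is  that  of  yhsm-keystore-unlock, so a caller can test it directly (0 means
       the keystore is unlocked, 1 that unlocking failed); the permission check and the missing-file  check  return
       2 so that local misconfiguration is distinguishable from a refusal by the YubiHSM.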

BUGS

       Report python-pyhsm/yhsm-keystore-unlock bugs in the issue tracker ⟨https://github.com/Yubico/
       python-pyhsm/issues/⟩

SEE ALSO

       The home page ⟨https://developers.yubico.com/python-pyhsm/⟩

       YubiHSMs can be obtained from Yubico ⟨http://www.yubico.com/⟩.