xenial (1) yhsm-keystore-unlock.1.gz
NAME
yhsm-keystore-unlock ‐ Unlock the keystore in a YubiHSM
SYNOPSIS
yhsm-keystore-unlock [options]
DESCRIPTION
In versions of the YubiHSM before 1.0, the YubiHSM could be protected using a 'HSM password'. The YubiHSM
would unlock it's cryptographic functions if the correct password was given, but it was a simple
comparision test.
In YubiHSM 1.0, the password was changed into an actual key that was used to decrypt the contents of the
YubiHSM internal key store, which was then AES-256 encrypted using the new 'Master key' when stored in
the device.
In YubiHSM 1.0, the option to also require an YubiKey OTP to unlock the keystore was also added. One or
more 'Admin YubiKeys' can be configured in the YubiHSM, and an OTP from one of these must also be
provided before the YubiHSM will enable it's cryptographic functions.
The OTP is simply validated against the non-encrypted internal database (not key store) in the YubiHSM
though, but together with a 'Master key' not stored on the server with the YubiHSM, it provides enhanced
security by being a second factor that an attacker can't just intercept even if the server is
compromised.
OPTIONS
-D, --device
device file name (default: /dev/ttyACM0).
-v, --verbose
enable verbose operation.
--debug
enable debug printout, including all data sent to/from YubiHSM.
--no-otp
skip the prompt for an OTP. For use by scripts where no OTP is required and the Master Key is
stored on the server with the YubiHSM.
--stdin
read password and/or OTP from stdin rather than prompting for them. Python prompts does not
accept piped input, so this option have to be used to unlock the YubiHSM from a script for
example.
EXIT STATUS
0 YubiHSM keystore successfully unlocked.
1 Failed to unlock keystore.
BUGS
Report python-pyhsm/yhsm-keystore-unlock bugs in the issue tracker ⟨https://github.com/Yubico/
python-pyhsm/issues/⟩
SEE ALSO
The home page ⟨https://developers.yubico.com/python-pyhsm/⟩
YubiHSMs can be obtained from Yubico ⟨http://www.yubico.com/⟩.