NAME¶
yhsm-keystore-unlock ‐ Unlock the keystore in a YubiHSM
SYNOPSIS¶
yhsm-keystore-unlock [
options]
DESCRIPTION¶
In versions of the YubiHSM before 1.0, the YubiHSM could be protected using a
'HSM password'. The YubiHSM would unlock it's cryptographic functions if the
correct password was given, but it was a simple comparision test.
In YubiHSM 1.0, the password was changed into an actual key that was used to
decrypt the contents of the YubiHSM internal key store, which was then AES-256
encrypted using the new 'Master key' when stored in the device.
In YubiHSM 1.0, the option to also require an YubiKey OTP to unlock the keystore
was also added. One or more 'Admin YubiKeys' can be configured in the YubiHSM,
and an OTP from one of these must also be provided before the YubiHSM will
enable it's cryptographic functions.
The OTP is simply validated against the non-encrypted internal database (not key
store) in the YubiHSM though, but together with a 'Master key' not stored on
the server with the YubiHSM, it provides enhanced security by being a second
factor that an attacker can't just intercept even if the server is
compromised.
OPTIONS¶
- -D, --device
- device file name (default: /dev/ttyACM0).
- -v, --verbose
- enable verbose operation.
- --debug
- enable debug printout, including all data sent to/from YubiHSM.
- --no-otp
- skip the prompt for an OTP. For use by scripts where no OTP is required
and the Master Key is stored on the server with the YubiHSM.
- --stdin
- read password and/or OTP from stdin rather than prompting for them. Python
prompts does not accept piped input, so this option have to be used to
unlock the YubiHSM from a script for example.
EXIT STATUS¶
- 0
- YubiHSM keystore successfully unlocked.
- 1
- Failed to unlock keystore.
BUGS¶
Report python-pyhsm/yhsm-keystore-unlock bugs in the issue tracker ⟨URL:
https://github.com/Yubico/python-pyhsm/issues/ ⟩
SEE ALSO¶
The home page ⟨URL:
https://developers.yubico.com/python-pyhsm/ ⟩
YubiHSMs can be obtained from Yubico ⟨URL:
http://www.yubico.com/
⟩.