NAME¶
yhsm-import-keys ‐ import YubiKey secrets to YubiHSM
SYNOPSIS¶
yhsm-import-keys --key-handles ... [
options]
DESCRIPTION¶
Read YubiKey token data from standard input, and store it in files or in the
YubiHSM internal database.
The default mode is to turn each YubiKey secret into an AEAD (Authenticated
Encryption with Associated Data) block that is stored in a file on the host
computer (one file per YubiKey). This enables validation of virtually
unlimited numbers of YubiKey's OTPs.
If --internal-db is used, the YubiKey secret will be stored inside the YubiHSM,
and complete validation (including counter management) will be done inside the
YubiHSM. The internal database is currently limited to 1024 entrys.
OPTIONS¶
- -D, --device
- device file name (default: /dev/ttyACM0)
- -v, --verbose
- enable verbose operation
- --debug
- enable debug printout, including all data sent to/from YubiHSM
- --public_id_chars num
- number of chars to pad public id to (default: 12)
- --key-handles kh
- key handles to use for decoding OTPs. Examples : "1",
"0xabcd"
- --output-dir dir, --aead-dir dir, -O dir
- base directory for AEADs (default: /var/cache/yubikey-ksm/aeads)
- --internal-db
- add entrys to YubiHSM internal database, rather than creating AEAD
files
- --random-nonce
- use random nonce generated from YubiHSM
The format of the input matches the export format of various Yubico tools,
notably the PHP based soft KSM ⟨URL:
http://code.google.com/p/yubikey-ksm/ ⟩.
An example file, with a single entry for id 4711 would be :
# ykksm 1
123456,ftftftcccc,534543524554,fcacd309a20ce1809c2db257f0e8d6ea,000000000000,,,
(seqno, public id, private uid, AES key, dunno,,,)
The #ykksm 1 is a file marker, and has to be on the very first line of input.
BUGS¶
Report python-pyhsm/yhsm-import-keys bugs in the issue tracker ⟨URL:
https://github.com/Yubico/python-pyhsm/issues/ ⟩
SEE ALSO¶
The home page ⟨URL:
https://developers.yubico.com/python-pyhsm/ ⟩
YubiHSMs can be obtained from Yubico ⟨URL:
http://www.yubico.com/
⟩.