MAN page from OpenSuSE openCryptoki-3.15.1-5.3.1.x86_64.rpm

P11SAK

Section: openCryptoki (1)
Updated: May 2020

NAME

p11sak - generate and list token keys in an openCryptoki token repository. 

SYNOPSIS

p11sak command [ARGS] [OPTIONS]

p11sak --help | -h

 

DESCRIPTION

p11sak can be used to generate, list and delete the token keys in an openCryptoki token repository. The utility provides a flexible key management tool in openCryptoki to list and generate symmetric (DES, 3DES, AES) and asymmetric (RSA, EC) keys. In particular, it lists keys together with their PKCS #11 attributes in a well-defined format.

COMMANDS

The p11sak tool can operate in three modes: when command generate-key is specified, it generates a token key in the openCryptoki token repository. If command list-key is given, it lists the keys specified in the arguments. If command remove-key is given, it removes the keys specified in the arguments.

 

generate-key

Use the generate-key | gen-key | gen command and key argument to generate a token key with the respective [ARGS] and [OPTIONS]. The --help | -h option will show the arguments and options available.

 

list-key

Use the list-key | ls-key | ls command and key argument to list token keys given the respective [ARGS] and [OPTIONS]. The --help | -h option will show the arguments and options available.

 

remove-key

Use the remove-key | rm-key | rm command and key argument to delete token keys given the respective [ARGS] and [OPTIONS]. The --help | -h option will show the arguments and options available.

 

Generating DES/3DES keys

p11sak generate-key|gen-key|gen des|3des --slot SLOTID --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key command with the des|3des key argument to generate a DES or 3DES key. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID and the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description of the attributes).

 

Generating AES keys

p11sak generate-key|gen-key|gen aes 128|192|256 --slot SLOTID --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key aes 128|192|256 command and key argument to generate an AES key with 128, 192 or 256 bit length, respectively. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID and the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description of the attributes).

 

Generating RSA keys

p11sak generate-key|gen-key|gen rsa 1024|2048|4096 --slot SLOTID --pin PIN --label LABEL --exponent EXP --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key rsa 1024|2048|4096 command and key argument to generate a 1024, 2048 or 4096 bit RSA key, respectively. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID and the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description of the attributes). Furthermore, the --exponent EXP option allows the user to specify the exponent used for generating the RSA key. The default is set to 65537 according to the PKCS #11 standard.

 

Generating EC keys

p11sak generate-key|gen-key|gen ec CURVE --slot SLOTID --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key ec CURVE command and key argument to generate an EC key, where CURVE specifies the elliptic curve used to create the EC key. The following arguments can be used for respective curves: prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 | brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 | brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | brainpoolP512r1 | brainpoolP512t1

Note: not all curves will be supported by all tokens and key generation will fail when the specified CURVE is not supported. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID and the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description of the attributes).

 

Listing symmetric and asymmetric keys

p11sak list-key|ls-key|ls des|3des|aes|rsa|ec|public|private|secret --slot SLOTID --pin PIN --long | -l --help | -h

Use the list-key | ls-key | ls command and key argument to list DES, 3DES, AES, RSA or EC keys, respectively. Public, private or secret keys can also be listed irrespective of key type.

 

Deleting symmetric and asymmetric keys

p11sak remove-key|rm-key|rm des|3des|aes|rsa|ec --slot SLOTID --pin PIN --label LABEL --force | -f --help | -h

Use the remove-key | rm-key | rm command and key argument to delete DES, 3DES, AES, RSA or EC keys, respectively. All keys of the specified cipher type are offered for deletion unless a specific key is selected with the --label LABEL argument. The user will be prompted to confirm the deletion of the key. To suppress the prompt, use the --force | -f option.

 

ARGS

 

des | 3des | aes | rsa | ec | public | private | secret

selects the respective symmetric or asymmetric key to be generated or listed. The public|private|secret argument can only be used with the list-key command to list either public, private or secret keys.

 

128|192|256

the aes argument has to be followed by either 128, 192 or 256 to set the respective key bit length of the AES key.

 

1024|2048|4096

the rsa argument has to be followed by either 1024, 2048 or 4096 to set the respective key bit length of the RSA key.

 

prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 | brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 | brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | brainpoolP512r1 | brainpoolP512t1

the ec argument has to be followed by one of these CURVE values to select the EC curve used to generate the key.

 

OPTIONS

 

--slot SLOTID

sets the token to SLOTID

 

--pin PIN

sets the token PIN to PIN

 

--label LABEL

sets the key label attribute to LABEL

 

--exponent EXP

sets the RSA exponent to EXP

 

--attr [M R L S E D G V W U A X N T]

sets the binary attributes of a key.

Note: not all binary attributes are applicable to all keys and will be omitted if not applicable.

The attributes are set to FALSE by default and switched to TRUE when the letter that is associated with the given binary attribute is specified. The following letters are associated with the respective CK_ATTRIBUTE:

* M - CKA_MODIFIABLE
* R - CKA_DERIVE
* L - CKA_LOCAL
* S - CKA_SENSITIVE
* E - CKA_ENCRYPT
* D - CKA_DECRYPT
* G - CKA_SIGN
* V - CKA_VERIFY
* W - CKA_WRAP
* U - CKA_UNWRAP
* A - CKA_ALWAYS_SENSITIVE
* X - CKA_EXTRACTABLE
* N - CKA_NEVER_EXTRACTABLE

CKA_TOKEN and CKA_PRIVATE are set by default to TRUE. For multiple attributes, combine the letters in a string without white space, e.g. 'MLD'.
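
Because every attribute defaults to FALSE, a key generated without S is created with CKA_SENSITIVE unset. The following pre-flight check is an added example, not part of the man page or of openCryptoki: it decodes an --attr string with the letter table above and only prints a generate-key command when S is present and X is absent. The function names, the policy, slot 1, the label demo-key and the literal "$PIN" placeholder are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from openCryptoki): decode and vet a p11sak --attr string.

attr_name() {  # one --attr letter -> CK_ATTRIBUTE name from the man page list
    case "$1" in
        M) echo CKA_MODIFIABLE ;;       R) echo CKA_DERIVE ;;
        L) echo CKA_LOCAL ;;            S) echo CKA_SENSITIVE ;;
        E) echo CKA_ENCRYPT ;;          D) echo CKA_DECRYPT ;;
        G) echo CKA_SIGN ;;             V) echo CKA_VERIFY ;;
        W) echo CKA_WRAP ;;             U) echo CKA_UNWRAP ;;
        A) echo CKA_ALWAYS_SENSITIVE ;; X) echo CKA_EXTRACTABLE ;;
        N) echo CKA_NEVER_EXTRACTABLE ;;
        T) echo "T (accepted by --attr, not described in the man page)" ;;
        *) return 1 ;;
    esac
}

decode_attrs() {  # "SED" -> one attribute name per line; status 2 on a bad letter
    rest=$1
    while [ -n "$rest" ]; do
        letter=${rest%"${rest#?}"}      # first character of what is left
        rest=${rest#?}
        attr_name "$letter" || { echo "unknown letter: $letter" >&2; return 2; }
    done
}

check_attrs() {  # assumed policy: secret material gets S and never X
    attrs=$1 status=0
    decode_attrs "$attrs" >/dev/null || return 2
    case "$attrs" in *S*) ;; *) echo "no S: CKA_SENSITIVE stays FALSE"; status=1 ;; esac
    case "$attrs" in *X*) echo "X: CKA_EXTRACTABLE becomes TRUE"; status=1 ;; esac
    return "$status"
}

gen_cmd() {  # usage: gen_cmd SLOTID LABEL ATTRS KEYARG...; prints, never executes
    slot=$1 label=$2 wanted=$3; shift 3
    check_attrs "$wanted" >&2 || return 1
    echo "p11sak generate-key $* --slot $slot --pin \"\$PIN\" --label $label --attr $wanted"
}

# Constructed sample inputs: an encrypt/decrypt AES key with and without S.
for a in SED ED SXED; do
    if out=$(gen_cmd 1 demo-key "$a" aes 256 2>&1); then echo "$a ok: $out"
    else echo "$a rejected: $out"; fi
done
```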

 

--long | -l

prints the list-key output in long format. If omitted, the output is in a short, tabular format.

 

--force | -f

to be used with the remove-key command to suppress the prompt asking whether the user wants to delete the specified keys.

 

--help | -h

prints help for the usage of p11sak and/or the respective command.


 


This document was created by man2html, using the manual pages.