keylime_tenant - Man Page
Keylime tenant management tool for agent provisioning and policy management
Synopsis
keylime_tenant [Options] [COMMAND]
(Most operations require root privileges; run with sudo)
Description
keylime_tenant is the primary command-line interface for managing Keylime agents and policies. It allows users to provision agents with TPM-based attestation, manage runtime policies, measured boot policies, and interact with Keylime registrar and verifier services.
The tenant can add, delete, update, and monitor agents, as well as manage various types of policies including runtime policies (for IMA/EVM attestation) and measured boot policies (for boot-time attestation). It supports both push and pull models for agent communication.
You can run keylime_tenant on the same system as the Keylime registrar or verifier, or on a separate system.
Commands
- -c, --command COMMAND
Specify the command to execute. Valid commands are:
- add: Add a new agent to the system (default)
- delete: Remove an agent from the system
- update: Update an existing agent's configuration
- regstatus: Show agent status from registrar
- cvstatus: Show agent status from cloud verifier
- status: Show combined agent status
- reglist: List all agents in registrar
- cvlist: List all agents in cloud verifier
- reactivate: Reactivate a failed agent
- regdelete: Delete agent from registrar only
- bulkinfo: Get bulk information about agents
- addruntimepolicy: Add a runtime policy (requires --runtime-policy or --allowlist)
- showruntimepolicy: Display a runtime policy (requires --runtime-policy-name)
- deleteruntimepolicy: Remove a runtime policy (requires --runtime-policy-name)
- updateruntimepolicy: Update a runtime policy (requires --runtime-policy-name)
- listruntimepolicy: List all runtime policies
- addmbpolicy: Add a measured boot policy (requires --mb-policy-name)
- showmbpolicy: Display a measured boot policy (requires --mb-policy-name)
- deletembpolicy: Remove a measured boot policy (requires --mb-policy-name)
- updatembpolicy: Update a measured boot policy (requires --mb-policy-name)
- listmbpolicy: List all measured boot policies
Options
- -h, --help
Show help message and exit
- --push-model
Enable push model (avoid requests to keylime-agent)
- -t, --targethost AGENT_IP
The IP address of the host to provision
- -tp, --targetport AGENT_PORT
The port of the host to provision
- -r, --registrarhost REGISTRAR_IP
The IP address of the registrar from which to retrieve the agent's data
- -rp, --registrarport REGISTRAR_PORT
The port of the registrar
- --cv_targethost CV_AGENT_IP
The IP address of the host to provision that the verifier will use (optional). Use only if it differs from the argument to -t/--targethost
- -v, --cv VERIFIER_IP
The IP address of the cloud verifier
- -vp, --cvport VERIFIER_PORT
The port of the cloud verifier
- -vi, --cvid VERIFIER_ID
The unique identifier of a cloud verifier
- -nvc, --no-verifier-check
Disable the check to confirm if the agent is being processed by the specified verifier. Use only with -c/--command delete or reactivate
- -u, --uuid AGENT_UUID
UUID for the agent to provision
- -f, --file FILE
Deliver the specified plaintext file to the provisioned agent
- --cert CA_DIR
Create and deliver a certificate using a CA created by ca-util. Pass in the CA directory or use "default" to use the standard directory
- -k, --key KEYFILE
An intermediate key file produced by user_data_encrypt
- -p, --payload PAYLOAD
Specify the encrypted payload to deliver with encrypted keys specified by -k
- --include INCL_DIR
Include the additional files found in the given directory in the certificate zip file. Must be specified together with --cert
- --runtime-policy RUNTIME_POLICY
Specify the file path of a runtime policy
- --runtime-policy-checksum RUNTIME_POLICY_CHECKSUM
Specify the SHA-256 checksum of a runtime policy
- --runtime-policy-sig-key RUNTIME_POLICY_SIG_KEY
Specify the public key file used to validate the runtime policy signature
- --runtime-policy-url RUNTIME_POLICY_URL
Specify the URL of a remote runtime policy
- --runtime-policy-name RUNTIME_POLICY_NAME
The name of the runtime policy to operate with
- --mb-policy MB_POLICY
The measured boot policy to operate with
- --mb-policy-name MB_POLICY_NAME
The name of the measured boot policy to operate with
- --tpm_policy TPM_POLICY
Specify a TPM policy in JSON format. Example: {"15":"0000000000000000000000000000000000000000"}
- --verify
Block on cryptographically checked key derivation confirmation from the agent once it has been provisioned
- --supported-version SUPPORTED_VERSION
API version that is supported by the agent. Detected automatically by default
Deprecated Options
The following options are deprecated and may be removed in future versions:
- --allowlist ALLOWLIST
DEPRECATED: Migrate to runtime policies for continued functionality. Specify the file path of an allowlist
- --allowlist-url ALLOWLIST_URL
DEPRECATED: Migrate to runtime policies for continued functionality. Specify the URL of a remote allowlist
- --allowlist-name ALLOWLIST_NAME
DEPRECATED: Migrate to runtime policies for continued functionality. The name of the allowlist to operate with
- --exclude IMA_EXCLUDE
DEPRECATED: Migrate to runtime policies for continued functionality. Specify the location of an IMA exclude list
- --mb_refstate MB_POLICY
DEPRECATED: Use --mb-policy instead. Specify the location of a measured boot reference state
- --signature-verification-key IMA_SIGN_VERIFICATION_KEYS
DEPRECATED: Provide verification keys as part of a runtime policy for continued functionality. Specify an IMA file signature verification key
Examples
Add a new agent:
sudo keylime_tenant -c add -t 192.168.1.100 -u agent-001
Add an agent with runtime policy:
sudo keylime_tenant -c add -t 192.168.1.100 -u agent-001 --runtime-policy /path/to/policy.json
Check agent status:
sudo keylime_tenant -c status -u agent-001
Delete an agent:
sudo keylime_tenant -c delete -u agent-001
List all agents:
sudo keylime_tenant -c cvlist
Add a runtime policy:
sudo keylime_tenant -c addruntimepolicy --runtime-policy-name my-policy --runtime-policy /path/to/policy.json
Add a measured boot policy:
sudo keylime_tenant -c addmbpolicy --mb-policy-name my-mb-policy --mb-policy /path/to/mb-policy.json
Provision agent with certificate delivery:
sudo keylime_tenant -c add -t 192.168.1.100 -u agent-001 --cert default
Provision agent with custom verifier:
sudo keylime_tenant -c add -t 192.168.1.100 -u agent-001 -v 192.168.1.200 -vp 8881
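Added example (not part of the man page or the Keylime project): pin a runtime policy to its SHA-256 with --runtime-policy-checksum, so the verifier rejects a policy file that no longer matches what the operator reviewed. The policy content, agent IP and UUID are constructed placeholders; the command line is printed, not executed.

```shell
# Compute the hex SHA-256 of the file given as $1 (coreutils sha256sum,
# falling back to shasum on systems without it).
policy_checksum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

# Build the keylime_tenant "add" invocation for an agent, refusing to do so
# when the policy on disk does not match the expected checksum.
#   $1 = agent IP  $2 = agent UUID  $3 = policy path  $4 = expected SHA-256
build_add_command() {
  actual=$(policy_checksum "$3")
  if [ "$actual" != "$4" ]; then
    echo "policy checksum mismatch: expected $4, got $actual" >&2
    return 1
  fi
  printf 'sudo keylime_tenant -c add -t %s -u %s --runtime-policy %s --runtime-policy-checksum %s\n' \
    "$1" "$2" "$3" "$actual"
}

# Constructed sample: a placeholder policy file, not a real Keylime runtime policy.
demo_dir=$(mktemp -d)
printf '{"meta":{"version":1},"digests":{}}' > "$demo_dir/policy.json"
reviewed_sum=$(policy_checksum "$demo_dir/policy.json")   # recorded at review time
build_add_command 192.168.1.100 agent-001 "$demo_dir/policy.json" "$reviewed_sum"
```

Should someone later edit policy.json, the recorded checksum no longer matches and the function refuses to emit the command.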
Files
- /etc/keylime/tenant.conf
Default configuration file for keylime_tenant. Contains all tenant-related settings.
Prerequisites
- Keylime verifier service running (default: 127.0.0.1:8881)
- Keylime registrar service running (default: 127.0.0.1:8891)
- Root privileges (use sudo)
- Network connectivity to registrar and verifier services
- Valid TLS configuration in /etc/keylime/tenant.conf
See Also
keylime_verifier(8), keylime_registrar(8), keylime_agent(8)
For more information about Keylime, visit: <https://keylime.dev>
Bugs
Report bugs to the Keylime project at: <https://github.com/keylime/keylime/issues>
Author
Keylime Developers
Referenced By
keylime-policy(1), keylime_registrar(8), keylime_verifier(8).