yhsm-generate-keys man page

yhsm-generate-keys ā€” Generate AEADs with secrets for YubiKeys using a YubiHSM


yhsm-generate-keys --key-handles KEY_HANDLES --start-public-id START_ID [options]


With this tool, a YubiHSM can generate random secrets (using it's internal true random number generator), and these secrets protected in AEAD files can be stored on the host computer.

The AEADs will be ready to be used by for example yhsm-yubikey-ksm(1) ), as a part of a YubiKey OTP validation service.

To program YubiKeys with the generated secrets, it is possible to decrypt the AEADs (knowledge of the AES key used inside the YubiHSM is required) using yhsm-decrypt-aead(1)


-D, --device

Device file name (default: /dev/ttyACM0).

-v, --verbose

Enable verbose operation.


Enable debug printout, including all data sent to/from YubiHSM.

-O dir

Base output directory (default: /var/cache/yubikey-ksm/aeads).

-c integer

Number of AEADs to generate.

--public-id-chars integer

Number of chars in generated public ids (default: 12). Changing this might not work well.

--key-handles kh [kh ...]

Key handles to encrypt the generated secrets with. Examples : "1", "0xabcd".

--start-public-id id

Public id of the first generated secret, in modhex.


Use random nonce generated from YubiHSM.

Exit Status


Secrets generated successfully.


Failed to generate secrets.


Report python-pyhsm/yhsm-generate-keys bugs in the issue tracker

See Also

The home page

YubiHSMs and YubiKeys can be obtained from Yubico.

Referenced By


June 2012 python-pyhsm