yubihsm-shell - Man Page

manual page for yubihsm-shell 2.4.2


yubihsm-shell [OPTION]...


-h,  --help

Print help and exit


Print help, including hidden options, and exit

-V,  --version

Print version and exit

-a,  --action=ENUM

Action to perform  (possible values="benchmark", "blink-device", "create-otp-aead", "decrypt-aesccm", "decrypt-aescbc", "decrypt-aesecb", "decrypt-oaep", "decrypt-otp", "decrypt-pkcs1v15", "delete-object", "derive-ecdh", "encrypt-aesccm", "encrypt-aescbc", "encrypt-aesecb", "generate-asymmetric-key", "generate-hmac-key", "generate-otp-aead-key", "generate-wrap-key", "generate-symmetric-key", "get-device-info", "get-logs", "get-object-info", "get-opaque", "get-option", "get-pseudo-random", "get-public-key", "get-storage-info", "get-template", "get-wrapped", "get-device-pubkey", "list-objects", "put-asymmetric-key", "put-authentication-key", "put-hmac-key", "put-opaque", "put-option", "put-otp-aead-key", "put-symmetric-key", "put-template", "put-wrap-key", "put-wrapped", "randomize-otp-aead", "reset", "set-log-index", "sign-attestation-certificate", "sign-ecdsa", "sign-eddsa", "sign-hmac", "sign-pkcs1v15", "sign-pss", "sign-ssh-certificate")

-p,  --password=STRING

Authentication password


Authentication key  (default=`1')

-i,  --object-id=SHORT

Object ID  (default=`0')

-l,  --label=STRING

Object label  (default=`')

-d,  --domains=STRING

Object domains (default=`1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16')

-c,  --capabilities=STRING

Capabilities for an object  (default=`0')

-t,  --object-type=STRING

Object type  (default=`any')

-y,  --ykhsmauth-label=STRING

Credential label on YubiKey (implicitly enables ykhsmauth)

-r,  --ykhsmauth-reader=STRING

Only use a matching YubiKey reader name



Delegated capabilities  (default=`0')


New authentication password

-A,  --algorithm=STRING

Operation algorithm  (default=`any')


OTP nonce


An initialization vector as a hexadecimal string


Number of bytes to request  (default=`256')


Blink duration in seconds  (default=`10')


Wrap key ID


Template ID


Attestation ID


Log index


Device option name


Device option value


Input data (filename)  (default=`-')


Output data (filename)  (default=`-')


Input format  (possible values="default", "base64", "binary", "PEM", "password", "hex", "ASCII" default=`default')


Input and output format  (possible values="default", "base64", "binary", "PEM", "hex", "ASCII" default=`default')

-f,  --config-file=STRING

Configuration file to read  (default=`')

-C,  --connector=STRING

List of connectors to use


HTTPS cacert for connector


HTTPS client certificate to authenticate with


HTTPS client certificate key


Proxy server to use for connector


Comma-separated list of hosts to ignore the proxy for

-v,  --verbose=INT

Print more information  (default=`0')

-P,  --pre-connect

Connect immediately in interactive mode (default=off)


January 2024 yubihsm-shell 2.4.2