The yubihsm-shell is the administrative and testing tool you can use to interact with and configure the YubiHSM 2 device.
The Shell can be invoked in two different ways: interactively, or as a command-line tool useful for scripting.
Additional information on the various commands can be obtained with the help command in interactive mode or by referring to the --help argument for the command-line mode.
Examples of commands can also be found in the Commands documentation section.
Commands and subcommands require specific arguments to work. The Shell will return an error message if the command syntax is incorrect, pointing at the first invalid argument.
Arguments have different types. In interactive mode pre-defined values for command types can be tab-completed (Tab Completion does not work on Windows).
Possible command types are:
| Argument Identifier | Type | Description |
|---|---|---|
u |
number |
A generic (hex or dec) unsigned number |
w |
word |
A generic (hex or dec) 16-bit unsigned number |
b |
byte |
A generic (hex or dec) 8-bit unsigned number |
i |
input data |
Input data, generally defaults to standard input |
F |
output filename |
Output file name, generally defaults to standard output |
s |
string |
A generic string (use quotes for strings including white spaces) |
e |
session |
The ID of an already-established Session |
d |
domains |
A list of Domains, either in hex (e.g., 0xffff) or string form (eg., 3,5,14) |
c |
capabilities |
A list of Capabilities either in hex (e.g., 0xffffffffffffffff) or string (e.g., sign-pkcs,sign-pss,get-log-entries) form |
a |
algorithm |
An algorithm in string form (e.g., eccp256) |
t |
type |
An Object Type in string form (e.g., Asymmetric) |
o |
option |
A device-global option in string form (e.g., force-audit) |
I |
format |
A format specifier in string form (e.g., base64) |
Different commands have different default formats. These can be listed by invoking help on a specific command. For example, the help sign will contain the following lines:
pss Sign data using RSASSA-PSS (default input format: binary)
e:session,w:key_id,a:algorithm,i:data=-,F:out=-
As it can be seen, the input format is binary. Additionally, arguments to a command that have =- after their type and name (like i:data and F:out in the example above), use the standard input or standard output by default for reading data.
Different levels of debug output can be enabled by using the -v flag in command-line mode, or by issuing the debug LEVEL command in interactive mode, where LEVEL is one of all, crypto, error, info, intermediate, none or raw.