P11SAK(1) openCryptoki P11SAK(1)

p11sak - generate and list token keys in an openCryptoki token repository.

p11sak command [ARGS] [OPTIONS]

p11sak --help|-h

p11sak can be used to generate, list and delete the token keys in an
openCryptoki token repository. The utility provides a flexible key
management tool in openCryptoki to list and generate symmetric (DES,
3DES, AES) and asymmetric (RSA, EC) keys. This tool is especially
capable of a well-defined listing of keys with their PKCS #11 attributes.

The p11sak tool can operate in three modes: when command generate-key
is specified, it operates in the mode to generate a token key in the
openCryptoki token repository. If command list-key is given, it lists
the keys specified in the arguments. If command remove-key is given,
it removes the keys specified in the arguments.

generate-key
Use the generate-key|gen-key|gen command and key argument to generate a
token key with the respective [ARGS] and [OPTIONS]. The --help|-h
option will show the arguments and options available.

list-key
Use the list-key|ls-key|ls command and key argument to list token keys
given the respective [ARGS] and [OPTIONS]. The --help|-h option will
show the arguments and options available.

remove-key
Use the remove-key|rm-key|rm command and key argument to delete token
keys given the respective [ARGS] and [OPTIONS]. The --help|-h option
will show the arguments and options available.

Generating DES/3DES keys
p11sak generate-key|gen-key|gen des|3des --slot SLOTID --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key command with the des|3des key argument to generate
a DES or 3DES key. The --slot SLOTID and --pin PIN options are required
to set the token to SLOTID and the token PIN. The --label option allows
the user to set the LABEL attribute of the key and --attr
[MRLSEDGVWUAXNT] can be used to set the binary attributes of the key
(see below for detailed description of the attributes).

Generating AES keys
p11sak generate-key|gen-key|gen aes 128|192|256 --slot SLOTID --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key aes 128|192|256 command and key argument to
generate an AES key with 128, 192 or 256 bit length, respectively. The
--slot SLOTID and --pin PIN options are required to set the token to
SLOTID and the token PIN. The --label option allows the user to set the
LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to
set the binary attributes of the key (see below for detailed
description of the attributes).

Generating RSA keys
p11sak generate-key|gen-key|gen rsa 1024|2048|4096 --slot SLOTID --pin PIN --label LABEL --exponent EXP --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key rsa 1024|2048|4096 command and key argument to
generate a 1024, 2048 or 4096 bit RSA key, respectively. The --slot
SLOTID and --pin PIN options are required to set the token to SLOTID
and the token PIN. The --label option allows the user to set the LABEL
attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the
binary attributes of the key (see below for detailed description of the
attributes). Furthermore, the --exponent EXP option allows the user to
specify the exponent used for generating the RSA key. The default is
set to 65537 according to the PKCS #11 standard.

Generating EC keys
p11sak generate-key|gen-key|gen ec CURVE --slot SLOTID --pin PIN --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

Use the generate-key ec CURVE command and key argument to generate an
EC key, where CURVE specifies the elliptic curve used to create the EC
key. The following arguments can be used for respective curves:
prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
brainpoolP512r1 | brainpoolP512t1

Note: not all curves will be supported by all tokens and key generation
will fail when the specified CURVE is not supported. The --slot SLOTID
and --pin PIN options are required to set the token to SLOTID and the
token PIN. The --label option allows the user to set the LABEL
attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the
binary attributes of the key (see below for detailed description of the
attributes).

Listing symmetric and asymmetric keys
p11sak list-key|ls-key|ls des|3des|aes|rsa|ec|public|private|secret --slot SLOTID --pin PIN --long | -l --help | -h

Use the list-key | ls-key | ls command and key argument to list DES,
3DES, AES, RSA or EC keys, respectively. Public, private or secret keys
can also be listed irrespective of key type.

Deleting symmetric and asymmetric keys
p11sak remove-key|rm-key|rm des|3des|aes|rsa|ec --slot SLOTID --pin PIN --label LABEL --force | -f --help | -h

Use the remove-key | rm-key | rm command and key argument to delete
DES, 3DES, AES, RSA or EC keys, respectively. All keys of the specified
cipher will be offered for deletion unless a specific key is selected
with the --label LABEL argument. The user will be prompted to confirm
the deletion of the key. To suppress the prompt, use the --force | -f
option.

des | 3des | aes | rsa | ec | public | private | secret
selects the respective symmetric or asymmetric key to be generated or
listed. The public|private|secret argument can only be used with the
list-key command to list either public, private or secret keys.

128|192|256
the aes argument has to be followed by either 128, 192 or 256 to set
the respective key bit length of the AES key.

1024|2048|4096
the rsa argument has to be followed by either 1024, 2048 or 4096 to set
the respective key bit length of the RSA key.

prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
brainpoolP512r1 | brainpoolP512t1
the ec argument has to be followed by one of these CURVE values to
select the EC curve used to generate the key.

--slot SLOTID
sets the token to SLOTID

--pin PIN
sets the token PIN to PIN

--label LABEL
sets the key label attribute to LABEL

--exponent EXP
sets the RSA exponent to EXP

--attr [M R L S E D G V W U A X N T]
sets the binary attributes of a key.

Note: not all binary attributes are applicable to all keys and will be
omitted if not applicable.

The attributes are set to FALSE by default and switched to TRUE when
the letter that is associated with the given binary attribute is
specified. The following letters are associated with the respective
CK_ATTRIBUTE:

• M - CKA_MODIFIABLE
• R - CKA_DERIVE
• L - CKA_LOCAL
• S - CKA_SENSITIVE
• E - CKA_ENCRYPT
• D - CKA_DECRYPT
• G - CKA_SIGN
• V - CKA_VERIFY
• W - CKA_WRAP
• U - CKA_UNWRAP
• A - CKA_ALWAYS_SENSITIVE
• X - CKA_EXTRACTABLE
• N - CKA_NEVER_EXTRACTABLE

CKA_TOKEN and CKA_PRIVATE are set by default to TRUE. For multiple
attributes, combine the letters in a string without white space, e.g.
'MLD'.

--long | -l
prints the list-key output in long format. If omitted, the output is in
a short, tabular format.

--force | -f
to be used with the remove-key command to suppress the prompt whether
the user wants to delete the specified keys.

--help | -h
prints help for the usage of p11sak and/or the respective command.
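
Because every --attr letter that is not given leaves its attribute FALSE, a string can be checked before it is passed to generate-key; the script below is an added example, not part of p11sak or openCryptoki. The function names attr_name and audit_attrs are hypothetical, and the findings reflect PKCS #11 attribute semantics rather than any check p11sak performs itself.

```shell
#!/bin/sh
# Added example: lint a p11sak --attr string before generating a key.
# Letter mapping is copied from the list on this page. T appears in the
# synopsis but is not described here, so it is accepted without a name.

attr_name() {
  case "$1" in
    M) echo CKA_MODIFIABLE ;;
    R) echo CKA_DERIVE ;;
    L) echo CKA_LOCAL ;;
    S) echo CKA_SENSITIVE ;;
    E) echo CKA_ENCRYPT ;;
    D) echo CKA_DECRYPT ;;
    G) echo CKA_SIGN ;;
    V) echo CKA_VERIFY ;;
    W) echo CKA_WRAP ;;
    U) echo CKA_UNWRAP ;;
    A) echo CKA_ALWAYS_SENSITIVE ;;
    X) echo CKA_EXTRACTABLE ;;
    N) echo CKA_NEVER_EXTRACTABLE ;;
    T) echo "(not described on this page)" ;;
    *) return 1 ;;
  esac
}

# Prints one finding per line. Status: 0 clean, 1 findings, 2 invalid letter.
audit_attrs() {
  _attrs=$1 _rest=$1 _rc=0
  while [ -n "$_rest" ]; do
    _c=${_rest%"${_rest#?}"}   # first character of the remainder
    _rest=${_rest#?}
    attr_name "$_c" >/dev/null || { echo "ERROR: unknown letter '$_c'"; return 2; }
  done
  # Letters that are not given stay FALSE, so no S means CKA_SENSITIVE=FALSE.
  case $_attrs in *S*) ;; *) echo "WARN: S missing, CKA_SENSITIVE stays FALSE"; _rc=1 ;; esac
  case $_attrs in *X*) echo "WARN: X sets CKA_EXTRACTABLE=TRUE, key can be wrapped out"; _rc=1 ;; esac
  case $_attrs in *S*) ;; *X*) echo "HIGH: extractable and not sensitive, value readable in plaintext"; _rc=1 ;; esac
  case $_attrs in *X*N*|*N*X*) echo "WARN: X and N are contradictory"; _rc=1 ;; esac
  return $_rc
}

# Constructed sample strings, not taken from a real token.
for s in SED EDX SXN SEQ; do
  echo "$s:"; audit_attrs "$s" | sed 's/^/  /'
done
```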

3.16.0 May 2020 P11SAK(1)