P11SAK(1)                        openCryptoki                        P11SAK(1)

NAME
       p11sak - generate and list token keys in an openCryptoki token
       repository.

SYNOPSIS
       p11sak command [ARGS] [OPTIONS]

       p11sak --help|-h

DESCRIPTION
       p11sak can be used to generate, list and delete the token keys in an
       openCryptoki token repository. The utility provides a flexible key
       management tool in openCryptoki to list and generate symmetric (DES,
       3DES, AES) and asymmetric (RSA, EC) keys. This tool is especially
       capable of a well-defined listing of keys with their PKCS #11
       attributes.

COMMANDS
       The p11sak tool can operate in three modes: when command generate-key
       is specified, it operates in the mode to generate a token key in the
       openCryptoki token repository. If command list-key is given, it lists
       the keys specified in the arguments. If command remove-key is given,
       it removes the keys specified in the arguments.

   generate-key
       Use the generate-key|gen-key|gen command and key argument to generate a
       token key with the respective [ARGS] and [OPTIONS]. The --help|-h
       option will show the arguments and options available.

   list-key
       Use the list-key|ls-key|ls command and key argument to list token keys
       given the respective [ARGS] and [OPTIONS]. The --help|-h option will
       show the arguments and options available.

   remove-key
       Use the remove-key|rm-key|rm command and key argument to delete token
       keys given the respective [ARGS] and [OPTIONS]. The --help|-h option
       will show the arguments and options available.

   Generating DES/3DES keys
       p11sak generate-key|gen-key|gen des|3des --slot SLOTID --pin PIN
       --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

       Use the generate-key command with the des|3des key argument to generate
       a DES or 3DES key. The --slot SLOTID and --pin PIN options are required
       to set the token to SLOTID and the token PIN. The --label option allows
       the user to set the LABEL attribute of the key and --attr
       [MRLSEDGVWUAXNT] can be used to set the binary attributes of the key
       (see below for detailed description of the attributes).

   Generating AES keys
       p11sak generate-key|gen-key|gen aes 128|192|256 --slot SLOTID --pin PIN
       --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

       Use the generate-key aes 128|192|256 command and key argument to
       generate an AES key with 128, 192 or 256 bit length, respectively. The
       --slot SLOTID and --pin PIN options are required to set the token to
       SLOTID and the token PIN. The --label option allows the user to set the
       LABEL attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to
       set the binary attributes of the key (see below for detailed
       description of the attributes).

   Generating RSA keys
       p11sak generate-key|gen-key|gen rsa 1024|2048|4096 --slot SLOTID --pin
       PIN --label LABEL --exponent EXP --attr [MRLSEDGVWUAXNT] --help | -h

       Use the generate-key rsa 1024|2048|4096 command and key argument to
       generate a 1024, 2048 or 4096 bit RSA key, respectively. The --slot
       SLOTID and --pin PIN options are required to set the token to SLOTID
       and the token PIN. The --label option allows the user to set the LABEL
       attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the
       binary attributes of the key (see below for detailed description of the
       attributes). Furthermore, the --exponent EXP option allows the user to
       specify the exponent used for generating the RSA key. The default is
       set to 65537 according to the PKCS #11 standard.

   Generating EC keys
       p11sak generate-key|gen-key|gen ec CURVE --slot SLOTID --pin PIN
       --label LABEL --attr [MRLSEDGVWUAXNT] --help | -h

       Use the generate-key ec CURVE command and key argument to generate an
       EC key, where CURVE specifies the elliptic curve used to create the EC
       key. The following arguments can be used for the respective curves:
       prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
       brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
       brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
       brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
       brainpoolP512r1 | brainpoolP512t1

       Note: not all curves will be supported by all tokens and key generation
       will fail when the specified CURVE is not supported. The --slot SLOTID
       and --pin PIN options are required to set the token to SLOTID and the
       token PIN. The --label option allows the user to set the LABEL
       attribute of the key and --attr [MRLSEDGVWUAXNT] can be used to set the
       binary attributes of the key (see below for detailed description of the
       attributes).

   Listing symmetric and asymmetric keys
       p11sak list-key|ls-key|ls des|3des|aes|rsa|ec|public|private|secret
       --slot SLOTID --pin PIN --long | -l --help | -h

       Use the list-key | ls-key | ls command and key argument to list DES,
       3DES, AES, RSA or EC keys, respectively. Public, private or secret keys
       can also be listed irrespective of key type.

   Deleting symmetric and asymmetric keys
       p11sak remove-key|rm-key|rm des|3des|aes|rsa|ec --slot SLOTID --pin PIN
       --label LABEL --force | -f --help | -h

       Use the remove-key | rm-key | rm command and key argument to delete
       DES, 3DES, AES, RSA or EC keys, respectively. All keys of the specified
       cipher will be offered for deletion unless a specific key is selected
       with the --label LABEL argument. The user will be prompted to confirm
       the deletion of the key. To suppress the prompt, use the --force | -f
       option.

ARGS
   des | 3des | aes | rsa | ec | public | private | secret
       selects the respective symmetric or asymmetric key to be generated or
       listed. The public|private|secret argument can only be used with the
       list-key command to list either public, private or secret keys.

   128|192|256
       the aes argument has to be followed by either 128, 192 or 256 to set
       the respective key bit length of the AES key.

   1024|2048|4096
       the rsa argument has to be followed by either 1024, 2048 or 4096 to set
       the respective key bit length of the RSA key.

   prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 |
       brainpoolP160r1 | brainpoolP160t1 | brainpoolP192r1 | brainpoolP192t1 |
       brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1 |
       brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 |
       brainpoolP512r1 | brainpoolP512t1
       the ec argument has to be followed by one of these CURVE values to
       select the EC curve used to generate the key.

OPTIONS
   --slot SLOTID
       sets the token to SLOTID

   --pin PIN
       sets the token PIN to PIN

   --label LABEL
       sets the key label attribute to LABEL

   --exponent EXP
       sets the RSA exponent to EXP

   --attr [M R L S E D G V W U A X N T]
       sets the binary attributes of a key.

       Note: not all binary attributes are applicable to all keys and will be
       omitted if not applicable.

       The attributes are set to FALSE by default and switched to TRUE when
       the letter that is associated with the given binary attribute is
       specified. The following letters are associated with the respective
       CK_ATTRIBUTE:

       M - CKA_MODIFIABLE
       R - CKA_DERIVE
       L - CKA_LOCAL
       S - CKA_SENSITIVE
       E - CKA_ENCRYPT
       D - CKA_DECRYPT
       G - CKA_SIGN
       V - CKA_VERIFY
       W - CKA_WRAP
       U - CKA_UNWRAP
       A - CKA_ALWAYS_SENSITIVE
       X - CKA_EXTRACTABLE
       N - CKA_NEVER_EXTRACTABLE

       CKA_TOKEN and CKA_PRIVATE are set by default to TRUE. For multiple
       attributes, combine the letters in a string without white space, e.g.
       'MLD'.

   --long | -l
       prints the list-key output in long format. If omitted, the output is in
       a short, tabular format.

   --force | -f
       to be used with the remove-key command to suppress the prompt whether
       the user wants to delete the specified keys.

   --help | -h
       prints help for the usage of p11sak and/or the respective command.

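The letter-to-attribute mapping of --attr, as an added shell example that is not part of the p11sak manual or the openCryptoki code: the hypothetical helpers attr_name and expand_attr expand an --attr string into the CKA_* names listed above so it can be reviewed before it is passed to p11sak. Two assumptions go beyond this page: T appears in the option synopsis but not in the list, so it is passed through unnamed, and the consistency check (N together with X, or A without S) follows the PKCS #11 meaning of CKA_NEVER_EXTRACTABLE and CKA_ALWAYS_SENSITIVE, not a rule p11sak is stated to enforce.

```shell
#!/bin/sh
# Added example, not from the p11sak manual; helper names are hypothetical.

# attr_name LETTER: print the CK_ATTRIBUTE documented for one --attr letter.
attr_name() {
    case "$1" in
        M) echo CKA_MODIFIABLE ;;
        R) echo CKA_DERIVE ;;
        L) echo CKA_LOCAL ;;
        S) echo CKA_SENSITIVE ;;
        E) echo CKA_ENCRYPT ;;
        D) echo CKA_DECRYPT ;;
        G) echo CKA_SIGN ;;
        V) echo CKA_VERIFY ;;
        W) echo CKA_WRAP ;;
        U) echo CKA_UNWRAP ;;
        A) echo CKA_ALWAYS_SENSITIVE ;;
        X) echo CKA_EXTRACTABLE ;;
        N) echo CKA_NEVER_EXTRACTABLE ;;
        T) echo "T(not-listed-on-this-page)" ;;  # in the synopsis, no mapping given
        *) return 1 ;;                           # unknown letter or white space
    esac
}

# expand_attr STRING: print the attributes that STRING switches to TRUE.
# Returns 1 for an invalid character, 2 for a contradictory combination.
expand_attr() {
    attrs=$1 rest=$1 out=""
    while [ -n "$rest" ]; do
        tail=${rest#?}              # everything after the first character
        c=${rest%"$tail"}           # the first character itself
        name=$(attr_name "$c") || return 1
        out="${out:+$out }$name"
        rest=$tail
    done
    # Assumption (PKCS #11 semantics): a key cannot be both extractable and
    # never-extractable, or always-sensitive without being sensitive.
    case "$attrs" in *N*) case "$attrs" in *X*) return 2 ;; esac ;; esac
    case "$attrs" in *A*) case "$attrs" in *S*) ;; *) return 2 ;; esac ;; esac
    echo "$out"
}

# Typical use, with the placeholders of this manual page:
#   expand_attr SGV && p11sak gen-key ec prime256v1 --slot SLOTID \
#       --pin PIN --label LABEL --attr SGV
```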
3.16.0                             May 2020                          P11SAK(1)