diff options
Diffstat (limited to 'Documentation/nvme-gen-tls-key.txt')
| -rw-r--r-- | Documentation/nvme-gen-tls-key.txt | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/Documentation/nvme-gen-tls-key.txt b/Documentation/nvme-gen-tls-key.txt new file mode 100644 index 0000000..772c7bc --- /dev/null +++ b/Documentation/nvme-gen-tls-key.txt @@ -0,0 +1,99 @@ +nvme-gen-tls-key(1) +====================== + +NAME +---- +nvme-gen-tls-key - Generate a NVMe TLS PSK + +SYNOPSIS +-------- +[verse] +'nvme gen-tls-key' [--keyring=<name> | -k <name>] + [--keytype=<type> | -t <type>] + [--hostnqn=<nqn> | -n <nqn>] + [--subsysnqn=<nqn> | -c <nqn>] + [--hmac=<hmac-id> | -h <hmac-id>] + [--identity=<id-vers> | -I <id-vers>] + [--secret=<secret> | -s <secret>] + [--insert | -i] + [--output-format=<fmt> | -o <fmt>] [--verbose | -v] + +DESCRIPTION +----------- +Generate a base64-encoded NVMe TLS pre-shared key (PSK). +The resulting key is either printed in the PSK interchange format +'NVMeTLSkey-1:01:<base64 encoded data>:' or inserted as a +'retained' key into the specified keyring if the '--insert' option +is given. +When the PSK should be inserted into the keyring a 'retained' key +is derived from the secret key material. The resulting 'retained' +key is stored with the identity +'NVMe0R0<hmac> <host NQN> <subsystem NQN>' +(for identity version '0') or +'NVMe1R0<hmac> <host NQN> <subsystem NQN> <PSK hash>' +(for identity version '1') in the keyring. +The 'retained' key is derived from the secret key material, +the specified subsystem NQN, and the host NQN. +Once the 'retained' key is stored in the keyring the original +secret key material cannot be retrieved. + +OPTIONS +------- +-k <name>:: +--keyring=<name>:: + Name of the keyring into which the 'retained' TLS key should be + stored. Default is '.nvme'. + +-t <type>:: +--keytype=<type>:: + Type of the key for resulting TLS key. + Default is 'psk'. + +-n <nqn>:: +--hostnqn=<nqn>:: + Host NVMe Qualified Name (NQN) to be used to derive the + 'retained' TLS key + +-c <nqn>:: +--subsysnqn=<nqn>:: + Subsystem NVMe Qualified Name (NQN) to be used to derive the + 'retained' TLS key + +-h <hmac-id>:: +--hmac=<hmac-id>:: + Select a HMAC algorithm to use. Possible values are: + 1 - SHA-256 (default) + 2 - SHA-384 + +-I <vers>:: +--identity=<id-vers>:: + Select the TLS identity to use. Possible values are: + 0 - Original NVMe TLS 1.0c identity + 1 - NVMe TLS 2.0 (TP8018) identity + +-s <secret>:: +--secret=<secret>:: + Secret value (in hexadecimal) to be used for the key. If none are + provided a random value is used. + +-i:: +--insert:: + Insert the resulting TLS key into the keyring without printing out + the key in PSK interchange format. + +-o <fmt>:: +--output-format=<fmt>:: + Set the reporting format to 'normal', 'json' or 'binary'. Only one + output format can be used at a time. + +-v:: +--verbose:: + Increase the information detail in the output. + +EXAMPLES +-------- +No Examples + +NVME +---- +Part of the nvme-user suite |