summaryrefslogtreecommitdiffstats
path: root/Documentation/nvme-gen-tls-key.txt
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/nvme-gen-tls-key.txt')
-rw-r--r--Documentation/nvme-gen-tls-key.txt99
1 files changed, 99 insertions, 0 deletions
diff --git a/Documentation/nvme-gen-tls-key.txt b/Documentation/nvme-gen-tls-key.txt
new file mode 100644
index 0000000..772c7bc
--- /dev/null
+++ b/Documentation/nvme-gen-tls-key.txt
@@ -0,0 +1,99 @@
+nvme-gen-tls-key(1)
+======================
+
+NAME
+----
+nvme-gen-tls-key - Generate a NVMe TLS PSK
+
+SYNOPSIS
+--------
+[verse]
+'nvme gen-tls-key' [--keyring=<name> | -k <name>]
+ [--keytype=<type> | -t <type>]
+ [--hostnqn=<nqn> | -n <nqn>]
+ [--subsysnqn=<nqn> | -c <nqn>]
+ [--hmac=<hmac-id> | -h <hmac-id>]
+ [--identity=<id-vers> | -I <id-vers>]
+ [--secret=<secret> | -s <secret>]
+ [--insert | -i]
+ [--output-format=<fmt> | -o <fmt>] [--verbose | -v]
+
+DESCRIPTION
+-----------
+Generate a base64-encoded NVMe TLS pre-shared key (PSK).
+The resulting key is either printed in the PSK interchange format
+'NVMeTLSkey-1:01:<base64 encoded data>:' or inserted as a
+'retained' key into the specified keyring if the '--insert' option
+is given.
+When the PSK should be inserted into the keyring a 'retained' key
+is derived from the secret key material. The resulting 'retained'
+key is stored with the identity
+'NVMe0R0<hmac> <host NQN> <subsystem NQN>'
+(for identity version '0') or
+'NVMe1R0<hmac> <host NQN> <subsystem NQN> <PSK hash>'
+(for identity version '1') in the keyring.
+The 'retained' key is derived from the secret key material,
+the specified subsystem NQN, and the host NQN.
+Once the 'retained' key is stored in the keyring the original
+secret key material cannot be retrieved.
+
+OPTIONS
+-------
+-k <name>::
+--keyring=<name>::
+ Name of the keyring into which the 'retained' TLS key should be
+ stored. Default is '.nvme'.
+
+-t <type>::
+--keytype=<type>::
+ Type of the key for resulting TLS key.
+ Default is 'psk'.
+
+-n <nqn>::
+--hostnqn=<nqn>::
+ Host NVMe Qualified Name (NQN) to be used to derive the
+ 'retained' TLS key
+
+-c <nqn>::
+--subsysnqn=<nqn>::
+ Subsystem NVMe Qualified Name (NQN) to be used to derive the
+ 'retained' TLS key
+
+-h <hmac-id>::
+--hmac=<hmac-id>::
+ Select a HMAC algorithm to use. Possible values are:
+ 1 - SHA-256 (default)
+ 2 - SHA-384
+
+-I <vers>::
+--identity=<id-vers>::
+ Select the TLS identity to use. Possible values are:
+ 0 - Original NVMe TLS 1.0c identity
+ 1 - NVMe TLS 2.0 (TP8018) identity
+
+-s <secret>::
+--secret=<secret>::
+ Secret value (in hexadecimal) to be used for the key. If none are
+ provided a random value is used.
+
+-i::
+--insert::
+ Insert the resulting TLS key into the keyring without printing out
+ the key in PSK interchange format.
+
+-o <fmt>::
+--output-format=<fmt>::
+ Set the reporting format to 'normal', 'json' or 'binary'. Only one
+ output format can be used at a time.
+
+-v::
+--verbose::
+ Increase the information detail in the output.
+
+EXAMPLES
+--------
+No Examples
+
+NVME
+----
+Part of the nvme-user suite