'\" t
.\" Title: nvme-tls-key
.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\" Date: 10/31/2024
.\" Manual: NVMe Manual
.\" Source: NVMe
.\" Language: English
.\"
.TH "NVME\-TLS\-KEY" "1" "10/31/2024" "NVMe" "NVMe Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nvme-tls-key \- Manage NVMe TLS PSKs
.SH "SYNOPSIS"
.sp
.nf
\fInvme tls\-key\fR [\-\-keyring=<name> | \-k <name>]
[\-\-keytype=<type> | \-t <type>]
[\-\-keyfile=<file> | \-f <file>]
[\-\-import | \-i] [\-\-export | \-e]
[\-\-revoke=<description> | \-r <description>]
[\-\-verbose | \-v]
.fi
.SH "DESCRIPTION"
.sp
Import, export or remove NVMe TLS pre\-shared keys (PSKs) from the system keystore\&. When the \fI\-\-export\fR option is given, all NVMe TLS PSKs are exported in the form
.sp
<description> <psk>
.sp
where \fI<description>\fR is the key description from the exported key and \fI<psk>\fR is the key data in PSK interchange format \fINVMeTLSkey\-1:01:<base64 encoded data>:\fR\&. Each key is exported on a single line\&. When the \fI\-\-import\fR option is given, key data is read in the same format and imported into the kernel keystore\&.
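.sp
The following Python code is an added example, not part of nvme or its documentation\&. It checks an export file line by line before it is passed to \fI\-\-import\fR, assuming (from the NVMe/TCP PSK interchange format, not from this page) that the base64 data is a 32\- or 48\-byte PSK followed by its little\-endian CRC\-32 and that the second field is a hash identifier 00, 01 or 02; all function names are hypothetical\&.
.sp
.nf
```python
import base64
import binascii
import struct

# Assumptions (not stated on this man page): the base64 payload is the PSK
# followed by its CRC-32 in little-endian order, the PSK is 32 or 48 bytes,
# and the second field is a hash identifier (00, 01 or 02).
PREFIX = "NVMeTLSkey-1"
HASH_IDS = {"00", "01", "02"}
PSK_LENGTHS = {32, 48}

def encode_psk(psk: bytes, hash_id: str = "01") -> str:
    """Build an interchange string; used here only for constructed test keys."""
    payload = psk + struct.pack("<I", binascii.crc32(psk))
    return f"{PREFIX}:{hash_id}:{base64.b64encode(payload).decode()}:"

def parse_export_line(line: str):
    """Validate one '<description> <psk>' line; return (description, hash_id, psk)."""
    # The description itself contains spaces, so the PSK is the last token.
    try:
        description, encoded = line.strip().rsplit(None, 1)
    except ValueError:
        raise ValueError("expected '<description> <psk>'") from None
    parts = encoded.split(":")
    if len(parts) != 4 or parts[0] != PREFIX or parts[1] not in HASH_IDS or parts[3]:
        raise ValueError("not in NVMeTLSkey-1 interchange format")
    try:
        payload = base64.b64decode(parts[2], validate=True)
    except binascii.Error:
        raise ValueError("payload is not valid base64") from None
    psk, crc = payload[:-4], payload[-4:]
    if len(psk) not in PSK_LENGTHS:
        raise ValueError("unexpected PSK length")
    if struct.pack("<I", binascii.crc32(psk)) != crc:
        raise ValueError("CRC-32 mismatch (truncated or corrupted key)")
    return description, parts[1], psk

def check_export(lines):
    """Return (valid descriptions, [(line number, error)]); never echoes key data."""
    ok, errors = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            ok.append(parse_export_line(line)[0])
        except ValueError as exc:
            errors.append((number, str(exc)))
    return ok, errors
```
.fi
.sp
The export file holds the PSKs in clear text, so the checker reports only descriptions and line numbers\&.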
.SH "OPTIONS"
.PP
\-k <name>, \-\-keyring=<name>
.RS 4
Name of the keyring into which the
\fIretained\fR
TLS key should be stored\&. Default is
\fI\&.nvme\fR\&.
.RE
.PP
\-t <type>, \-\-keytype=<type>
.RS 4
Type of the key for the resulting TLS key\&. Default is
\fIpsk\fR\&.
.RE
.PP
\-f <file>, \-\-keyfile=<file>
.RS 4
File to read the keys from or write the keys to instead of stdin / stdout\&.
.RE
.PP
\-i, \-\-import
.RS 4
Read the key data from the file specified by
\fI\-\-keyfile\fR
or stdin if not present\&.
.RE
.PP
\-e, \-\-export
.RS 4
Write the key data to the file specified by
\fI\-\-keyfile\fR
or stdout if not present\&.
.RE
.PP
\-r <description>, \-\-revoke=<description>
.RS 4
Revoke a key from a keyring\&.
.RE
.PP
\-v, \-\-verbose
.RS 4
Increase the information detail in the output\&.
.RE
.SH "EXAMPLES"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Create a new TLS key and insert it directly into the \&.nvme keyring:
.sp
.if n \{\
.RS 4
.\}
.nf
# nvme gen\-tls\-key \-i \-n hostnqn0 \-c subsys0
NVMeTLSkey\-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:
Inserted TLS key 26b3260e
.fi
.if n \{\
.RE
.\}
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Export a previously created key from the kernel keyring and store it in a file:
.sp
.if n \{\
.RS 4
.\}
.nf
# nvme tls\-key \-e \-f nvme\-tls\-keys\&.txt
.fi
.if n \{\
.RE
.\}
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Export/list all keys from the \&.nvme keyring using nvme and keyctl:
.sp
.if n \{\
.RS 4
.\}
.nf
# nvme tls\-key \-\-export
NVMe0R01 hostnqn0 subsys0 NVMeTLSkey\-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:
# keyctl show
Session Keyring
573249525 \-\-alswrv 0 0 keyring: _ses
353599402 \-\-alswrv 0 65534 \e_ keyring: _uid\&.0
475911922 \-\-\-lswrv 0 0 \e_ keyring: \&.nvme
649274894 \-\-als\-rv 0 0 \e_ psk: NVMe0R01 hostnqn0 subsys0
.fi
.if n \{\
.RE
.\}
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Revoke a key using its description and verify the operation with keyctl:
.sp
.if n \{\
.RS 4
.\}
.nf
# nvme tls\-key \-\-revoke="NVMe0R01 hostnqn0 subsys0"
# keyctl show
Session Keyring
573249525 \-\-alswrv 0 0 keyring: _ses
353599402 \-\-alswrv 0 65534 \e_ keyring: _uid\&.0
475911922 \-\-\-lswrv 0 0 \e_ keyring: \&.nvme
649274894: key inaccessible (Key has been revoked)
.fi
.if n \{\
.RE
.\}
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Import a previously generated key back from the file and verify with keyctl:
.sp
.if n \{\
.RS 4
.\}
.nf
# nvme tls\-key \-\-import \-f nvme\-tls\-keys\&.txt
# keyctl show
Session Keyring
573249525 \-\-alswrv 0 0 keyring: _ses
353599402 \-\-alswrv 0 65534 \e_ keyring: _uid\&.0
475911922 \-\-\-lswrv 0 0 \e_ keyring: \&.nvme
734343968 \-\-als\-rv 0 0 \e_ psk: NVMe0R01 hostnqn0 subsys0
.fi
.if n \{\
.RE
.\}
.RE
.SH "NVME"
.sp
Part of the nvme\-user suite