path: root/Documentation/nvme-tls-key.txt
blob: e1819c74b264b0419299d539e020ce40e120ef28 (plain)
nvme-tls-key(1)
===============

NAME
----
nvme-tls-key - Manage NVMe TLS PSKs

SYNOPSIS
--------
[verse]
'nvme tls-key' [--keyring=<name> | -k <name>]
			[--keytype=<type> | -t <type>]
			[--keyfile=<file> | -f <file>]
			[--import | -i] [--export | -e]
			[--revoke=<description> | -r <description>]
			[--verbose | -v]

DESCRIPTION
-----------
Import, export or remove NVMe TLS pre-shared keys (PSKs) from the system
keystore. When the '--export' option is given, all NVMe TLS PSKs are
exported in the form

<description> <psk>

where '<description>' is the key description from the
exported key and '<psk>' is the key data in PSK interchange
format 'NVMeTLSkey-1:01:<base64 encoded data>:'.
Each key is exported in a single line.
When the '--import' option is given, key data is read in the
same format and imported into the kernel keystore.

OPTIONS
-------
-k <name>::
--keyring=<name>::
	Name of the keyring into which the 'retained' TLS key should be
	stored. Default is '.nvme'.

-t <type>::
--keytype=<type>::
	Type of the key for the resulting TLS key.
	Default is 'psk'.

-f <file>::
--keyfile=<file>::
	File to read the keys from or write the keys to instead of
	stdin / stdout.

-i::
--import::
	Read the key data from the file specified by '--keyfile'
	or stdin if not present.

-e::
--export::
	Write the key data to the file specified by '--keyfile'
	or stdout if not present.

-r <description>::
--revoke=<description>::
	Revoke a key from a keyring.

-v::
--verbose::
	Increase the information detail in the output.

EXAMPLES
--------

* Create a new TLS key and insert it directly into the .nvme keyring:
+
------------
# nvme gen-tls-key -i -n hostnqn0 -c subsys0
NVMeTLSkey-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:
Inserted TLS key 26b3260e
------------

* Export the previously created key from the kernel keyring and store it in a file:
+
------------
# nvme tls-key -e -f nvme-tls-keys.txt
------------

* Export/list all keys from the .nvme keyring using nvme and keyctl:
+
------------
# nvme tls-key --export
NVMe0R01 hostnqn0 subsys0 NVMeTLSkey-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:

# keyctl show
Session Keyring
 573249525 --alswrv      0     0  keyring: _ses
 353599402 --alswrv      0 65534   \_ keyring: _uid.0
 475911922 ---lswrv      0     0   \_ keyring: .nvme
 649274894 --als-rv      0     0       \_ psk: NVMe0R01 hostnqn0 subsys0
------------

* Revoke a key using its description and verify the operation with keyctl:
+
------------
# nvme tls-key --revoke="NVMe0R01 hostnqn0 subsys0"

# keyctl show
Session Keyring
 573249525 --alswrv      0     0  keyring: _ses
 353599402 --alswrv      0 65534   \_ keyring: _uid.0
 475911922 ---lswrv      0     0   \_ keyring: .nvme
649274894: key inaccessible (Key has been revoked)
------------

* Import the previously generated key back from the file and verify with keyctl:
+
------------
# nvme tls-key --import -f nvme-tls-keys.txt

# keyctl show
Session Keyring
 573249525 --alswrv      0     0  keyring: _ses
 353599402 --alswrv      0 65534   \_ keyring: _uid.0
 475911922 ---lswrv      0     0   \_ keyring: .nvme
 734343968 --als-rv      0     0       \_ psk: NVMe0R01 hostnqn0 subsys0
------------
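
A pre-import check for a file in the '<description> <psk>' export format described above, as an added example that is not part of nvme-cli or its documentation. It assumes the base64 data of each PSK is the key followed by its CRC-32 in little-endian order, as in the NVMe/TCP PSK interchange format; the function names and the sample lines are constructed for illustration.

```python
import base64
import binascii
import re
import zlib

# Interchange string as shown on this page: NVMeTLSkey-1:<hh>:<base64 data>:
PSK_RE = re.compile(r"NVMeTLSkey-1:(\d{2}):([A-Za-z0-9+/]+={0,2}):")

def encode_psk(key, hmac_id=1):
    """Build an interchange string. Assumed layout: key || CRC-32 (little-endian)."""
    crc = zlib.crc32(key).to_bytes(4, "little")
    return "NVMeTLSkey-1:%02d:%s:" % (hmac_id, base64.b64encode(key + crc).decode())

def parse_export_line(line):
    """Validate one '<description> <psk>' line (the PSK is the last field)."""
    description, sep, psk = line.strip().rpartition(" ")
    m = PSK_RE.fullmatch(psk)
    if not sep or not description or m is None:
        raise ValueError("expected '<description> NVMeTLSkey-1:<hh>:<base64>:'")
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        raise ValueError("invalid base64 data") from None
    key, crc = raw[:-4], raw[-4:]
    if len(key) not in (32, 48):  # assumed PSK sizes (SHA-256 / SHA-384)
        raise ValueError("unexpected key length %d" % len(key))
    if zlib.crc32(key).to_bytes(4, "little") != crc:
        raise ValueError("CRC-32 mismatch (truncated or edited key)")
    return description.strip(), int(m.group(1)), key

def check_export(text):
    """Check every non-empty line; return (valid entries, error messages)."""
    ok, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            desc, hmac_id, key = parse_export_line(line)
            ok.append((desc, hmac_id, len(key)))  # report length, never the key
        except ValueError as exc:
            errors.append("line %d: %s" % (lineno, exc))
    return ok, errors

# Constructed sample (not a real key): one valid line, one with a single character changed.
GOOD_LINE = "NVMe0R01 hostnqn0 subsys0 " + encode_psk(bytes(range(32)))
BAD_LINE = GOOD_LINE[:-10] + ("A" if GOOD_LINE[-10] != "A" else "B") + GOOD_LINE[-9:]

if __name__ == "__main__":
    print(check_export(GOOD_LINE + "\n" + BAD_LINE + "\n"))
```

The export file holds the PSKs in cleartext, so the check reports only descriptions, hash identifiers and key lengths.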

NVME
----
Part of the nvme-user suite