105 lines
2.7 KiB
Text
105 lines
2.7 KiB
Text
nvme-gen-tls-key(1)
|
|
======================
|
|
|
|
NAME
|
|
----
|
|
nvme-gen-tls-key - Generate a NVMe TLS PSK
|
|
|
|
SYNOPSIS
|
|
--------
|
|
[verse]
|
|
'nvme gen-tls-key' [--keyring=<name> | -k <name>]
|
|
[--keytype=<type> | -t <type>]
|
|
[--hostnqn=<nqn> | -n <nqn>]
|
|
[--subsysnqn=<nqn> | -c <nqn>]
|
|
[--hmac=<hmac-id> | -h <hmac-id>]
|
|
[--identity=<id-vers> | -I <id-vers>]
|
|
[--secret=<secret> | -s <secret>]
|
|
[--insert | -i]
|
|
[--keyfile=<keyfile> | -f <keyfile>]
|
|
[--output-format=<fmt> | -o <fmt>] [--verbose | -v]
|
|
|
|
DESCRIPTION
|
|
-----------
|
|
Generate a base64-encoded NVMe TLS pre-shared key (PSK).
|
|
The resulting key is either printed in the PSK interchange format
|
|
'NVMeTLSkey-1:01:<base64 encoded data>:' or inserted as a
|
|
'retained' key into the specified keyring if the '--insert' option
|
|
is given.
|
|
When the PSK should be inserted into the keyring a 'retained' key
|
|
is derived from the secret key material. The resulting 'retained'
|
|
key is stored with the identity
|
|
'NVMe0R0<hmac> <host NQN> <subsystem NQN>'
|
|
(for identity version '0') or
|
|
'NVMe1R0<hmac> <host NQN> <subsystem NQN> <PSK hash>'
|
|
(for identity version '1') in the keyring.
|
|
The 'retained' key is derived from the secret key material,
|
|
the specified subsystem NQN, and the host NQN.
|
|
Once the 'retained' key is stored in the keyring the original
|
|
secret key material cannot be retrieved.
|
|
|
|
OPTIONS
|
|
-------
|
|
-k <name>::
|
|
--keyring=<name>::
|
|
Name of the keyring into which the 'retained' TLS key should be
|
|
stored. Default is '.nvme'.
|
|
|
|
-t <type>::
|
|
--keytype=<type>::
|
|
Type of the key for resulting TLS key.
|
|
Default is 'psk'.
|
|
|
|
-n <nqn>::
|
|
--hostnqn=<nqn>::
|
|
Host NVMe Qualified Name (NQN) to be used to derive the
|
|
'retained' TLS key
|
|
|
|
-c <nqn>::
|
|
--subsysnqn=<nqn>::
|
|
Subsystem NVMe Qualified Name (NQN) to be used to derive the
|
|
'retained' TLS key
|
|
|
|
-h <hmac-id>::
|
|
--hmac=<hmac-id>::
|
|
Select a HMAC algorithm to use. Possible values are:
|
|
1 - SHA-256 (default)
|
|
2 - SHA-384
|
|
|
|
-I <vers>::
|
|
--identity=<id-vers>::
|
|
Select the TLS identity to use. Possible values are:
|
|
0 - Original NVMe TLS 1.0c identity
|
|
1 - NVMe TLS 2.0 (TP8018) identity
|
|
|
|
-s <secret>::
|
|
--secret=<secret>::
|
|
Secret value (in hexadecimal) to be used for the key. If none are
|
|
provided a random value is used.
|
|
|
|
-i::
|
|
--insert::
|
|
Insert the resulting TLS key into the keyring without printing out
|
|
the key in PSK interchange format.
|
|
|
|
-f <keyfile>
|
|
--keyfile=<keyfile>
|
|
Append the resulting TLS key to keyfile. This command line option is
|
|
depending on --insert.
|
|
|
|
-o <fmt>::
|
|
--output-format=<fmt>::
|
|
Set the reporting format to 'normal', 'json' or 'binary'. Only one
|
|
output format can be used at a time.
|
|
|
|
-v::
|
|
--verbose::
|
|
Increase the information detail in the output.
|
|
|
|
EXAMPLES
|
|
--------
|
|
No Examples
|
|
|
|
NVME
|
|
----
|
|
Part of the nvme-user suite
|