nvme-tls-key(1)
===============

NAME
----
nvme-tls-key - Manage NVMe TLS PSKs

SYNOPSIS
--------
[verse]
'nvme tls-key' [--keyring=<name> | -k <name>]
			[--keytype=<type> | -t <type>]
			[--keyfile=<file> | -f <file>]
			[--import | -i] [--export | -e]
			[--revoke=<description> | -r <description>]
			[--verbose | -v]

DESCRIPTION
-----------
Import, export or remove NVMe TLS pre-shared keys (PSKs) from the system
keystore. When the '--export' option is given, all NVMe TLS PSKs are
exported in the form

	<description> <psk>

where '<description>' is the key description from the
exported key and '<psk>' is the key data in PSK interchange
format 'NVMeTLSkey-1:01:<base64 encoded data>:'.
Each key is exported on a single line.
When the '--import' option is given, key data is read in the
same format and imported into the kernel keystore.

OPTIONS
-------
-k <name>::
--keyring=<name>::
	Name of the keyring into which the 'retained' TLS key should be
	stored. Default is '.nvme'.

-t <type>::
--keytype=<type>::
	Type of the key for the resulting TLS key.
	Default is 'psk'.

-f <file>::
--keyfile=<file>::
	File to read the keys from or write the keys to instead of
	stdin / stdout.

-i::
--import::
	Read the key data from the file specified by '--keyfile'
	or stdin if not present.

-e::
--export::
	Write the key data to the file specified by '--keyfile'
	or stdout if not present.

-r <description>::
--revoke=<description>::
	Revoke a key from a keyring.

-v::
--verbose::
	Increase the information detail in the output.

EXAMPLES
--------

* Create a new TLS key and insert it directly into the .nvme keyring:
+
------------
# nvme gen-tls-key -i -n hostnqn0 -c subsys0
NVMeTLSkey-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:
Inserted TLS key 26b3260e
------------

* Export the previously created key from the kernel keyring and store it in a file:
+
------------
# nvme tls-key -e -f nvme-tls-keys.txt
------------

* Export/list all keys from the .nvme keyring using nvme and keyctl:
+
------------
# nvme tls-key --export
NVMe0R01 hostnqn0 subsys0 NVMeTLSkey-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:

# keyctl show
Session Keyring
573249525 --alswrv 0 0 keyring: _ses
353599402 --alswrv 0 65534 \_ keyring: _uid.0
475911922 ---lswrv 0 0 \_ keyring: .nvme
649274894 --als-rv 0 0 \_ psk: NVMe0R01 hostnqn0 subsys0
------------

* Revoke a key using its description and verify the operation with keyctl:
+
------------
# nvme tls-key --revoke="NVMe0R01 hostnqn0 subsys0"

# keyctl show
Session Keyring
573249525 --alswrv 0 0 keyring: _ses
353599402 --alswrv 0 65534 \_ keyring: _uid.0
475911922 ---lswrv 0 0 \_ keyring: .nvme
649274894: key inaccessible (Key has been revoked)
------------

* Import the previously generated key back from the file and verify with keyctl:
+
------------
# nvme tls-key --import -f nvme-tls-keys.txt

# keyctl show
Session Keyring
573249525 --alswrv 0 0 keyring: _ses
353599402 --alswrv 0 65534 \_ keyring: _uid.0
475911922 ---lswrv 0 0 \_ keyring: .nvme
734343968 --als-rv 0 0 \_ psk: NVMe0R01 hostnqn0 subsys0
------------

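A file in the '--export' line format can be checked before it is passed to '--import'. The Python below is an added example, not part of nvme-cli: it validates each '<description> <psk>' line and reports problems without printing key data. The names `make_psk`, `parse_line` and `check_export` are hypothetical, and the hash-identifier/key-length table and the trailing little-endian CRC-32 are assumptions taken from the NVMe/TCP PSK interchange format, not from this page.

```python
import base64
import binascii
import re
import zlib

PSK_RE = re.compile(r"^NVMeTLSkey-1:(\d{2}):([A-Za-z0-9+/]+={0,2}):$")
# Assumption (not on the page): hash identifier -> allowed key lengths in bytes.
KEY_LEN = {"00": (32, 48), "01": (32,), "02": (48,)}


def make_psk(key, hmac_id="01"):
    """Build a constructed sample PSK string (test data, not a real key)."""
    blob = key + zlib.crc32(key).to_bytes(4, "little")
    return "NVMeTLSkey-1:%s:%s:" % (hmac_id, base64.b64encode(blob).decode())


def parse_line(line):
    """Return (description, hmac_id, key_bytes) or raise ValueError."""
    # The description contains spaces, so the PSK is the last field.
    description, sep, psk = line.strip().rpartition(" ")
    match = PSK_RE.match(psk)
    if not sep or not description or not match:
        raise ValueError("expected '<description> NVMeTLSkey-1:<hh>:<base64>:'")
    hmac_id, b64 = match.groups()
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        raise ValueError("invalid base64 payload") from None
    key, crc = raw[:-4], raw[-4:]
    if len(key) not in KEY_LEN.get(hmac_id, ()):
        raise ValueError("unexpected hash id %s / key length %d" % (hmac_id, len(key)))
    # Assumption: the last 4 bytes are a little-endian CRC-32 of the key.
    if zlib.crc32(key).to_bytes(4, "little") != crc:
        raise ValueError("CRC-32 mismatch")
    return description, hmac_id, key


def check_export(text):
    """Return [(line_number, problem)] without echoing any key material."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                parse_line(line)
            except ValueError as exc:
                problems.append((lineno, str(exc)))
    return problems
```
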
NVME
----
Part of the nvme-user suite