NAME

yhsm-yubikey-ksm ‐ Decrypt YubiKey OTPs using an attached YubiHSM

SYNOPSIS

yhsm-yubikey-ksm --key-handles ... [options]

DESCRIPTION

This is a small network server with a REST-like API that decodes YubiKey OTPs.

It can be used as a decryption backend (Key Storage Module) to a validation service such as the YubiCloud.

The AES keys of the YubiKeys must be present as AEAD files decryptable to the attached YubiHSM. Such AEADs can for example be created using yhsm-import-keys(1).

Note that this daemon is single threaded ‐ it will only handle a single request at once. A request timeout is therefor most important.

OPTIONS

-D, --device

device file name (default: /dev/ttyACM0)

-v, --verbose

enable verbose operation

--debug

enable debug printout, including all data sent to/from YubiHSM

-U, --serve-url base

base of URL for decrypt web service (default: /yhsm/validate?)

-S, --stats-url url

URL where some basic statistics about operations since start can be collected

--port num

port to listen on (default: 8002)

--addr addr

address to bind to (default: 127.0.0.1)

--key-handles kh, --key-handle kh

key handles to use for decoding OTPs. Examples : "1", "0xabcd".

--aead-dir dir, -B dir

base directory for AEADs (default: /var/cache/yubikey-ksm/aeads)

--reqtimeout num

number of seconds before a request times out (default: 5)

--pid-file fn

write process id of server to this file

--db-url url

read AEAD data from this database

--proxies ip, --proxy ip

log X-Forwarded-For header for requests from these IPs.

BUGS

Report python-pyhsm/yhsm-yubikey-ksm bugs in the issue tracker ⟨URL: https://github.com/Yubico/python-pyhsm/issues/ ⟩

SEE ALSO

The home page ⟨URL: https://developers.yubico.com/python-pyhsm/ ⟩

YubiHSMs can be obtained from Yubico ⟨URL: http://www.yubico.com/ ⟩.