Provided by: opencryptoki_3.17.0+dfsg+20220202.b40982e-0ubuntu1.2_amd64 
NAME
p11sak - generate and list token keys in an openCryptoki token repository.
SYNOPSIS
p11sak command [ARGS] [OPTIONS]
p11sak --help|-h
DESCRIPTION
p11sak can be used to generate, list and delete the token keys in an openCryptoki token repository. The
utility provides a flexible key management tool in openCryptoki to list and generate symmetric (DES;
3DES, AES) and asymetric (RSA, EC) keys. This tool is especially capable of a well defined listing of
keys with their PKCS #11 attributes.
COMMANDS
The p11sak tool can operate in three modes: when command generate-key is specified, it operates in the
mode to generate a token key in the openCryptoki token repository. If command list-key is given, it
lists the keys specified in the arguments. If command remove-key is given, it removes the keys specified
in the arguments.
generate-key
Use the generate-key|gen-key|gen command and key argument to generate a token key with the respective
[ARGS] and [OPTIONS]. The --help|-h option will show the arguments and options available.
list-key
Use the list-key|ls-key|ls command and key argument to list token keys given the respective [ARGS] and
[OPTIONS]. The --help|-h option will show the arguments and options available.
remove-key
Use the remove-key|rm-key|rm command and key argument to delete token keys given the respective [ARGS]
and [OPTIONS]. The --help|-h option will show the arguments and options available.
Generating DES/3DES keys
p11sak generate-key|gen-key|gen des|3des --slot SLOTID --pin PIN --label LABEL --attr [PMRLSEDGVWUAXNT]
--help | -h
Use the generate-key command with the des|3des key argument to generate a DES or 3DES key. The --slot
SLOTID and --pin PIN options are required to set the token to SLOTID and the token PIN. The --label
option allows the user to set the LABEL attribute of the key and --attr [PMRLSEDGVWUAXNT] can be used to
set the binary attributes of the key (see below for detailed description of the attributes).
Generating AES keys
p11sak generate-key|gen-key|gen aes 128|192|256 --slot SLOTID --pin PIN --label LABEL --attr
[PMRLSEDGVWUAXNT] --help | -h
Use the generate-key aes 128|192|256 command and key argument to generate a AES key with 128, 192 or 256
bit length, respectively. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID
and the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr
[PMRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description
of the attributes).
Generating RSA keys
p11sak generate-key|gen-key|gen rsa 1024|2048|4096 --slot SLOTID --pin PIN --label LABEL --exponent EXP
--attr [PMRLSEDGVWUAXNT] --help | -h
Use the generate-key rsa 1024|2048|4096 command and key argument to generate a 1024, 2048 or 4096 bit RSA
key, respectively. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID and
the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr
[PMRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description
of the attributes). Furthermore, the --exponent EXP options allows the user to specify the exponent used
for generating the RSA key. The default is set to 65537 according to the PKCS #11 standard.
Generating EC keys
p11sak generate-key|gen-key|gen ec CURVE --slot SLOTID --pin PIN --label LABEL --attr [PMRLSEDGVWUAXNT]
--help | -h
Use the generate-key ec CURVE command and key argument to generate an EC key, where CURVE specifies the
eliptic curve used to create the EC key. The following arguments can be used for respective curves:
prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 | brainpoolP160r1 | brainpoolP160t1 |
brainpoolP192r1 | brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1
| brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | brainpoolP512r1 |
brainpoolP512t1
Note: not all curves will be supported by all tokens and key generation will fail when the specified
CURVE is not supported. The --slot SLOTID and --pin PIN options are required to set the token to SLOTID
and the token PIN. The --label option allows the user to set the LABEL attribute of the key and --attr
[PMRLSEDGVWUAXNT] can be used to set the binary attributes of the key (see below for detailed description
of the attributes).
Listing symmetric and asymmetric keys
p11sak list-key|ls-key|ls des|3des|aes|rsa|ec|public|private|secret|all --slot SLOTID --pin PIN --long |
-l --help | -h
Use the list-key | ls-key | ls command and key argument to list DES, 3DES, AES, RSA or EC keys,
respectively. Public, private, secret, or all keys can also be listed irrespective of key type.
Deleting symmetric and asymmetric keys
p11sak remove-key|rm-key|rm des|3des|aes|rsa|ec --slot SLOTID --pin PIN --label LABEL --force | -f --help
| -h
Use the remove-key | rm-key | rm command and key argument to delete DES, 3DES, AES, RSA, or EC keys,
respectively. All specified cipher keys will be promted to be deleted unless a specific key with the
--label LABEL argument is selected. The user will be promted to confirm the deletion of the key. To
suppress the promt, use the --force | -f option.
ARGS
des | 3des | aes | rsa | ec | public | private | secret | all
selects the respective symmetric or asymetric key to be generated or listed. The
public|private|secret|all argument can only be used with the list-key command to list either public,
private, secret, or all keys.
128|192|256
the aes argument has to be followed by either 128, 192 or 256 to set the respective key bit length of the
AES key.
1024|2048|4096
the rsa argument has to be followed by either 1024, 2048 or 4096 to set the respective key bit length of
the RSA key.
prime256v1 | prime192 | secp224 | secp384r1 | secp521r1 | secp265k1 | brainpoolP160r1 | brainpoolP160t1 |
brainpoolP192r1 | brainpoolP192t1 | brainpoolP224r1 | brainpoolP224t1 | brainpoolP256r1 | brainpoolP256t1
| brainpoolP320r1 | brainpoolP320t1 | brainpoolP384r1 | brainpoolP384t1 | brainpoolP512r1 |
brainpoolP512t1
the ec argument has to be followed by either of these CURVE to select the EC curve used to generate the
key.
OPTIONS
--slot SLOTID
sets the token to SLOTID
--pin PIN
sets the token PIN to PIN
--label LABEL
sets the key label attribute to LABEL
--exponent EXP
sets the RSA exponent to EXP
--attr [P M R L S E D G V W U A X N T]
sets the binary attributes of a key.
Note: not all binary attributes are applicable to all keys and will be omitted if not applicable.
The attributes are set to FALSE by default and switched to TRUE when the letter that is associated with
the given binary attribute is specified. The following letters are associated with the respective
CK_ATTRIBUTE:
• P - CKA_PRIVATE
• M - CKA_MODIFIABLE
• R - CKA_DERIVE
• L - CKA_LOCAL
• S - CKA_SENSITIVE
• E - CKA_ENCRYPT
• D - CKA_DECRYPT
• G - CKA_SIGN
• V - CKA_VERIFY
• W - CKA_WRAP
• U - CKA_UNWRAP
• A - CKA_ALWAYS_SENSITIVE
• X - CKA_EXTRACTABLE
• N - CKA_NEVER_EXTRACTABLE
• * - if in p11sak_defined_attrs.conf additional attributes are defined.
CKA_TOKEN and CKA_PRIVATE are set by default to TRUE. For multiple attributes, combine the letters in a
string without white space, e. g. 'MlD'. An uppercase letter means true, while an lowercase letter
equals false. From Example above: CKA_MODIFIABLE=true, CKA_LOCAL=false, CKA_DECRYPT=true
For asymmetric keys a user can set different custom attributes for the public and the private key. The
separator is the symbol ":". The defined attributes in front of the separator are set for the public key
and the attributes defined after the separator are set for the private key. When the separator is not in
the string, the defined attribute set is used for public and private key. To set a configuration for only
the public key, the string has to end with the separator and respectively, to use a configuration for the
private key only, the string has to start with the separator.
--long | -l
prints the list-key output in long format. If omitted, the output is in a short, tabular format.
--force | -f
to be used with the remove-key command to suppress the promt whether the user wants to delete the
specified keys.
--help | -h
prints help for the usage of p11sak and/or the respective command.
FILES
/usr/local/etc/opencryptoki/p11sak_defined_attrs.conf
In the output config file a user can define additional attributes, which are not mentioned in the PKCS#11
standard. A custom filepath can be set with an environment variable.
ENVIRONMENT VARIABLES
P11SAK_DEFAULT_CONF_FILE
A custom path for p11sak_defined_attrs.conf can be set with the environment variable
P11SAK_DEFAULT_CONF_FILE. If none is set p11sak will first look for the file in the user directory,
followed by the standard installation path.
EXIT STATUS
p11sak returns various error codes on fail:
CKR_ARGUMENTS_BAD (0x00000007):
The p11sak_defined_attrs.conf is not found.
CKR_DATA_INVALID (0x00000020):
The p11sak_defined_attrs.conf cannot be parsed or syntax is invalid.
CKR_ATTRIBUTE_TYPE_INVALID (0x00000012):
A given attribute type cannot be set for this key.
SEE ALSO
p11sak_defined_attrs.conf(5)
3.17.0 May 2020 P11SAK(1)