
nvme-tls-key - Manage NVMe TLS PSKs


NAME

nvme-tls-key - Manage NVMe TLS PSKs

SYNOPSIS

nvme tls-key [--keyring=<name> | -k <name>]
[--keytype=<type> | -t <type>]
[--keyfile=<file> | -f <file>]
[--import | -i] [--export | -e]
[--revoke=<description> | -r <description>]
[--verbose | -v]

DESCRIPTION

Import, export or remove NVMe TLS pre-shared keys (PSKs) from the system keystore. When the --export option is given, all NVMe TLS PSKs are exported in the form

<description> <psk>

where <description> is the key description from the exported key and <psk> is the key data in PSK interchange format NVMeTLSkey-1:01:<base64 encoded data>:. Each key is exported on a single line. When the --import option is given, key data is read in the same format and imported into the kernel keystore.

OPTIONS

-k <name>, --keyring=<name>

Name of the keyring into which the retained TLS key should be stored. Default is .nvme.

-t <type>, --keytype=<type>

Type of the key for the resulting TLS key. Default is psk.

-f <file>, --keyfile=<file>

File to read the keys from or write the keys to instead of stdin / stdout.

-i, --import

Read the key data from the file specified by --keyfile or stdin if not present.

-e, --export

Write the key data to the file specified by --keyfile or stdout if not present.

-r <description>, --revoke=<description>

Revoke a key from a keyring.

-v, --verbose

Increase the information detail in the output.

EXAMPLES

• Create a new TLS key and insert it directly into the .nvme keyring:

# nvme gen-tls-key -i -n hostnqn0 -c subsys0
NVMeTLSkey-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:
Inserted TLS key 26b3260e

• Export the previously created key from the kernel keyring and store it in a file:

# nvme tls-key -e -f nvme-tls-keys.txt

• Export/list all keys from the .nvme keyring using nvme and keyctl:

# nvme tls-key --export
NVMe0R01 hostnqn0 subsys0 NVMeTLSkey-1:01:/b9tVz2OXJVISnoFgrPAygyS86XYJWkAapQeULns6PMpM8wv:

# keyctl show
Session Keyring
573249525 --alswrv 0 0 keyring: _ses
353599402 --alswrv 0 65534 \_ keyring: _uid.0
475911922 ---lswrv 0 0 \_ keyring: .nvme
649274894 --als-rv 0 0 \_ psk: NVMe0R01 hostnqn0 subsys0

• Revoke a key using its description and verify the operation with keyctl:

# nvme tls-key --revoke="NVMe0R01 hostnqn0 subsys0"

# keyctl show
Session Keyring
573249525 --alswrv 0 0 keyring: _ses
353599402 --alswrv 0 65534 \_ keyring: _uid.0
475911922 ---lswrv 0 0 \_ keyring: .nvme
649274894: key inaccessible (Key has been revoked)

• Import the previously generated key back from the file and verify with keyctl:

# nvme tls-key --import -f nvme-tls-keys.txt

# keyctl show
Session Keyring
573249525 --alswrv 0 0 keyring: _ses
353599402 --alswrv 0 65534 \_ keyring: _uid.0
475911922 ---lswrv 0 0 \_ keyring: .nvme
734343968 --als-rv 0 0 \_ psk: NVMe0R01 hostnqn0 subsys0
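
A pre-import check for a file in the "<description> <psk>" export format described above, as an added example that is not part of nvme-cli or of this manual page. It assumes the payload layout of the NVMe/TCP PSK interchange format (key followed by a little-endian CRC-32; HMAC identifier 00, 01 or 02 selecting 32- or 48-byte keys), which the page does not spell out; the function names and sample keys are made up for the example.

```python
import base64
import binascii
import zlib

PREFIX = "NVMeTLSkey-1"
# HMAC identifier -> permitted key lengths in bytes (00 means no transform).
KEY_LENGTHS = {"00": (32, 48), "01": (32,), "02": (48,)}


def make_psk(key: bytes, hmac_id: str = "01") -> str:
    """Encode a key as an interchange string (used here for sample data)."""
    crc = zlib.crc32(key).to_bytes(4, "little")
    return f"{PREFIX}:{hmac_id}:{base64.b64encode(key + crc).decode()}:"


def check_line(line: str) -> tuple[str, str]:
    """Return (description, problem); problem is '' for a sound entry."""
    parts = line.strip().rsplit(None, 1)  # the description contains spaces
    if len(parts) != 2:
        return line.strip(), "expected '<description> <psk>'"
    desc, psk = parts
    fields = psk.split(":")
    if len(fields) != 4 or fields[0] != PREFIX or fields[3] != "":
        return desc, "not in NVMeTLSkey-1:<hmac>:<base64>: form"
    if fields[1] not in KEY_LENGTHS:
        return desc, f"unknown HMAC identifier {fields[1]}"
    try:
        raw = base64.b64decode(fields[2], validate=True)
    except (binascii.Error, ValueError):
        return desc, "payload is not valid base64"
    key, crc = raw[:-4], raw[-4:]
    if len(key) not in KEY_LENGTHS[fields[1]]:
        return desc, f"key length {len(key)} does not match HMAC {fields[1]}"
    if zlib.crc32(key).to_bytes(4, "little") != crc:
        return desc, "CRC-32 mismatch (truncated or altered key)"
    return desc, ""


def check_export(text: str) -> list[tuple[str, str]]:
    """Check each non-empty line; results never include key material."""
    return [check_line(ln) for ln in text.splitlines() if ln.strip()]

KEY = bytes(range(32))  # constructed sample key, not a real secret
SAMPLE = "\n".join([
    "NVMe0R01 hostnqn0 subsys0 " + make_psk(KEY),
    "NVMe0R01 hostnqn1 subsys0 " + make_psk(KEY, "02"),  # wrong length for 02
    # First three key bytes zeroed ("AAEC" -> "AAAA"), CRC left unchanged.
    "NVMe0R01 hostnqn2 subsys0 " + make_psk(KEY).replace(":AAEC", ":AAAA", 1),
])
```

The export file holds the PSKs in clear, so keep it readable by root only (for example by setting umask 077 before exporting) and pass its contents to check_export() before running nvme tls-key --import.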

NVME

Part of the nvme-user suite


Updated 2026-06-01 - jenkler.se | uex.se