sc-hsm-tool(1)
OpenSC Tools (opensc)

Name
sc-hsm-tool - smart card utility for SmartCard-HSM

Synopsis
sc-hsm-tool OPTIONS

Description
The sc-hsm-tool utility can be used from the command line to perform
extended maintenance tasks not available via PKCS#11 or other tools in the OpenSC package.
It can be used to query the status of a SmartCard-HSM, initialize a device, generate and import
Device Key Encryption Key (DKEK) shares and to wrap and unwrap keys.
Options
  --initialize, -X
      Initialize token, removing all existing keys, certificates and files.
      Use --so-pin to define SO-PIN for first initialization or to verify in
      subsequent initializations.
      Use --pin to define the initial user PIN value.
      Use --pin-retry to define the maximum number of wrong user PIN presentations.
      Use with --dkek-shares to enable key wrap / unwrap.

  --create-dkek-share filename, -C filename
      Create a DKEK share encrypted under a user supplied password and saved
      to the file given as parameter.
      Use --password to provide a password for encryption rather than
      prompting for one.

  --import-dkek-share filename, -I filename
      Prompt for user password, read and decrypt DKEK share and import into
      SmartCard-HSM.
      Use --password to provide a password for decryption rather than
      prompting for one.

  --wrap-key filename, -W filename
      Wrap the key referenced in --key-reference and save it together with
      the key description and certificate to the given file.
      Use --pin to provide the user PIN on the command line.

  --unwrap-key filename, -U filename
      Read wrapped key, description and certificate from file and import into
      SmartCard-HSM under the key reference given in --key-reference.
      Determine the key reference using the output of pkcs15-tool -D.
      Use --pin to provide a user PIN on the command line.
      Use --force to remove any key, key description or certificate in the way.

  --dkek-shares number-of-shares, -s number-of-shares
      Define the number of DKEK shares to use for recreating the DKEK.
      This is an optional parameter. Using --initialize without --dkek-shares
      will disable the DKEK completely.
      Using --dkek-shares with 0 shares requests the SmartCard-HSM to generate
      a random DKEK. Keys wrapped with this DKEK can only be unwrapped in the
      same SmartCard-HSM.
      After using --initialize with one or more DKEK shares, the SmartCard-HSM
      will remain in the initialized state until all DKEK shares have been
      imported. During this phase no new keys can be generated or imported.

  --so-pin value
      Define SO-PIN for initialization.

  --pin value
      Define user PIN for initialization, wrap or unwrap operation.

  --pin-retry value
      Define number of PIN retries for user PIN during initialization.
      Default is 3.

  --password value
      Define password for DKEK share encryption.

  --force
      Force removal of existing key, description and certificate.

  --reader num, -r num
      Use the given reader number. The default is 0, the first reader in the
      system.

  --wait, -w
      Wait for a card to be inserted.

  --verbose, -v
      Causes sc-hsm-tool to be more verbose. Specify this flag several times
      to enable debug output in the opensc library.

Examples

  Create a DKEK share:
      sc-hsm-tool --create-dkek-share dkek-share-1.pbe

  Initialize SmartCard-HSM to use a single DKEK share:
      sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1

  Import DKEK share:
      sc-hsm-tool --import-dkek-share dkek-share-1.pbe

  Wrap referenced key, description and certificate:
      sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219

  Unwrap key into same or in different SmartCard-HSM with the same DKEK:
      sc-hsm-tool --unwrap-key wrap-key.bin --key-reference 10 --pin 648219 --force

See also
opensc-tool(1)
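
The DKEK procedure from the Options and Examples sections, generalized to any number of shares, as an added example that is not part of the OpenSC documentation or code. The function names, the DRY_RUN switch and the share file naming are assumptions of this sketch, as is the tool prompting for the SO-PIN and PIN when --so-pin and --pin are left off.

```shell
#!/bin/sh
# Added example: plan or run an n-share DKEK setup and key transfer.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dkek_setup N: create N shares, initialize for N shares, import all N.
# Share file names (dkek-share-<i>.pbe) are constructed placeholders.
dkek_setup() {
    shares="$1"
    case "$shares" in
        ''|*[!0-9]*) echo "share count must be a number" >&2; return 2 ;;
    esac
    # 0 shares means a device-generated DKEK: keys wrapped under it can only
    # be unwrapped in the same SmartCard-HSM, so it is no off-device backup.
    if [ "$shares" -lt 1 ]; then
        echo "need at least 1 share for a transferable DKEK" >&2
        return 2
    fi
    i=1
    while [ "$i" -le "$shares" ]; do
        # No --password: each custodian types the share password at the prompt.
        run sc-hsm-tool --create-dkek-share "dkek-share-$i.pbe" || return 1
        i=$((i + 1))
    done
    # Wipes the token. --so-pin/--pin are left off so they stay out of the
    # process list (assumption: the tool then prompts for them).
    run sc-hsm-tool --initialize --dkek-shares "$shares" || return 1
    # No key can be generated or imported until every share is imported.
    i=1
    while [ "$i" -le "$shares" ]; do
        run sc-hsm-tool --import-dkek-share "dkek-share-$i.pbe" || return 1
        i=$((i + 1))
    done
}

# wrap_key REF FILE: export key REF with its description and certificate.
wrap_key() { run sc-hsm-tool --wrap-key "$2" --key-reference "$1"; }

# unwrap_key FILE REF [overwrite]: --force removes whatever already sits at
# REF, so it is only passed on explicit request.
unwrap_key() {
    if [ "${3:-}" = "overwrite" ]; then
        run sc-hsm-tool --unwrap-key "$1" --key-reference "$2" --force
    else
        run sc-hsm-tool --unwrap-key "$1" --key-reference "$2"
    fi
}
```

Source the file and call `dkek_setup 2` to print the command plan for two custodians; set DRY_RUN=0 to execute it against the inserted token.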