.ie \n(.g .ds Aq \(aq .el .ds Aq ' .TH nethsm-key-import 1 "nethsm-key-import " .SH NAME nethsm\-key\-import \- Import a key .SH SYNOPSIS \fBnethsm key import\fR [\fB\-\-format\fR] [\fB\-k\fR|\fB\-\-key\-id\fR] [\fB\-t\fR|\fB\-\-tags\fR] [\fB\-a\fR|\fB\-\-auth\-passphrase\-file\fR] [\fB\-c\fR|\fB\-\-config\fR] [\fB\-l\fR|\fB\-\-label\fR] [\fB\-u\fR|\fB\-\-user\fR] [\fB\-h\fR|\fB\-\-help\fR] <\fIKEY_TYPE\fR> <\fIKEY_DATA\fR> [\fIKEY_MECHANISMS\fR] .SH DESCRIPTION Import a key .PP The provided key data must be provided as PKCS#8 private key in ASN.1 Distinguished Encoding Rules (DER) encoded or Privacy\-Enhanced Mail (PEM) format. The key data must match the provided key type. .PP The provided key type and list of key mechanisms have to match: * "Rsa" requires one of [RsaDecryptionRaw, RsaDecryptionPkcs1, RsaDecryptionOaepMd5, RsaDecryptionOaepSha1, RsaDecryptionOaepSha224, RsaDecryptionOaepSha256, RsaDecryptionOaepSha384, RsaDecryptionOaepSha512, RsaSignaturePkcs1, RsaSignaturePssMd5, RsaSignaturePssSha1, RsaSignaturePssSha224, RsaSignaturePssSha256, RsaSignaturePssSha384, RsaSignaturePssSha512] * "Curve25519" requires one of [EdDsaSignature] * "EcP224", "EcP256", "EcP384" and "EcP521" require one of [EcdsaSignature] * "Generic" requires at least one of [AesDecryptionCbc, AesEncryptionCbc] .PP System\-wide users in the "Administrator" role import system\-wide keys. Namespaced users in the "Administrator" role import keys in their own namespace. .PP Note: Although assigning tags to the new key is optional, it is highly recommended as not doing so means that all users in the same scope have access to it! .PP Requires authentication of a user in the "Administrator" role. .SH OPTIONS .TP \fB\-\-format\fR=\fIFORMAT\fR [default: Der] The format of key to import Keys can be imported in Distinguished Encoding Rules (DER) or Privacy\-Enhanced Mail (PEM) format. One of ["Pem", "Der"]. .RS May also be specified with the \fBNETHSM_KEY_FORMAT\fR environment variable. .RE .TP \fB\-k\fR, \fB\-\-key\-id\fR=\fIKEY_ID\fR An optional unique ID that is assigned to the imported key If none is provided a generic one is generated for the key. .RS May also be specified with the \fBNETHSM_KEY_ID\fR environment variable. .RE .TP \fB\-t\fR, \fB\-\-tags\fR=\fITAGS\fR An optional list of tags that are assigned to the imported key Tags on keys are used to grant access to those keys for users that carry the same tags. .RS May also be specified with the \fBNETHSM_KEY_TAGS\fR environment variable. .RE .TP \fB\-a\fR, \fB\-\-auth\-passphrase\-file\fR=\fIAUTH_PASSPHRASE_FILE\fR The path to a file containing a passphrase for authentication The passphrase provided in the file must be the one for the user chosen for the command. This option can be provided multiple times, which is needed for commands that require multiple roles at once. With multiple passphrase files ordering matters, as the files are assigned to the respective user provided by the "\-\-user" option. .RS May also be specified with the \fBNETHSM_AUTH_PASSPHRASE_FILE\fR environment variable. .RE .TP \fB\-c\fR, \fB\-\-config\fR=\fICONFIG\fR The path to a custom configuration file If specified, the custom configuration file is used instead of the default configuration file location. .RS May also be specified with the \fBNETHSM_CONFIG\fR environment variable. .RE .TP \fB\-l\fR, \fB\-\-label\fR=\fILABEL\fR A label uniquely identifying a device in the configuration file Must be provided if more than one device is setup in the configuration file. .RS May also be specified with the \fBNETHSM_LABEL\fR environment variable. .RE .TP \fB\-u\fR, \fB\-\-user\fR=\fIUSER\fR A user name which is used for a command Can be provided, if no user name is setup in the configuration file for a device. Must be provided, if several user names of the same target role are setup in the configuration file for a device. This option can be provided multiple times, which is needed for commands that require multiple roles at once. .RS May also be specified with the \fBNETHSM_USER\fR environment variable. .RE .TP \fB\-h\fR, \fB\-\-help\fR Print help (see a summary with \*(Aq\-h\*(Aq) .TP <\fIKEY_TYPE\fR> The type of key to import The key type must match the provided key data and chosen key mechanisms! One of ["AesDecryptionCbc", "AesEncryptionCbc", "EcdsaSignature", "EdDsaSignature", "RsaDecryptionOaepMd5", "RsaDecryptionOaepSha1", "RsaDecryptionOaepSha224", "RsaDecryptionOaepSha256", "RsaDecryptionOaepSha384", "RsaDecryptionOaepSha512", "RsaDecryptionPkcs1", "RsaDecryptionRaw", "RsaSignaturePkcs1", "RsaSignaturePssMd5", "RsaSignaturePssSha1", "RsaSignaturePssSha224", "RsaSignaturePssSha256", "RsaSignaturePssSha384", "RsaSignaturePssSha512"]. .RS May also be specified with the \fBNETHSM_KEY_TYPE\fR environment variable. .RE .TP <\fIKEY_DATA\fR> The path to a PKCS#8 private key in ASN.1 DER\-encoded format The private key data must match the chosen key type. .RS May also be specified with the \fBNETHSM_KEY_DATA\fR environment variable. .RE .TP [\fIKEY_MECHANISMS\fR] The mechanisms provided by the imported key The key mechanisms must match the chosen key type! At least one of ["AesDecryptionCbc", "AesEncryptionCbc", "EcdsaSignature", "EdDsaSignature", "RsaDecryptionOaepMd5", "RsaDecryptionOaepSha1", "RsaDecryptionOaepSha224", "RsaDecryptionOaepSha256", "RsaDecryptionOaepSha384", "RsaDecryptionOaepSha512", "RsaDecryptionPkcs1", "RsaDecryptionRaw", "RsaSignaturePkcs1", "RsaSignaturePssMd5", "RsaSignaturePssSha1", "RsaSignaturePssSha224", "RsaSignaturePssSha256", "RsaSignaturePssSha384", "RsaSignaturePssSha512"]. .RS May also be specified with the \fBNETHSM_KEY_MECHANISMS\fR environment variable. .RE