blob: 44d41fd3fe698e866ca17201c1a8eaf2a69c2bdf (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
.TH NITROCLI 1 2018-12-27
.SH NAME
nitrocli \- access Nitrokey devices
.SH SYNOPSIS
.B nitrocli
\fIcommand\fR
[\fIarguments\fR]
.SH DESCRIPTION
\fBnitrocli\fR provides access to Nitrokey devices.
It supports the Nitrokey Pro and the Nitrokey Storage.
It can be used to access the encrypted volume and the one-time password generator.
.SH COMMANDS
.SS General
.TP
.B nitrocli status
Print the status of the connected Nitrokey device, including the stick serial
number, SD card serial number, the firmware version and the PIN retry count.
For the Nitrokey Storage, it also includes the encryption status and the status
of the volumes.
.TP
.B nitrocli clear
Clear the passphrases cached by the other commands.
.SS Storage
.TP
\fBnitrocli storage open
Open the encrypted volume on the Nitrokey Storage.
The user PIN that is required to open the volume is queried using
\fBpinentry\fR(1) and cached by \fBgpg-agent\fR(1).
.TP
\fBnitrocli storage close
Close the encrypted volume on the Nitrokey Storage.
.SS One-time passwords
.TP
\fBnitrocli otp get \fIslot \fR[\fB-a\fR|\fB--algorithm \fIalgorithm\fR]
Generate a one-time password.
\fIslot\fR is the number of the slot to generate the password on.
\fIalgorithm\fR is the OTP algorithm to use.
Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and
\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default).
.TP
\fBnitrocli otp set \fIslot name secret \
\fR[\fB-a\fR|\fB--algorithm \fIalgorithm\fR] \
[\fB-d\fR|\fB--digits \fI digits\fR] [\fB-c\fR|\fB--counter \fIcounter\fR] \
[\fB-t\fR|\fB--time-window \fItime window\fR] [\fB--ascii\fR]
Configure a one-time password slot.
\fIslot\fR is the number of the slot to configure.
\fIname\fR is the name of the slot (may not be empty).
\fIsecret\fR is the secret value to store on that slot.
If \fB--ascii\fR is set, each character of the given secret is interpreted as
the ASCII code of one byte.
Otherwise, every two characters are interpreted as the hexadecimal value of one
byte.
\fIalgorithm\fR is the OTP algorithm to use.
Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and
\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default).
\fIdigits\fR is the number of digits the one-time password should have.
Allowed values are 6 and 8 (default: 6).
\fIcounter\fR is the initial counter if the HOTP algorithm is used (default: 0).
\fItime window\fR is the time window used with TOTP in seconds (default: 30).
.TP
\fBnitrocli otp get \fIslot \fR[\fB-a\fR|\fB--algorithm \fIalgorithm\fR]
Delete the name and the secret stored on a one-time password slot.
\fIslot\fR is the number of the slot to generate the password on.
\fIalgorithm\fR is the OTP algorithm to use.
Possible values are \fBhotp\fR for the HOTP algorithm according to RFC 4226 and
\fBtotp\fR for the TOTP algorithm according to RFC 6238 (default).
.TP
\fBnitrocli otp status \fR[\fB-a\fR|\fB--all\fR]
List all OTP slots.
If \fB--all\fR is not set, empty slots are ignored.
.SH EXAMPLE
.SS One-time passwords
Configure a one-time password slot with a hexadecimal secret representation:
$ \fBnitrocli otp set 0 test-rfc4226 3132333435363738393031323334353637383930 --algorithm hotp\fR
$ \fBnitrocli otp set 1 test-foobar 666F6F626172 --algorithm hotp\fR
.P
Configure a one-time password slot with an ASCII secret representation:
$ \fBnitrocli otp set 0 test-rfc4226 12345678901234567890 --ascii --algorithm hotp\fR
$ \fBnitrocli otp set 1 test-foobar foobar --ascii --algorithm hotp\fR
.P
Generate a one-time password:
$ \fBnitrocli otp get 0 --algorithm hotp\fR
755224
.P
Clear a one-time password slot:
$ \fBnitrocli otp clear 0 --algorithm hotp\fR
|
