Subcommands

This reference describes the syntax of the Tessera command line interface (CLI) subcommands.

To start a Tessera node using subcommands, run:

tessera [OPTIONS] [SUBCOMMAND] [SUBCOMMAND OPTIONS]

keygen

Use the keygen subcommand to generate one or more key pairs to store in files or a supported key vault.

argonconfig, keygenconfig

tessera keygen --argonconfig <FILE>

JSON file containing settings to override the default Argon2 configuration.

Legacy syntax for this option is -keygenconfig <FILE>.

configfile, config-file

tessera keygen --configfile <FILE>

Path to the node configuration file.

Provide this option when updating a configuration file with new keys. If configout and pwdout are not provided, the updated configuration file prints to the terminal.

configout

tessera keygen --configout <FILE>

Path to save the updated configuration file to. To use this option, you must supply the --configfile option.

Legacy syntax for this option is -output <FILE>.

debug

tessera keygen --debug

Prints full exception stack traces to stdout.

encryptor.ellipticCurve

tessera keygen --encryptor.ellipticCurve <STRING>

Elliptic curve to use for key generation. Defaults to secp256r1.

encryptor.nonceLength

tessera keygen --encryptor.nonceLength <INTEGER>

Nonce length to use as the initialization vector (IV) for symmetric encryption. Defaults to 24.

encryptor.sharedKeyLength

tessera keygen --encryptor.sharedKeyLength <INTEGER>

Key length to use for symmetric encryption when generating keys. Defaults to 32.

encryptor.symmetricCipher

tessera keygen --encryptor.symmetricCipher <STRING>

Symmetric cipher to use for encrypting data. Defaults to AES/GCM/NoPadding.

encryptor.type

tessera keygen --encryptor.type <STRING>

Encryption type. Possible values are EC, NACL, and CUSTOM. Defaults to NACL.

keyout, filename

tessera keygen --keyout <FILE>[,<FILE>...]

Comma-separated list of key files to generate. The number of arguments determines the number of key pairs to generate. Defaults to null.

Legacy syntax for this option is -filename <FILE>[,<FILE>...].

pwdout

tessera keygen --pwdout <FILE>

Path to save updated password list to. To use this option, you must supply the --configout and --configfile options.

vault.hashicorp.approlepath

tessera keygen --vault.hashicorp.approlepath <PATH>

AppRole path for HashiCorp Vault authentication. Defaults to approle.

Legacy syntax for this option is -keygenvaultapprole <PATH>.

vault.hashicorp.secretenginepath

tessera keygen --vault.hashicorp.secretenginepath <PATH>

Path to the v2 HashiCorp Vault secret engine.

Legacy syntax for this option is -keygenvaultsecretengine <PATH>.

vault.hashicorp.tlskeystore

tessera keygen --vault.hashicorp.tlskeystore <FILE>

Path to JKS keystore for TLS communication with HashiCorp Vault.

Legacy syntax for this option is -keygenvaultkeystore <FILE>.

vault.hashicorp.tlstruststore

tessera keygen --vault.hashicorp.tlstruststore <FILE>

Path to JKS truststore for TLS communication with HashiCorp Vault.

Legacy syntax for this option is -keygenvaulttruststore <FILE>.

vault.type

tessera keygen --vault.type <STRING>

Key vault provider in which to save the generated key.

If not specified, keys are encrypted and stored on the local filesystem. Valid options are AZURE, AWS, and HASHICORP.

Legacy syntax for this option is -keygenvaulttype <STRING>.

vault.url

tessera keygen --vault.url <STRING>

Key vault base URL.

Legacy syntax for this option is -keygenvaulturl <STRING>.

keyupdate, -updatepassword

Update the password or encryption options for an already locked key, or apply a new password to an unlocked key.

Legacy syntax for this subcommand is -updatepassword [COMMAND OPTIONS].

configfile, config-file

tessera keyupdate --configfile <FILE>

Path to the node's configuration file.

debug

tessera keyupdate --debug

Prints full exception stack traces to stdout.

encryptor.ellipticCurve

tessera keyupdate --encryptor.ellipticCurve <STRING>

Elliptic curve to use for the updated keys. Defaults to secp256r1.

encryptor.nonceLength

tessera keyupdate --encryptor.nonceLength <INTEGER>

Nonce length to use as the initialization vector (IV) for symmetric encryption. Defaults to 24.

encryptor.sharedKeyLength

tessera keyupdate --encryptor.sharedKeyLength <INTEGER>

Key length to use for symmetric encryption when updating keys. Defaults to 32.

encryptor.symmetricCipher

tessera keyupdate --encryptor.symmetricCipher <STRING>

Symmetric cipher to use for encrypting data. Defaults to AES/GCM/NoPadding.

encryptor.type

tessera keyupdate --encryptor.type <STRING>

Encryption type. Possible values are EC, NACL, and CUSTOM. Defaults to NACL.

keys.keyData.config.data.aopts.algorithm

tessera keyupdate --keys.keyData.config.data.aopts.algorithm <STRING>

Argon2 variant to use. Defaults to i.

Valid options are i, d, and id.

keys.keyData.config.data.aopts.iterations

tessera keyupdate --keys.keyData.config.data.aopts.iterations <INTEGER>

Number of Argon2 iterations to perform. Defaults to 10.

keys.keyData.config.data.aopts.memory

tessera keyupdate --keys.keyData.config.data.aopts.memory <INTEGER>

Sets the Argon2 memory usage. Defaults to 1048576.

keys.keyData.config.data.aopts.parallelism

tessera keyupdate --keys.keyData.config.data.aopts.parallelism <INTEGER>

Sets the number of parallel Argon2 threads. Defaults to 4.

keys.keyData.privateKeyPath

tessera keyupdate --keys.keyData.privateKeyPath <PATH>

Path to the private key file to update. This option is required.

keys.password

tessera keyupdate --keys.password <STRING>

Password to unlock the private key specified using keys.keyData.privateKeyPath.

keys.passwordFile

tessera keyupdate --keys.passwordFile <FILE>

File containing the password to unlock the private key specified using keys.keyData.privateKeyPath.
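
Added example, not part of the Tessera documentation: a shell wrapper that combines the keyupdate options above, supplies the unlock password through --keys.passwordFile rather than --keys.password, and refuses a password file that group or other users can access. The TESSERA variable, the function names, and the file names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Tessera project): wrapper around `tessera keyupdate`.
# TESSERA is a hypothetical override for the binary name, used here for a dry run.

# Succeeds only if the password file exists and grants nothing to group/other.
password_file_ok() {
  [ -f "$1" ] || return 1
  # Characters 5-10 of `ls -l` output are the group and other permission bits.
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: keyupdate_argon2 <private-key-file> <password-file> [i|d|id]
keyupdate_argon2() {
  local key="$1" pwfile="$2" variant="${3:-id}"
  case "$variant" in
    i|d|id) ;;   # the Argon2 variants the reference lists as valid
    *) echo "invalid Argon2 variant: $variant" >&2; return 2 ;;
  esac
  [ -f "$key" ] || { echo "no such key file: $key" >&2; return 3; }
  password_file_ok "$pwfile" || {
    echo "refusing $pwfile: missing or accessible to group/other" >&2; return 4; }
  # --keys.passwordFile keeps the unlock password out of argv (process listings,
  # shell history), unlike --keys.password. The cost parameters are the
  # documented defaults, passed explicitly so the invocation is self-describing.
  "${TESSERA:-tessera}" keyupdate \
    --keys.keyData.privateKeyPath "$key" \
    --keys.passwordFile "$pwfile" \
    --keys.keyData.config.data.aopts.algorithm "$variant" \
    --keys.keyData.config.data.aopts.iterations 10 \
    --keys.keyData.config.data.aopts.memory 1048576 \
    --keys.keyData.config.data.aopts.parallelism 4
}

# Dry run on constructed files: with TESSERA=echo the arguments are printed
# instead of being passed to a real Tessera binary.
demo_dir="$(mktemp -d)"
: > "$demo_dir/node.key"
( umask 077; printf 'constructed-password\n' > "$demo_dir/node.pwd" )
( TESSERA=echo; keyupdate_argon2 "$demo_dir/node.key" "$demo_dir/node.pwd" id )
```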

version

tessera version

Prints version information and exits.