DSKE CLI Reference
All DSKE commands are subcommands of qufabric dske. Run qufabric dske --help for full
usage information.
Commands
qufabric dske status
qufabric dske statusShow DSKE status including registered security hubs and PSRD levels.
qufabric dske status
Output:
DSKE Status: Enabled
Local Peer UUID: 625e104c8321934fd6533994f8967b7c
Registered Security Hubs:
Hub ID Client ID Generate Recover Status
0a1b2c3d4e5f67890a1b2c3d4e5f6789 fedcba9876543210fedcba9876543210 524288 524288 Enabled
1234567890abcdef1234567890abcdef abcdef1234567890abcdef1234567890 1048576 1048576 Enabled
qufabric dske ingest-psrd <file>
qufabric dske ingest-psrd <file>Ingest a wrapped PSRD file to register with a security hub.
qufabric dske ingest-psrd /path/to/psrd-wrapped.json
Arguments:
| Argument | Description |
|---|---|
file | Path to the wrapped PSRD JSON file |
Notes:
- Each file is single-use — it cannot be re-ingested
- Each client must receive a unique PSRD file
- This command registers the client with the hub and stores credentials locally
qufabric dske list-hubs
qufabric dske list-hubsList all registered security hubs with their PSRD levels.
qufabric dske list-hubs
qufabric dske disable-hub <hub-id>
qufabric dske disable-hub <hub-id>Temporarily disable a security hub. The hub is not notified — this only affects local behavior. DSKE will not use this hub for key generation or recovery until re-enabled.
qufabric dske disable-hub 0a1b2c3d4e5f67890a1b2c3d4e5f6789
Arguments:
| Argument | Description |
|---|---|
hub-id | Security hub ID (32 hex characters) |
qufabric dske enable-hub <hub-id>
qufabric dske enable-hub <hub-id>Re-enable a previously disabled security hub.
qufabric dske enable-hub 0a1b2c3d4e5f67890a1b2c3d4e5f6789
qufabric dske remove-hub <hub-id>
qufabric dske remove-hub <hub-id>Permanently remove a security hub registration. To re-register, you must ingest a new PSRD file for this hub.
qufabric dske remove-hub 0a1b2c3d4e5f67890a1b2c3d4e5f6789
Warning: This is destructive. The client's credentials for this hub are deleted. You will need a new PSRD file from the hub administrator to re-register.
qufabric dske refill-psrd <hub-id>
qufabric dske refill-psrd <hub-id>Request an online PSRD refill from a specific security hub.
qufabric dske refill-psrd 0a1b2c3d4e5f67890a1b2c3d4e5f6789
Notes:
- Requires the hub to support online refill
- Automatic refill is triggered when PSRD levels drop below the warning threshold
- Use this for manual top-up when needed
Quick Reference
| Command | Purpose |
|---|---|
qufabric dske status | Show DSKE status and PSRD levels |
qufabric dske ingest-psrd <file> | Register with a security hub using a PSRD file |
qufabric dske list-hubs | List registered security hubs |
qufabric dske disable-hub <id> | Temporarily disable a hub |
qufabric dske enable-hub <id> | Re-enable a disabled hub |
qufabric dske remove-hub <id> | Permanently remove a hub (requires re-ingest) |
qufabric dske refill-psrd <id> | Request online PSRD refill from a hub |
Security Hub Commands
These commands run on the security hub peer using the local distributor tool:
qbt-local-distributor dske-client add <name>
qbt-local-distributor dske-client add <name>Add a new DSKE client to the security hub.
sudo -u qbtld qbt-local-distributor dske-client add my-client-name --json
qbt-local-distributor dske-client list
qbt-local-distributor dske-client listList all registered DSKE clients.
sudo -u qbtld qbt-local-distributor dske-client list --json
qbt-local-distributor dske-client assign-psrd
qbt-local-distributor dske-client assign-psrdGenerate and assign PSRD to a client.
sudo -u qbtld qbt-local-distributor dske-client assign-psrd \
--first \
--user-bytes 524288 \
--server-bytes 524288 \
--user-id <dske-client-id> \
-o /tmp/psrd-output
Flags:
| Flag | Description |
|---|---|
--first | Use for initial PSRD assignment |
--user-bytes | PSRD bytes for user-initiated operations |
--server-bytes | PSRD bytes for server-initiated operations |
--user-id | The DSKE client ID from the add command |
-o | Output directory for the wrapped PSRD file |