Create a Volt
A tdx Volt can be created using either the command-line interface (CLI) or the fusebox.
cli
Use the create cli command:
./volt create --helpThe most simple way to create a tdx Volt from the command line is shown below.
In this example, the tdx Volt will be created in the default Battery, with no password protection or encryption on either the Battery storage or the tdx Volt itself.
./volt create "Alice's laptop"Using a YubiKey Hardware Security Module (HSM)
Use the hardware key strategy to create a tdx Volt that uses a YubiKey HSM to store the root key.
The -k switch specifies the PKCS#11 engine type, module path and slot number that identifies the YubiKey HSM.
The -k switch takes the form of a semicolon-separated string with the following format:
<engine id>;<module path>;<slot number>For example:
pkcs11;/opt/homebrew/Cellar/opensc/0.24.0/lib/opensc-pkcs11.so;01You will need to adjust the path to the opensc-pkcs11.so library to match your installation.
An example command line to create a tdx Volt using a YubiKey HSM on macOS that has installed the OpenSC software using Homebrew is shown below. Here we are using the default PIN for the YubiKey HSM, you should change this to your own PIN using the -p switch.
./volt create "Alice" -s hardware -k "pkcs11;/opt/homebrew/Cellar/opensc/0.24.0/lib/opensc-pkcs11.so;01" -p 123456See the PKCS#11 reference for more information about configuring the tdx Volt to use a PKCS#11 HSM.
Using an encrypted root key
Use the p switch to specify a password that will be used to encrypt the tdx Volt storage.
By default, the tdx Volt will auto-generate a new key at creation and encrypt it with the given password. The tdx Volt will not store the password so you must remember it.
./volt create "Alice's laptop" -p secretUse a period . to force the CLI to prompt for the password rather than include it explicitly in the command line.
./volt create "Alice's laptop" -p .> enter Volt passphrase: _There is currently no way to recover or reset the **tdx Volt** password so if you lose it you will not be able to access the Volt.
Using a file-based key
By default the tdx Volt key is stored with the tdx Volt configuration. If the Battery and tdx Volt itself are encrypted this is a fairly safe option.
Alternatively you can create a tdx Volt using a key stored on the local file system.
./volt create "Alice's laptop" -k /path/to/key/fileIf /path/to/key/file does not exist it will be created.
If the key is encrypted (recommended) you can specify or prompt for the password using the p switch as described
above.
./volt create "Alice's laptop" -k /path/to/key/file -p .It's possible to use this option to create a **tdx Volt** using a key stored on an encrypted USB stick for example. Of course the key file must be available to the **tdx Volt** when it is started.
Create a tdx Volt using a fixed host
By default when a tdx Volt is created its certificate is bound to the current (or first) ipv4 network interface
address. If you would like to bind a tdx Volt to a specific IP address or domain name use the host and port
command line switches.
./volt create "Alice's server" --host aliceserver.com --port 40725Create a tdx Volt with a Relay
Use the relay-address and relay-challenge switches to create a tdx Volt with a pre-configured relay. This is
useful in scenarios where the tdx Volt is created on remote devices, as it enables the configuration of a remote
connection to the tdx Volt via the fusebox to complete the commissioning.
Note that you almost certainly want to use the -k switch to specify the file in which the tdx Volt key will be
written. This is because you will need the key to be able to configure the remote fusebox connection.
./volt create --name "Alice's NAS" -k ./alice.key --relay-address https://tdxvolt.com --relay-challenge letmeinWhen the tdx Volt is first run it will create and configure the Relay connection and issue a bind request to the Relay Volt. The Relay Volt owner/administrator may need to approve the bind request before the binding is complete.
fusebox
Creating a tdx Volt using the fusebox is straightfoward. Use the โnew Voltโ button on the slide-out menu panel:
Then fill out the form:
