aescbc, secstore, ipso - secstore commands
authenticates to the server
using a password and optionally a hardware token,
then saves or retrieves a file.
This is intended to be a credentials store (public/private keypairs,
passwords, and other secrets) for a factotum.
stores a file on the secstore.
retrieves a file to the local directory;
writes it to standard output instead.
of . will send to standard output
a list of remote files with dates, lengths and SHA1 hashes.
removes a file from the secstore.
prompts for a password change.
produces more verbose output, in particular providing a few
bits of feedback to help the user detect mistyping.
says that the password should be read from standard input
says that the password should be read from NVRAM
This option is unsupported.
or the server specified by option
For example, to add a secret to the file read by
at startup, open a new window, type

    % auth/secstore -g factotum
    % echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum
    % auth/secstore -p factotum
    % read -m factotum > /mnt/factotum/ctl

and delete the window.
The first line creates an ephemeral memory-resident workspace,
invisible to others and automatically removed when the window is deleted.
The next three commands fetch the persistent copy of the secrets,
and save the updated file back to secstore.
The final command loads the new secret into the running factotum.
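A pre-store check for the secrets file edited above, added here as an example (it is not part of secstore or factotum): it parses factotum key lines such as the one in the echo command, masks the value of every attribute whose name begins with !, which factotum treats as secret, and reports secret-looking attributes written without it. The rc-style quoting rule, the second sample key and the secret_names list are assumptions of this example.

```python
import re

# Constructed sample: line 1 is the key from the example above; line 2 is
# made up and stores its password without the '!' that marks a secret.
SAMPLE = """\
key proto=apop dom=x.com user=ehg !password=hi
key proto=pass service=ftp user=ehg password='it''s here'
"""

# Token: bare characters and/or 'quoted' pieces (assumed rc rule: '' = one quote).
_TOKEN = re.compile(r"(?:[^\s']|'(?:[^']|'')*')+")
_QUOTED = re.compile(r"'((?:[^']|'')*)'")

def _unquote(tok):
    return _QUOTED.sub(lambda m: m.group(1).replace("''", "'"), tok)

def _quote(val):
    if val and not re.search(r"[\s'=]", val):
        return val
    return "'" + val.replace("'", "''") + "'"

def parse_key(line):
    """Return [(name, sep, value), ...] for a 'key ...' line, else None."""
    toks = _TOKEN.findall(line)
    if not toks or toks[0] != "key":
        return None
    return [_unquote(t).partition("=") for t in toks[1:]]

def redact(line):
    """Mask every secret (!-prefixed) value; other lines pass through."""
    attrs = parse_key(line)
    if attrs is None:
        return line
    out = ["key"]
    for name, sep, val in attrs:
        if sep:
            val = "<redacted>" if name.startswith("!") else _quote(val)
        out.append(name + sep + val)
    return " ".join(out)

def lint(text, secret_names=("password",)):
    """Return (line_number, name) for secret-looking attributes lacking '!'."""
    return [(n, name)
            for n, line in enumerate(text.splitlines(), 1)
            for name, _, _ in parse_key(line) or []
            if name in secret_names]

if __name__ == "__main__":
    print("\n".join(redact(l) for l in SAMPLE.splitlines()), lint(SAMPLE))
```

Run it on the fetched file inside the private workspace before storing it; the redacted output is the form to paste into a ticket or show on a shared screen.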
command packages this sequence into a convenient script to simplify editing of
stored on a secure store.
on them. When the editor exits,
prompts the user to confirm copying modified or newly created files back to
grabs all the user's files from
By default, ipso will edit the
flush your current keys from factotum and load
the new ones from the file.
If you supply any of the
will just perform the operations you requested, i.e.,
edit, flush, and/or load.
as the editor instead of
option provides a similar service for files encrypted by
option, the full rooted pathname of the
must be specified and all
must be encrypted with the same key.
newly created files are ignored.
encrypts and decrypts using AES (Rijndael) in cipher
block chaining (CBC) mode.
\*9/src/cmd/secstore
Plan 9's secstore(8)
There is deliberately no backup of files on the secstore, so
(or a disk crash) is irrevocable. You are advised to store
important secrets in a second location.
secrets will appear as plain text in the editor window,
so use the command in private.