.SH NAME
aescbc, ipso, secstore \- secstore commands
.SH DESCRIPTION
.I Secstore
authenticates to the server
using a password and optionally a hardware token,
then saves or retrieves a file.
This is intended to be a credentials store (public/private keypairs,
passwords, and other secrets) for a factotum.
.PP
The option
.B -p
stores a file on the secstore.
.PP
The option
.B -g
retrieves a file to the local directory;
writes it to standard output instead.
A
.I getfile
of . will send to standard output
a list of remote files with dates, lengths and SHA1 hashes.
.PP
removes a file from the secstore.
.PP
prompts for a password change.
.PP
produces more verbose output, in particular providing a few
bits of feedback to help the user detect mistyping.
.PP
says that the password should be read from standard input
.PP
says that the password should be read from NVRAM
.PP
.BR tcp!$auth!secstore ,
or the server specified by option
.PP
For example, to add a secret to the file read by
.EX
% cd somewhere-private
% auth/secstore -g factotum
% echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum
% auth/secstore -p factotum
% cat factotum | 9p write -l factotum/ctl
.EE
.PP
and delete the window.
The middle commands fetch the persistent copy of the secrets,
and save the updated file back to secstore.
The final command loads the new secret into the running factotum.
.PP
The
.I ipso
command packages this sequence into a convenient script to simplify editing of
the files
stored on a secure store.
It copies them
into a private directory,
plumbs them to the editor,
and waits for a line on the console.
Once a line is typed,
signifying that editing is complete,
.I ipso
prompts the user to confirm copying modified or newly created files back to
.IR secstore .
.PP
grabs all the user's files from
.PP
By default, ipso will edit the
.B factotum
file and, when done, also
flush current keys from factotum and load
the new ones from the file.
.PP
will just perform only the requested operations, i.e.,
edit, flush, and/or load.
.PP
provides a similar service for files encrypted by
.IR aescbc .
With this
option, the full rooted pathname of the
files
must be specified and all
files
must be encrypted with the same key.
In this mode,
newly created files are ignored.
.PP
.I Aescbc
encrypts and decrypts using AES (Rijndael) in cipher
block chaining (CBC) mode.
.SH SOURCE
.B \*9/src/cmd/auth/secstore
.SH BUGS
There is deliberately no backup of files on the secstore, so
removing a file
(or a disk crash) is irrevocable. You are advised to store
important secrets in a second location.
.PP
When using
.IR ipso ,
secrets will appear as plain text in the editor window,
so use the command in private.
.PP
Establishing a private directory in which to store the secret
files is difficult on Unix.
.I Ipso
creates a mode 700 directory
file system; if it exists,
directory in its root
.PP
Users should zero the secret files before removing them.