.TH SECSTORE 1
.SH NAME
aescbc, secstore \- secstore commands
.SH SYNOPSIS
.B secstore
[
.B -s
.I server
]
[
.B -(g|G)
.I getfile
]
[
.B -p
.I putfile
]
[
.B -r
.I rmfile
]
[
.B -c
]
[
.B -u
.I user
]
[
.B -v
]
[
.B -i
]
.PP
.B aescbc
-e
.I <cleartext
.I >ciphertext
.br
.B aescbc
-d
.I <ciphertext
.I >cleartext
.\" .PP
.\" .B ipso
.\" [
.\" .B -a -e -l -f -s
.\" ] [
.\" .I file
.\" \&...
.\" ]
.SH DESCRIPTION
.PP
.I Secstore
authenticates to the server
using a password and optionally a hardware token,
then saves or retrieves a file.
This is intended to be a credentials store (public/private keypairs,
passwords, and other secrets) for a factotum.
.PP
Option
.B -p
stores a file on the secstore.
.PP
Option
.B -g
retrieves a file to the local directory;
option
.B -G
writes it to standard output instead.
Specifying
.I getfile
of . will send to standard output
a list of remote files with dates, lengths and SHA1 hashes.
.PP
Option
.B -r
removes a file from the secstore.
.PP
Option
.B -c
prompts for a password change.
.PP
Option
.B -v
produces more verbose output, in particular providing a few
bits of feedback to help the user detect mistyping.
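As an added illustration, not secstore's own code, the following Python sketch shows one way a few bits of typo-detection feedback can be derived from a password, and what showing them costs in secrecy. The construction (PBKDF2-HMAC-SHA256 over a constructed fixed salt, truncated to a few leading bits) is an assumption for illustration only; the man page does not specify how secstore computes its feedback.

```python
# Added example, not secstore's own code.  Sketch of "a few bits of feedback"
# for detecting a mistyped password.  ASSUMPTION: the feedback is the leading
# FEEDBACK_BITS of PBKDF2-HMAC-SHA256(password, salt); secstore's real method
# is not described on the man page.
import hashlib

FEEDBACK_BITS = 4                    # shown to the user; also the upper bound on leakage
SALT = b"constructed-feedback-salt"  # constructed; a real deployment would salt per user
ITERATIONS = 50_000                  # slow hash so the few bits are costly to brute-force


def password_feedback(password: str, bits: int = FEEDBACK_BITS) -> str:
    """Return the `bits` leading bits of a slow hash of the password as a 0/1 string.

    A typo changes the string with probability 1 - 2**-bits, so the user can
    compare it against the string they remember seeing for the real password.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS)
    value = int.from_bytes(digest, "big") >> (8 * len(digest) - bits)
    return format(value, f"0{bits}b")


def typo_detected(remembered: str, typed: str) -> bool:
    """True when the feedback for `typed` differs from the remembered feedback.

    False means either a correct entry or a typo that happens to collide
    (probability 2**-FEEDBACK_BITS).
    """
    return password_feedback(typed) != remembered


def consistent_candidates(feedback: str, candidates: list[str]) -> list[str]:
    """Quantify the cost of the feature: anyone who sees the feedback can discard
    every candidate that does not reproduce it, so each shown bit halves a guess
    list.  That is why the feature stops at a few bits and uses a slow hash."""
    return [c for c in candidates if password_feedback(c) == feedback]


if __name__ == "__main__":
    real = "correct horse battery staple"  # constructed sample secret
    remembered = password_feedback(real)
    print("feedback for the real password:", remembered)
    for attempt in (real, "correct horse battery stapel"):
        verdict = "typo detected" if typo_detected(remembered, attempt) else "matches"
        print(repr(attempt), "->", verdict)
```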
.PP
Option
.B -i
says that the password should be read from standard input
instead of from
.BR /dev/tty .
.PP
Option
.B -n
says that the password should be read from NVRAM
(see
.IR authsrv (3))
instead of from
.BR /dev/tty .
.PP
The server is
.BR tcp!$auth!secstore ,
or the server specified by option
.BR -s .
.PP
For example, to add a secret to the file read by
.IR factotum (4),
run
.sp
.EX
% cd somewhere-private
% auth/secstore -g factotum
secstore password:
% echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum
% auth/secstore -p factotum
secstore password:
% cat factotum | 9p write -l factotum/ctl
.EE
.PP
and delete the window.
The middle commands fetch the persistent copy of the secrets,
append a new secret,
and save the updated file back to secstore.
The final command loads the new secret into the running factotum.
.\" .PP
.\" The
.\" .I ipso
.\" command packages this sequence into a convenient script to simplify editing of
.\" .I files
.\" stored on a secure store.
.\" It copies the named
.\" .I files
.\" into a local
.\" .IR ramfs (4)
.\" and invokes
.\" .IR acme (1)
.\" on them. When the editor exits,
.\" .I ipso
.\" prompts the user to confirm copying modified or newly created files back to
.\" .I secstore.
.\" If no
.\" .I file
.\" is mentioned,
.\" .I ipso
.\" grabs all the user's files from
.\" .I secstore
.\" for editing.
.\" .PP
.\" By default, ipso will edit the
.\" .I secstore
.\" files and, if
.\" one of them is named
.\" .BR factotum ,
.\" flush your current keys from factotum and load
.\" the new ones from the file.
.\" If you supply any of the
.\" .BR -e ,
.\" .BR -f ,
.\" or
.\" .BR -l
.\" options,
.\" .I ipso
.\" will just perform the operations you requested, i.e.,
.\" edit, flush, and/or load.
.\" .PP
.\" The
.\" .B -s
.\" option of
.\" .I ipso
.\" invokes
.\" .IR sam (1)
.\" as the editor instead of
.\" .BR acme ;
.\" the
.\" .B -a
.\" option provides a similar service for files encrypted by
.\" .I aescbc
.\" .RI ( q.v. ).
.\" With the
.\" .B -a
.\" option, the full rooted pathname of the
.\" .I file
.\" must be specified and all
.\" .I files
.\" must be encrypted with the same key.
.\" Also with
.\" .BR -a ,
.\" newly created files are ignored.
.PP
.I Aescbc
encrypts and decrypts using AES (Rijndael) in cipher
block chaining (CBC) mode.
.SH SOURCE
.B \*9/src/cmd/secstore
.SH SEE ALSO
.IR factotum (4),
.IR secstored (1)
.SH BUGS
There is deliberately no backup of files on the secstore, so
.B -r
(or a disk crash) is irrevocable. You are advised to store
important secrets in a second location.
.\" .PP
.\" When using
.\" .IR ipso ,
.\" secrets will appear as plain text in the editor window,
.\" so use the command in private.