WebSVN – planix.SVN – Blame – /os/trunk/sys/man/1/secstore

Rev	Author	Line No.	Line
2	-	1	`.TH SECSTORE 1`
		2	`.SH NAME`
		3	`aescbc, ipso, secstore \- secstore commands`
		4	`.SH SYNOPSIS`
		5	`.B auth/secstore`
		6	`[`
		7	`.B -cinv`
		8	`] [`
		9	`.B -(g\|G)`
		10	`.I getfile`
		11	`] [`
		12	`.B -p`
		13	`.I putfile`
		14	`] [`
		15	`.B -r`
		16	`.I rmfile`
		17	`] [`
		18	`.B -s`
		19	`.I server`
		20	`] [`
		21	`.B -u`
		22	`.I user`
		23	`]`
		24	`.PP`
		25	`.B auth/aescbc`
		26	`-e`
		27	`[ -in ]`
		28	`.I <cleartext`
		29	`.I >ciphertext`
		30	`.br`
		31	`.B auth/aescbc`
		32	`-d`
		33	`[ -in ]`
		34	`.I <ciphertext`
		35	`.I >cleartext`
		36	`.PP`
		37	`.B ipso`
		38	`[`
		39	`.B -a -e -l -f -s`
		40	`] [`
		41	`.I file`
		42	`\&...`
		43	`]`
		44	`.SH DESCRIPTION`
		45	`.I Secstore`
		46	`authenticates to a secure-store server`
		47	`using a password and optionally a hardware token,`
		48	`then saves or retrieves a file.`
		49	`This is intended to be a credentials store (public/private keypairs,`
		50	`passwords, and other secrets) for a factotum.`
		51	`.PP`
		52	`Option`
		53	`.B -c`
		54	`prompts for a password change.`
		55	`.PP`
		56	`Option`
		57	`.B -g`
		58	`retrieves a file to the local directory;`
		59	`option`
		60	`.B -G`
		61	`writes it to standard output instead.`
		62	`Specifying`
		63	`.I getfile`
		64	`of`
		65	`.L \&.`
		66	`will send to standard output`
		67	`a list of remote files with dates, lengths and SHA1 hashes.`
		68	`.PP`
		69	`Option`
		70	`.B -i`
		71	`says that the password should be read from standard input`
		72	`instead of from`
		73	`.BR /dev/cons .`
		74	`.PP`
		75	`Option`
		76	`.B -n`
		77	`says that the password should be read from NVRAM`
		78	`(see`
		79	`.IR authsrv (2))`
		80	`instead of from`
		81	`.BR /dev/cons .`
		82	`.PP`
		83	`Option`
		84	`.B -p`
		85	`stores a file on the secstore.`
		86	`.PP`
		87	`Option`
		88	`.B -r`
		89	`removes a file from the secstore.`
		90	`.PP`
		91	`The server is`
		92	`.BR tcp!$auth!secstore ,`
		93	`or the server specified by option`
		94	`.BR -s .`
		95	`.PP`
		96	`Option`
		97	`.B -u`
		98	`accesses the secure-store files belonging to`
		99	`.IR user .`
		100	`.PP`
		101	`Option`
		102	`.B -v`
		103	`produces more verbose output, in particular providing a few`
		104	`bits of feedback to help the user detect mistyping.`
		105	`.PP`
		106	`For example, to add a secret to the file read by`
		107	`.IR factotum (4)`
		108	`at startup, open a new window, type`
		109	`.LP`
		110	`.EX`
		111	`% ramfs -p; cd /tmp`
		112	`% auth/secstore -g factotum`
		113	`secstore password:`
		114	`% echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum`
		115	`% auth/secstore -p factotum`
		116	`secstore password:`
		117	`% read -m factotum > /mnt/factotum/ctl`
		118	`.EE`
		119	`.LP`
		120	`and delete the window.`
		121	`The first line creates an ephemeral memory-resident workspace,`
		122	`invisible to others and automatically removed when the window is deleted.`
		123	`The next three commands fetch the persistent copy of the secrets,`
		124	`append a new secret,`
		125	`and save the updated file back to secstore.`
		126	`The final command loads the new secret into the running factotum.`
		127	`.PP`
		128	`The`
		129	`.I ipso`
		130	`command packages this sequence into a convenient script to simplify editing of`
		131	`.I files`
		132	`stored on a secure store.`
		133	`It copies the named`
		134	`.I files`
		135	`into a local`
		136	`.IR ramfs (4)`
		137	`and invokes`
		138	`.IR acme (1)`
		139	`on them. When the editor exits,`
		140	`.I ipso`
		141	`prompts the user to confirm copying modifed or newly created files back to`
		142	`.I secstore.`
		143	`If no`
		144	`.I file`
		145	`is mentioned,`
		146	`.I ipso`
		147	`grabs all the user's files from`
		148	`.I secstore`
		149	`for editing.`
		150	`.PP`
		151	`By default,`
		152	`.I ipso`
		153	`will edit the`
		154	`.I secstore`
		155	`files and, if`
		156	`one of them is named`
		157	`.BR factotum ,`
		158	`flush current keys from factotum and load`
		159	`the new ones from the file.`
		160	`If the`
		161	`.BR -e ,`
		162	`.BR -f ,`
		163	`or`
		164	`.BR -l`
		165	`options are given,`
		166	`.I ipso`
		167	`will just perform only the requested operations, i.e.,`
		168	`edit, flush, and/or load.`
		169	`.PP`
		170	`The`
		171	`.B -s`
		172	`option of`
		173	`.I ipso`
		174	`invokes`
		175	`.IR sam (1)`
		176	`as the editor insted of`
		177	`.BR acme ;`
		178	`the`
		179	`.B -a`
		180	`option provides a similar service for files encrypted by`
		181	`.I aescbc`
		182	`.RI ( q.v. ).`
		183	`With the`
		184	`.B -a`
		185	`option, the full rooted pathname of the`
		186	`.I file`
		187	`must be specified and all`
		188	`.I files`
		189	`must be encrypted with the same key.`
		190	`Also with`
		191	`.BR -a ,`
		192	`newly created files are ignored.`
		193	`.PP`
		194	`.I Aescbc`
		195	`encrypts (under`
		196	`.LR -e )`
		197	`and decrypts (under`
		198	`.LR -d )`
		199	`using AES (Rijndael) in cipher block chaining (CBC) mode.`
		200	`Options`
		201	`.L i`
		202	`and`
		203	`.L n`
		204	`are as per`
		205	`.IR secstore ,`
		206	`except that`
		207	`.L i`
		208	`reads from file descriptor 3.`
		209	`.SH SOURCE`
		210	`.B /rc/bin/ipso`
		211	`.br`
		212	`.B /sys/src/cmd/auth/secstore`
		213	`.SH SEE ALSO`
		214	`.IR factotum (4),`
		215	`.IR secstore (8)`
		216	`.SH BUGS`
		217	`There is deliberately no backup of files on the secstore, so`
		218	`.B -r`
		219	`(or a disk crash) is irrevocable. You are advised to store`
		220	`important secrets in a second location.`
		221	`.PP`
		222	`When using`
		223	`.IR ipso ,`
		224	`secrets will appear as plain text in the editor window,`
		225	`so use the command in private.`

Subversion Repositories planix.SVN

(root)/os/trunk/sys/man/1/secstore – Rev 2