aescbc, ipso, secstore \- secstore commands
authenticates to a secure-store server
using a password and optionally a hardware token,
then saves or retrieves a file.
This is intended to be a credentials store (public/private keypairs,
passwords, and other secrets) for a factotum.
prompts for a password change.
retrieves a file to the local directory;
writes it to standard output instead.
will send to standard output
a list of remote files with dates, lengths and SHA1 hashes.
says that the password should be read from standard input
says that the password should be read from NVRAM
stores a file on the secstore.
removes a file from the secstore.
.BR tcp!$auth!secstore ,
or the server specified by option
access the secure-store files belonging to
produces more verbose output, in particular providing a few
bits of feedback to help the user detect mistyping.
For example, to add a secret to the file read by
at startup, open a new window, type
% auth/secstore -g factotum
% echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum
% auth/secstore -p factotum
% read -m factotum > /mnt/factotum/ctl
and delete the window.
The first line creates an ephemeral memory-resident workspace,
invisible to others and automatically removed when the window is deleted.
The next three commands fetch the persistent copy of the secrets,
and save the updated file back to secstore.
The final command loads the new secret into the running factotum.
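The key line appended in the example above follows factotum's attribute=value format, in which an attribute whose name begins with \fB!\fR holds a secret. The following Python program is an added illustration, not code from the secstore manual or from the Plan 9 sources: it parses such key lines, renders them with secret values hidden (the \fB!password?\fR rendering is this example's own choice), appends a new key the way the \fBecho >>\fR step does, and reports the length and SHA1 of the resulting file so it can be compared against the listing that the list option prints for the stored copy. The sample key file, host names and user names are constructed.

```python
import hashlib
import shlex

# Constructed sample content of a factotum key file, as edited in the
# secstore workflow described above. Each line is 'key attr=value ...';
# factotum treats attributes whose names begin with '!' as secret.
SAMPLE_KEYFILE = """\
key proto=apop dom=x.com user=ehg !password=hi
key proto=pass service=ssh server=gate.example.com user=ehg !password='two words'
"""


def parse_key_line(line):
    """Split one 'key attr=value ...' line into a dict attr -> value.

    Single-quoted values ('two words') are handled by shlex. Returns None
    for blank lines.
    """
    line = line.strip()
    if not line:
        return None
    words = shlex.split(line)
    if words[0] != "key":
        raise ValueError("expected a 'key' line: %r" % line)
    attrs = {}
    for word in words[1:]:
        if "=" in word:
            name, value = word.split("=", 1)
        else:
            name, value = word, ""   # bare attribute with no value
        attrs[name] = value
    return attrs


def parse_keyfile(text):
    """Parse a whole key file into a list of attribute dicts."""
    keys = [parse_key_line(l) for l in text.splitlines()]
    return [k for k in keys if k is not None]


def is_secret(name):
    """factotum convention: a '!'-prefixed attribute is a secret."""
    return name.startswith("!")


def secret_attrs(attrs):
    """Names of the secret attributes in one key."""
    return [n for n in attrs if is_secret(n)]


def format_key(attrs):
    """Render a key back into a line factotum would accept."""
    parts = ["key"]
    for name, value in attrs.items():
        parts.append(name if value == "" else "%s=%s" % (name, shlex.quote(value)))
    return " ".join(parts)


def redacted(attrs):
    """Render a key for display with every secret value hidden.

    Hypothetical rendering chosen for this example: the secret attribute is
    printed as its name followed by '?' and the value is never emitted.
    """
    parts = ["key"]
    for name, value in attrs.items():
        if is_secret(name):
            parts.append(name + "?")
        else:
            parts.append(name if value == "" else "%s=%s" % (name, shlex.quote(value)))
    return " ".join(parts)


def append_key(text, attrs):
    """Append a key line to the file text, as 'echo ... >> factotum' does,
    making sure the previous last line is newline-terminated first."""
    if text and not text.endswith("\n"):
        text += "\n"
    return text + format_key(attrs) + "\n"


def local_listing(text):
    """(length, sha1 hex) of the file as it will be stored, for comparison
    with the dates/lengths/SHA1 hashes that the list option prints."""
    data = text.encode("utf-8")
    return len(data), hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    updated = append_key(SAMPLE_KEYFILE,
                         {"proto": "pass", "server": "mail.x.com",
                          "user": "ehg", "!password": "s3cret"})
    for key in parse_keyfile(updated):
        print(redacted(key))   # secrets never reach the terminal
    print("length=%d sha1=%s" % local_listing(updated))
```

Displaying keys only through redacted() is the point: the original secret never leaves the parsed structure, which matters when this kind of file is edited in a shared or logged session.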
command packages this sequence into a convenient script to simplify editing of
stored on a secure store.
on them. When the editor exits,
prompts the user to confirm copying modified or newly created files back to
grabs all the user's files from
flush current keys from factotum and load
the new ones from the file.
will perform only the requested operations, i.e.,
edit, flush, and/or load.
as the editor instead of
option provides a similar service for files encrypted by
option, the full rooted pathname of the
must be specified and all
must be encrypted with the same key.
newly created files are ignored.
using AES (Rijndael) in cipher block chaining (CBC) mode.
reads from file descriptor 3.
.B /sys/src/cmd/auth/secstore
There is deliberately no backup of files on the secstore, so
(or a disk crash) is irrevocable. You are advised to store
important secrets in a second location.
secrets will appear as plain text in the editor window,
so use the command in private.