aescbc, ipso, secstore \- secstore commands
authenticates to a secure-store server
using a password and optionally a hardware token,
then saves or retrieves a file.
This is intended to be a credentials store (public/private keypairs,
passwords, and other secrets) for a factotum.
prompts for a password change.
retrieves a file to the local directory;
writes it to standard output instead.
will send to standard output
a list of remote files with dates, lengths and SHA1 hashes.
says that the password should be read from standard input
says that the password should be read from NVRAM
stores a file on the secstore.
removes a file from the secstore.
sets the dial string of the
server. The default is contained in the
environment variable. If the
.BR tcp!$auth!secstore .
access the secure-store files belonging to
produces more verbose output, in particular providing a few
bits of feedback to help the user detect mistyping.
For example, to add a secret to the file read by
at startup, open a new window, type
% auth/secstore -g factotum
% echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum
% auth/secstore -p factotum
% read -m factotum > /mnt/factotum/ctl
and delete the window.
The first line creates an ephemeral memory-resident workspace,
invisible to others and automatically removed when the window is deleted.
The next three commands fetch the persistent copy of the secrets,
and save the updated file back to secstore.
The final command loads the new secret into the running factotum.
command packages this sequence into a convenient script to simplify editing of
stored on a secure store.
on them. When the editor exits,
prompts the user to confirm copying modified or newly created files back to
grabs all the user's files from
flush current keys from factotum and load
the new ones from the file.
will just perform only the requested operations, i.e.,
edit, flush, and/or load.
as the editor instead of
option provides a similar service for files encrypted by
option, the full rooted pathname of the
must be specified and all
must be encrypted with the same key.
newly created files are ignored.
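The bookkeeping ipso does after the editor exits, as an added POSIX sh example (not the ipso script itself): snapshot the fetched files, report which were modified or newly created (new files are skipped in the aescbc mode described above), and ask per file before it would be copied back. The directory layout, the demo data and the function names are constructed for this example.

```shell
# Added example, not the ipso script itself: ipso's post-editor bookkeeping in
# POSIX sh. Directory names and the demo data are constructed for this example.
# snapshot DIR OUT: record "name checksum" for each regular file in DIR.
snapshot() {
    _dir=$1; _out=$2
    : > "$_out"
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        printf '%s %s\n' "${_f##*/}" "$(cksum < "$_f" | cut -d' ' -f1)" >> "$_out"
    done
}
# changed_files BEFORE AFTER [IGNORE_NEW]: print "modified NAME" for files whose
# checksum changed and "new NAME" for files absent from BEFORE. IGNORE_NEW=1 is
# the aescbc mode, where newly created files are ignored. Locally deleted files
# are never listed: ipso only copies files back, it removes nothing from the store.
changed_files() {
    _before=$1; _after=$2; _ignore_new=${3:-0}
    while read -r _name _sum; do
        _old=$(awk -v n="$_name" '$1 == n { print $2 }' "$_before")
        if [ -z "$_old" ]; then
            [ "$_ignore_new" = 1 ] || printf 'new %s\n' "$_name"
        elif [ "$_old" != "$_sum" ]; then
            printf 'modified %s\n' "$_name"
        fi
    done < "$_after"
}
# confirm_store LIST: ask y/n on stdin for every line of a changed_files report
# (prompt on stderr) and print the names agreed to; the caller would then run
# `auth/secstore -p NAME` for each of them.
confirm_store() {
    while read -r _kind _name <&3; do
        printf 'copy %s file %s back to secstore? [y/n] ' "$_kind" "$_name" >&2
        read -r _ans || _ans=n
        case $_ans in y|Y) printf '%s\n' "$_name" ;; esac
    done 3< "$1"
}
# demo [IGNORE_NEW]: constructed scenario with one edited, one unchanged and
# one new file; prints the changed_files report.
demo() {
    _t=$(mktemp -d); mkdir "$_t/before" "$_t/after"
    printf 'key proto=apop dom=x.com user=ehg !password=hi\n' > "$_t/before/factotum"
    printf 'unchanged\n' > "$_t/before/other"
    snapshot "$_t/before" "$_t/snap1"
    cp "$_t/before/factotum" "$_t/before/other" "$_t/after/"
    printf 'key proto=pass user=ehg !password=x\n' >> "$_t/after/factotum"
    printf 'new secret\n' > "$_t/after/newkeys"
    snapshot "$_t/after" "$_t/snap2"
    changed_files "$_t/snap1" "$_t/snap2" "${1:-0}"
    rm -r "$_t"
}
```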
using AES (Rijndael) in cipher block chaining (CBC) mode.
reads from file descriptor 3.
.B /sys/src/cmd/auth/secstore
Secstore sets error status on failure but will not print an error
message when reading NVRAM or dialing the secstore server fails
There is deliberately no backup of files on the secstore, so
(or a disk crash) is irrevocable. You are advised to store
important secrets in a second location.
secrets will appear as plain text in the editor window,
so use the command in private.