Using aescbc to store factotum keys
-as of Mon Feb 18 03:56:13 EST 2013-
GETTING THE KEYS
The easiest way to get the right options for the keys is to let factotum do it for you. Authenticate to the services you want the keys to be saved for and read factotum's control file.
% cat /mnt/factotum/ctl key proto=p9sk1 dom=outside.plan9.bell-labs.com user=rsc !password? %
SAVING THE KEYS
First, your secrets file must be initialised.
% echo test | auth/aescbc -e > $home/lib/fact.keys % aescbc key:
Change the permissions on the file so that only you can read it.
% chmod 600 $home/lib/fact.keys
Add the keys to the secrets file.
% ipso -a $home/lib/fact.keys Warning: The editor will display the secret contents of your aescbc files in the clear. aescbc password: aescbc key:
Replace 'test' with the keys, replacing each instance '!password?' to '!password=secret' where 'secret' is the password for the key.
POPULATING FACTOTUM AT STARTUP
Instead of manually running the command to populate factotum, you can have it done in your profile
# Add some keys to factotum if(test -f $home/lib/fact.keys) auth/aescbc -d < $home/lib/fact.keys | read -m > /mnt/factotum/ctl
USING AESCBC AND SECSTORE TOGETHER
One may make use of a secstore server even if one prefers not to store keys in unencrypted form by combining the use of aescbc to encrypt with secstore to retrieve. Here is a script which replaces ipso(1) and stores data only in encrypted form. By default it uses a file named 'p' for storage. -e file edits file, -p file puts file in encrypted form on secstore, and -g retrieves an encrypted file, decrypts, and adds it to factotum. -s server specifies a secstore server. It uses ed for its editor, you may change this to another editor if preferred.
#!/bin/rc # ipso replacement with encryption of what is stored rfork e while(~ $1 -*){ switch($1){ case -e mode=edit shift case -g mode=get shift case -p mode=put shift case -s server=$2 shift shift case * echo 'usage [-s server] [-egp] [file]' exit usage } } targ=$1 if(~ $targ '') targ=p if(~ $server '') server=$auth fn getf{ { echo rawon echo -n $name password: >/dev/cons read > f echo > /dev/cons }</dev/cons > /dev/consctl } fn gettarg{ auth/secstore -i -g $targ -s $server <f auth/aescbc -d -i <$targ >q <[3] f } fn puttarg{ auth/aescbc -e -i <q >$targ <[3] f auth/secstore -i -p $targ -s $server <f } fn delete{ cat /lib/namespace >f cat /lib/namespace >$targ cat /lib/namespace >q rm f $targ q cd / } if(~ $mode put){ if(! test -e $targ){ echo $targ does not exist exit no.target } rfork ensf if(! test -d /tmp/nada) mkdir /tmp/nada ramfs -p -m /tmp/nada cp $targ /tmp/nada/q cd /tmp/nada getf puttarg delete unmount /tmp/nada echo dont forget to remove $targ exit '' } if(~ $mode edit){ rfork ensf ramfs -p cd /tmp getf gettarg ed q puttarg delete unmount /tmp exit '' } if(~ $mode get){ rfork ensf if(! test -d /tmp/nada) mkdir /tmp/nada ramfs -p -m /tmp/nada cd /tmp/nada getf gettarg read -m q > /mnt/factotum/ctl delete unmount /tmp/nada exit '' }