secstore(1) is traditionally used to store private keys for factotum(4). When no auth server is available, as on a stand-alone terminal, another way to keep the keys is needed. The approach here keeps the keys in a file encrypted with aescbc (see secstore(1)) and decrypts it into factotum at startup.

GETTING THE KEYS

The easiest way to get the right attributes for each key is to let factotum work them out for you. Authenticate to the services you want keys saved for, then read factotum's control file, which lists every key it holds with the secret replaced by a query:

! % cat /mnt/factotum/ctl
! key proto=p9sk1 dom=outside.plan9.bell-labs.com user=rsc !password?
! %

SAVING THE KEYS

First, initialise the secrets file. aescbc prompts for its key on the console:

! % echo test | auth/aescbc -e > $home/lib/fact.keys
! aescbc key:

Change the permissions on the file so that only you can read it:

! % chmod 600 $home/lib/fact.keys

Add the keys to the secrets file. ipso(1) decrypts the file into a private ramfs, runs an editor on it and re-encrypts it when the editor exits:

! % ipso -a $home/lib/fact.keys
! 
! Warning: The editor will display the secret contents of
! your aescbc files in the clear.
! 
! aescbc password:
! aescbc key:

In the editor, replace 'test' with the key lines copied from factotum's control file, changing each '!password?' to '!password=secret', where 'secret' is the password for that key.

POPULATING FACTOTUM AT STARTUP

Instead of running the command by hand each time, have your profile populate factotum. read -m issues one write per line of input, which is what factotum's control file expects: one key per write.

! # Add some keys to factotum
! if(test -f $home/lib/fact.keys)
! 	auth/aescbc -d < $home/lib/fact.keys | read -m > /mnt/factotum/ctl

USING AESCBC AND SECSTORE TOGETHER

You can still use a secstore server without it ever holding your keys in the clear: encrypt the file with aescbc locally and let secstore merely store and fetch the ciphertext. Here is a script which replaces ipso(1) and stores data only in encrypted form. By default it works on a file named 'p'. -p file encrypts a local cleartext file and puts the ciphertext on secstore (use this first, to create the file); -e file fetches the ciphertext, decrypts and edits it, and puts the re-encrypted result back; -g file fetches the ciphertext, decrypts it and adds the keys to factotum. -s server names the secstore server; the default is $auth. The file argument is a plain file name, which is also the name used on secstore. One password is prompted for with echo off and serves both as the secstore password and as the aescbc key. All cleartext lives only in a private ramfs inside a private namespace, which is unmounted when the script finishes. It uses ed as its editor; change this to another editor if preferred.

! #!/bin/rc
! # ipso replacement with encryption of what is stored
! 
! rfork e
! while(~ $1 -*){
! 	switch($1){
! 	case -e
! 		mode=edit
! 		shift
! 	case -g
! 		mode=get
! 		shift
! 	case -p
! 		mode=put
! 		shift
! 	case -s
! 		server=$2
! 		shift
! 		shift
! 	case *
! 		echo 'usage: [-s server] -e|-g|-p [file]'
! 		exit usage
! 	}
! }
! if(~ $#mode 0){
! 	echo 'usage: [-s server] -e|-g|-p [file]'
! 	exit usage
! }
! # $src is the file as given (a path only makes sense as the
! # cleartext source for -p); $targ is its name on secstore and
! # inside the ramfs
! src=$1
! if(~ $#src 0)
! 	src=p
! targ=`{basename $src}
! if(~ $#server 0)
! 	server=$auth
! 
! # read one password with echo off; it is used both for secstore
! # and as the aescbc key
! fn getf{
! 	{
! 		echo rawon
! 		echo -n 'password: ' >/dev/cons
! 		read > f
! 		echo > /dev/cons
! 	} >/dev/consctl
! }
! 
! # fetch the encrypted file from secstore and decrypt it into q
! fn gettarg{
! 	auth/secstore -i -g $targ -s $server <f
! 	auth/aescbc -d -i <$targ >q <[3] f
! }
! 
! # encrypt q into $targ and put the ciphertext on secstore
! fn puttarg{
! 	auth/aescbc -e -i <q >$targ <[3] f
! 	auth/secstore -i -p $targ -s $server <f
! }
! 
! # overwrite and remove whatever work files are left in the ramfs
! # (password, cleartext, ciphertext), then leave it so it can be
! # unmounted
! fn delete{
! 	for(i in f q $targ)
! 		if(test -f $i){
! 			cat /lib/namespace >$i
! 			rm $i
! 		}
! 	cd /
! }
! 
! if(~ $mode put){
! 	if(! test -e $src){
! 		echo $src does not exist
! 		exit no.target
! 	}
! 	rfork ensf
! 	if(! test -d /tmp/nada)
! 		mkdir /tmp/nada
! 	ramfs -p -m /tmp/nada
! 	cp $src /tmp/nada/q
! 	cd /tmp/nada
! 
! 	getf
! 	puttarg
! 	delete
! 
! 	unmount /tmp/nada
! 	echo dont forget to remove $src
! 	exit ''
! }
! 
! if(~ $mode edit){
! 	rfork ensf
! 	ramfs -p
! 	cd /tmp
! 
! 	getf
! 	gettarg
! 	ed q
! 	puttarg
! 	delete
! 
! 	unmount /tmp
! 	exit ''
! }
! 
! if(~ $mode get){
! 	rfork ensf
! 	if(! test -d /tmp/nada)
! 		mkdir /tmp/nada
! 	ramfs -p -m /tmp/nada
! 	cd /tmp/nada
! 
! 	getf
! 	gettarg
! 	read -m q > /mnt/factotum/ctl
! 	delete
! 
! 	unmount /tmp/nada
! 	exit ''
! }
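As an added example, not part of the original page, here is an rc script that does what the profile snippet under POPULATING FACTOTUM AT STARTUP does, with the checks worth running before anything is decrypted: it refuses to continue unless factotum is mounted and the keys file is readable by its owner alone, decrypts the file once, and writes each key to the control file as a separate write, reporting the position of any key factotum rejects without ever echoing the key itself. The file name $home/lib/fact.keys follows the page; the script name loadkeys and its exit strings are assumptions.

```rc
#!/bin/rc
# loadkeys: added example, not from the original page. Decrypt
# $home/lib/fact.keys (the file name used on the page) and feed each
# key to factotum one write at a time, after a few sanity checks.
# The script name and exit strings are assumptions.

rfork e
keys=$home/lib/fact.keys

if(! test -f /mnt/factotum/ctl){
	echo loadkeys: factotum is not mounted on /mnt/factotum >[1=2]
	exit nofactotum
}
if(! test -f $keys){
	echo loadkeys: $keys not found >[1=2]
	exit nokeys
}

# Refuse a keys file that anyone else can read. The mode is the first
# field of ls -l, e.g. --rw------- for a plain file with mode 600.
mode=`{ls -l $keys}
if(! ~ $mode(1) ??rw-------){
	echo loadkeys: $keys is mode $mode(1)^', expected --rw------- (run chmod 600)' >[1=2]
	exit badmode
}

# Decrypt once (aescbc prompts for its key on the console) and split
# the cleartext on newlines only, so each element is one key line.
oifs=$ifs
ifs='
'
lines=`{auth/aescbc -d <$keys}
ifs=$oifs

# factotum's control file takes one key per write; a failed write
# is reported by position only, so the secret is never echoed.
n=()
for(key in $lines){
	n=($n x)
	if(! echo $key >/mnt/factotum/ctl)
		echo loadkeys: factotum rejected key $#n of $#lines >[1=2]
}
echo loadkeys: factotum now holds `{wc -l </mnt/factotum/ctl} keys
```

Run it from your profile in place of the three-line snippet above. The per-key loop costs nothing over read -m but gives you a report of which line factotum would not accept, which is the usual symptom of a typo made while editing the file under ipso.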