Using aescbc to store factotum keys
D1361177773
Amycroftiv
#secstore(1) is traditionally used to store private keys for
#factotum(4). When an auth server is not used, such as on a
#stand-alone terminal, a different solution must be found.
#
#GETTING THE KEYS
#
#The easiest way to get the right options for the keys is to let
#factotum do it for you. Authenticate to the services you want the
#keys to be saved for and read factotum's control file.
#
#! % cat /mnt/factotum/ctl
#! key proto=p9sk1 dom=outside.plan9.bell-labs.com user=rsc !password?
#! % 
#
#SAVING THE KEYS
#
#First, your secrets file must be initialised.
#
#! % echo test | auth/aescbc -e > $home/lib/fact.keys
#! % aescbc key:
#
#Change the permissions on the file so that only you can read it.
#
#! % chmod 600 $home/lib/fact.keys
#
#Add the keys to the secrets file.
#
#! % ipso -a $home/lib/fact.keys
#! 
#!   Warning: The editor will display the secret contents of
#!   your aescbc files in the clear.
#! 
#! aescbc password:
#! aescbc key:
#
#Replace 'test' with the keys, replacing each instance '!password?'
#to '!password=secret' where 'secret' is the password for the key.
#
#POPULATING FACTOTUM AT STARTUP
#
#Instead of manually running the command to populate factotum, you
#can have it done in your profile
#
#! # Add some keys to factotum
#! if(test -f $home/lib/fact.keys)
#!      auth/aescbc -d < $home/lib/fact.keys | read -m > /mnt/factotum/ctl
#
#USING AESCBC AND SECSTORE TOGETHER
#
#One may make use of a secstore server even if one prefers not to
#store keys in unencrypted form by combining the use of aescbc to
#encrypt with secstore to retrieve. Here is a script which replaces
#ipso(1) and stores data only in encrypted form. By default it uses a
#file named 'p' for storage. -e file edits file, -p file puts file in
#encrypted form on secstore, and -g retrieves an encrypted file,
#decrypts, and adds it to factotum. -s server specifies a secstore
#server. It uses ed for its editor, you may change this to another
#editor if preferred.
#
#! #!/bin/rc
#! # ipso replacement with encryption of what is stored
#! 
#! rfork e
#! while(~ $1 -*){
#! 	switch($1){
#! 	case -e
#! 		mode=edit
#! 		shift
#! 	case -g
#! 		mode=get
#! 		shift
#! 	case -p
#! 		mode=put
#! 		shift
#! 	case -s
#! 		server=$2
#! 		shift
#! 		shift
#! 	case *
#! 		echo 'usage [-s server] [-egp] [file]'
#! 		exit usage
#! 	}
#! }
#! targ=$1
#! if(~ $targ '')
#! 	targ=p
#! if(~ $server '')
#! 	server=$auth
#! 
#! fn getf{
#! 	{
#! 		echo rawon
#! 		echo -n $name password: >/dev/cons
#! 		read > f
#! 		echo > /dev/cons
#! 	}</dev/cons > /dev/consctl
#! }
#! 
#! fn gettarg{
#! 	auth/secstore -i -g $targ -s $server <f
#! 	auth/aescbc -d -i <$targ >q <[3] f
#! }
#! 
#! fn puttarg{
#! 	auth/aescbc -e -i <q >$targ <[3] f
#! 	auth/secstore -i -p $targ -s $server <f
#! }
#! 
#! fn delete{
#! 	cat /lib/namespace >f
#! 	cat /lib/namespace >$targ
#! 	cat /lib/namespace >q
#! 	rm f $targ q
#! 	cd /
#! }
#! 
#! if(~ $mode put){
#! 	if(! test -e $targ){
#! 		echo $targ does not exist
#! 		exit no.target
#! 	}
#! 	rfork ensf
#! 	if(! test -d /tmp/nada)
#! 		mkdir /tmp/nada
#! 	ramfs -p -m /tmp/nada
#! 	cp $targ /tmp/nada/q
#! 	cd /tmp/nada
#! 	
#! 	getf
#! 	puttarg
#! 	delete
#! 
#! 	unmount /tmp/nada
#! 	echo dont forget to remove $targ
#! 	exit ''
#! }
#! 
#! if(~ $mode edit){
#! 	rfork ensf
#! 	ramfs -p
#! 	cd /tmp
#! 
#! 	getf
#! 	gettarg
#! 	ed q
#! 	puttarg
#! 	delete
#! 
#! 	unmount /tmp
#! 	exit ''
#! }
#! 
#! if(~ $mode get){	
#! 	rfork ensf
#! 	if(! test -d /tmp/nada)
#! 		mkdir /tmp/nada
#! 	ramfs -p -m /tmp/nada
#! 	cd /tmp/nada
#! 
#! 	getf
#! 	gettarg
#! 	read -m q > /mnt/factotum/ctl
#! 	delete
#! 
#! 	unmount /tmp/nada
#! 	exit ''
#! }
#