git » kxd » next » tree

[next] / doc / man / kxd.1

.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "kxd 1"
.TH kxd 1 "2019-08-10" "" ""
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
kxd \- Key exchange daemon
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBkxd\fR [\fIoptions\fR...]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
kxd is a key exchange daemon, which serves blobs of data (keys) over https.
.PP
It can be used to get keys remotely instead of using local storage.
The main use case is to get keys to open dm-crypt devices automatically,
without having to store them on the local machine.
.SH "SETUP"
.IX Header "SETUP"
The server configuration is stored in a root directory (\fI/etc/kxd/data/\fR by
default), and within there, with per-key directories (e.g.
\&\fI/etc/kxd/data/host1/key1/\fR), each containing the following files:
.IP "\fIkey\fR" 8
.IX Item "key"
Contains the key to give to the client.
.IP "\fIallowed_clients\fR" 8
.IX Item "allowed_clients"
Contains one or more PEM-encoded client certificates that will be allowed to
request the key. If not present, then no clients will be allowed to access
this key.
.IP "\fIallowed_hosts\fR" 8
.IX Item "allowed_hosts"
Contains one or more host names (one per line). If not present, then all hosts
will be allowed to access that key (as long as they are authorized with a
valid client certificate).
.IP "\fIemail_to\fR" 8
.IX Item "email_to"
Contains one or more email destinations to notify (one per line).  If not
present, then no notifications will be sent upon key accesses.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-\-key\fR=\fIfile\fR" 8
.IX Item "--key=file"
Private key to use (in \s-1PAM\s0 format). Defaults to \fI/etc/kxd/key.pem\fR.
.IP "\fB\-\-cert\fR=\fIfile\fR" 8
.IX Item "--cert=file"
Certificate to use (in \s-1PAM\s0 format); must match the given key. Defaults to
\&\fI/etc/kxd/cert.pem\fR.
.IP "\fB\-\-data_dir\fR=\fIdirectory\fR" 8
.IX Item "--data_dir=directory"
Data directory, where the key and configuration live (see the \s-1SETUP\s0 section
above). Defaults to \fI/etc/kxd/data\fR.
.IP "\fB\-\-ip_addr\fR=\fIip-address\fR" 8
.IX Item "--ip_addr=ip-address"
\&\s-1IP\s0 address to listen on. Defaults to all.
.IP "\fB\-\-logfile\fR=\fIfile\fR" 8
.IX Item "--logfile=file"
File to write logs to, use \*(L"\-\*(R" for stdout. By default, the daemon will log to
syslog.
.IP "\fB\-\-port\fR=\fIport\fR" 8
.IX Item "--port=port"
Port to listen on. The default port is 19840.
.IP "\fB\-\-email_from\fR=\fIemail-address\fR" 8
.IX Item "--email_from=email-address"
Email address to send email from.
.IP "\fB\-\-smtp_addr\fR=\fIhost:port\fR" 8
.IX Item "--smtp_addr=host:port"
Address of the \s-1SMTP\s0 server to use to send emails. If none is given, then
emails will not be sent.
.IP "\fB\-\-hook\fR=\fIfile\fR" 8
.IX Item "--hook=file"
Script to run before authorizing keys. Skipped if it doesn't exist. Defaults
to \fI/etc/kxd/hook\fR.
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/kxd/key.pem\fR" 8
.IX Item "/etc/kxd/key.pem"
Private key to use (in \s-1PAM\s0 format).
.IP "\fI/etc/kxd/cert.pem\fR" 8
.IX Item "/etc/kxd/cert.pem"
Certificate to use (in \s-1PAM\s0 format); must match the given key.
.IP "\fI/etc/kxd/hook\fR" 8
.IX Item "/etc/kxd/hook"
Script to run before authorizing keys. Skipped if it doesn't exist.
.IP "\fI/etc/kxd/data/\fR" 8
.IX Item "/etc/kxd/data/"
Data directory, where the keys and their configuration live.
.SH "CONTACT"
.IX Header "CONTACT"
Main website <https://blitiri.com.ar/p/kxd>.
.PP
If you have any questions, comments or patches please send them to
\&\f(CW\*(C`albertito@blitiri.com.ar\*(C'\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBkxc\fR\|(1), \fBkxc\-cryptsetup\fR\|(1).