Storing secrets (or facts)


Secstore allows storage of secrets for authenticated parties. It is the storage counterpart of factotum which handle transactions. The most straightforward way to send secrets to factotum is to just cat a file to it but if the file is not encrypted with ascbc, we are in a unsafe situation, and encrypting files with aescbc prompt for a password for each files. With secstore, you can ask for any number of files with one password prompt.

Storing your secstore key with wrkey is a nice solution for a CPU setup, allowing you to have unattended reboots. But wrkey will store that key in clear in the nvram partition. You may want to avoid using wrkey depending of your situation.

CPU/Auth configuration

If you want to set up a CPU server, following my CPU guide already covers this step. Now, if you are using a standalone terminal like a laptop, a common solution is to set it like a CPU server and enable additional devices to have access to rio. Diffing /bin/cpurc and /bin/termrc will help you getting this up.


Secstored basically serves requests from secstore. You need to enable this service so secstore knows where to get asked secrets.

On a Terminal

We need a way to listen to localhost. kvik sent me this nice command. I put it in /cfg/$sysname/termrc.

cd /net/ipifc && cd `{cat clone} && echo bind loopback > ctl && echo add > ctl

/cfg/$sysname/termrc is a script called by /bin/termrc when you boot as a terminal. Notice that you can have a directory per $sysname, you can manage all your machines in a git repository if you want to.

On a CPU

On a CPU, we shouldn’t have much to configure. Just like termrc, I have a cpustart in /cfg/$sysname with the following lines:


As the hostowner, create the /adm/secstore directory and chmod it for 770. Then, you have to add your user to secstore:

% auth/secuser $user
$user password: # Not echoed. This your secstore password.
retype password: # If you use wrkey, it’s the same one.
expires [DDMMYYYY, default = 21022022]: 21022022
Enabled or Disabled [default Enabled]: 
require STA? [default no]: 
comments [default = ]: 
change written

Getting Secrets In and Out of Secstore

Getting secrets in secstore is easy. Get in a safe directory, place you secrets in a file and ask secstore to store them for you.

% ramfs -p
% cd /tmp
% echo 'sikretz' > fakts
% auth/secstore -p fakts
secstore password: 
N.B. Thanks to ramfs, your fresh /tmp will disappear once you delete its window.

To get your secrets back, you just have to use auth/secstore -g fakts or any other file you stored. Adding or removing a secret to a stored file is just a matter of auth/secstore -g, editing the file and storing it back with auth/secstore -p. If you want to get your secrets to standard input to send them to factotum, you have to use the -G option.

% auth/secstore -G moresikretz >> /mnt/factotum/ctl
secstore password: 

ipso is a script to easily manage secrets held by secstore, and conveniently do so from ramfs. You can modify all of your secrets at once from ipso.

If you stored the secstore password to nvram with auth/wrkey, you can skip the password prompt with the -n option. Combined with termrc/cpustart/profile instruction, you could get password loaded without babysitting your system. If secstore have hard times to find your nvram partition, you can set it in plan9.ini.

fig. Line added to /n/9fat/plan9.ini

Finally, to load secrets at boot, I have two configurations.

  • The first case is for my laptop, XOK9: I don’t have the secstore key stored with wrkey, so I get one password prompt.
  • The second case is for my server, Chitatap: I wrote the secstore key in nvram with wrkey, I get unattended reboots.
fn secstore{
	auth/secstored -s $secstore
	ipso -l 
fig. Lines added to $home/lib/profile. You can replace ipso -l by auth/factotum.
auth/secstore -n -G factotum >> /mnt/factotum/ctl
fig. Line added to /cfg/$sysname/cpustart


auth/aescbc is a much simpler tool. It encrypts (-e) or decrypts (-d) files. If you ever need to back up your secrets from secstore, you better use aescbc to protect them. It’s also a simpler solution if you dont want to set up secstore.

ipso -a can decrypt multiple files encrypted by aescbc at once if they share the same password.