Storing secrets (or facts)
Secstore allows storage of secrets for authenticated parties. It is the storage counterpart of factotum, which handles transactions. The most straightforward way to send secrets to factotum is to just cat a file to it, but if the file is not encrypted with aescbc we are in an unsafe situation, and encrypting files with aescbc prompts for a password for each file. With secstore, you can ask for any number of files with one password prompt.
Storing your secstore key with wrkey is a nice solution for a CPU setup, allowing you to have unattended reboots. But wrkey will store that key in the clear in the nvram partition. You may want to avoid using wrkey depending on your situation.
If you want to set up a CPU server, following my CPU guide already covers this step. Now, if you are using a standalone terminal like a laptop, a common solution is to set it up like a CPU server and enable the additional devices needed to have access to rio. Diffing /bin/cpurc and /bin/termrc will help you get this set up.
Secstored basically serves requests from secstore. You need to enable this service so secstore knows where to ask for secrets.
On a Terminal
We need a way to listen on localhost. kvik sent me this nice command. I put it in /cfg/$sysname/termrc, which is a script called by /bin/termrc when you boot as a terminal. Notice that you can have a directory per $sysname, so you can manage all your machines in a git repository if you want to.
On a CPU
On a CPU, we shouldn't have much to configure. Just like termrc, I have a cpustart in /cfg/$sysname with the following lines:
As the hostowner, create the /adm/secstore directory and chmod it to 770. Then, you have to add your user to secstore:
Getting secrets into secstore is easy. Get into a safe directory, place your secrets in a file and ask secstore to store them for you.
To get your secrets back, you just have to use auth/secstore -g fakts, or any other file you stored. Adding or removing a secret in a stored file is just a matter of auth/secstore -g, editing the file and storing it back with
If you want secstore to write your secrets to standard output so they can be piped into factotum, you have to use the -G option.
ipso is a script to easily manage secrets held by secstore, and conveniently do so from ramfs. You can modify all of your secrets at once from
If you stored the secstore password to nvram with auth/wrkey, you can skip the password prompt with the -n option. Combined with the termrc/cpustart/profile instructions, you could get passwords loaded without babysitting your system. If secstore has a hard time finding your nvram partition, you can set it in plan9.ini.
Finally, to load secrets at boot, I have two configurations.
- The first case is for my laptop, XOK9: I don't have the secstore key stored with wrkey, so I get one password prompt.
- The second case is for my server, Chitatap: I wrote the secstore key in nvram with wrkey, so I get unattended reboots.
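Here is a small rc script covering both boot cases, as an added example and not the author's own termrc/cpustart lines: it uses auth/secstore -G to write a stored file to standard output and feeds that to factotum's control file, with -n passed through only when the key lives in nvram. The script name (loadsecrets) and the default stored file name (factotum) are assumptions; /mnt/factotum/ctl is factotum's usual control file.

```rc
#!/bin/rc
# loadsecrets [-n] [file]: hypothetical helper, not part of the page.
# Fetches one secstore file and writes it into factotum, the same way
# "cat file > /mnt/factotum/ctl" would, but without the file ever
# touching disk.
#   -n    use the key written to nvram by auth/wrkey (unattended case)
#   file  name of the stored file, default "factotum" (assumed name)
rfork en
file=factotum
nvram=()
for(a in $*){
	switch($a){
	case -n
		nvram=-n
	case *
		file=$a
	}
}
# Without a mounted factotum there is nowhere safe to put the keys.
if(! test -w /mnt/factotum/ctl){
	echo 'loadsecrets: factotum is not mounted, start it first' >[1=2]
	exit nofactotum
}
# -G writes the stored file to standard output; with -n secstore uses
# the nvram key, otherwise this is the single password prompt.
if(! auth/secstore $nvram -G $file > /mnt/factotum/ctl){
	echo 'loadsecrets: could not fetch '$file' from secstore' >[1=2]
	exit secstore
}
```

Call it from /cfg/$sysname/termrc or profile without -n on a laptop where the key is not in nvram, and with -n from cpustart on a server where it is.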
auth/aescbc is a much simpler tool. It encrypts (-e) or decrypts (-d) files. If you ever need to back up your secrets from secstore, you had better use aescbc to protect them. It's also a simpler solution if you don't want to set up secstore.
ipso -a can decrypt multiple files encrypted by aescbc at once if they share the same password.