KEYFS(4) KEYFS(4)
NAME
keyfs - encrypted key storage
SYNOPSIS
auth/keyfs [ -D ] [ -m mountpoint ] [ -n nvram ] [ keyfile ]
DESCRIPTION
Keyfs serves a two-level name space for storing authentica-
tion data, specifically the status and secrets of each user
to whom logind(8) can issue a certificate. The data is
stored in keyfile (default: /keydb/keys), encrypted by a
master key using AES (see keyring-crypt(2)). Keyfs should be
started only on the machine acting as authentication server
(signer), before a listener is started for signer(8). Note
that signer and keyfs must share the name space. Further-
more, no other application except the console should see
that name space.
Keyfs prompts for the master key, reads and decrypts
keyfile, and serves files representing the contents at
mountpoint in the name space (default: /mnt/keys).
Each user in keyfile is represented by a directory
mountpoint/user. Each such directory has the following
files:
log A count of the number of failed authentications.
Writing bad to the file increments the count; writ-
ing good resets it to 0. When the count reaches
some implementation-defined limit, the account sta-
tus is set to disabled (see the status file below).
expire The time in seconds since the epoch when the account
will expire, or the text never if it has no expira-
tion time. The string never or a number can be
written to the file to set a new expiry time.
secret The secret (supposedly) known only to the user and
the authentication service. A secret is any
sequence of bytes between 0 and 255 bytes long; it
is initially empty. The length of the file returned
by sys-stat(2) is the length of the secret. If the
account has expired or is disabled, an attempt to
read the file will give an error.
status The current status of the user's account, either ok
or disabled. Either string can be written to the
file to change the state accordingly.
To add a new account, make a directory with that name in
mountpoint. It must not already exist. To remove an
account, remove the corresponding directory; to rename an
account, rename the directory.
Page 1 Plan 9 (printed 4/19/24)
KEYFS(4) KEYFS(4)
All changes made via file system operations in mountpoint
result in appropriate changes to keyfile.
If the -n option is given, instead of prompting for the mas-
ter key, keyfs will read it from the file nvram. Obviously
that file should be well-protected from ordinary observers.
The -D option enables tracing of the file service protocol,
for debugging.
SOURCE
/appl/cmd/auth/keyfs.b
SEE ALSO
changelogin(8), logind(8), signer(8)
Page 2 Plan 9 (printed 4/19/24)