aboutsummaryrefslogtreecommitdiff
path: root/share/man/keyringer.1.mdwn
diff options
context:
space:
mode:
Diffstat (limited to 'share/man/keyringer.1.mdwn')
-rw-r--r--share/man/keyringer.1.mdwn324
1 files changed, 0 insertions, 324 deletions
diff --git a/share/man/keyringer.1.mdwn b/share/man/keyringer.1.mdwn
deleted file mode 100644
index 8acd747..0000000
--- a/share/man/keyringer.1.mdwn
+++ /dev/null
@@ -1,324 +0,0 @@
-% KEYRINGER(1) Keyringer User Manual
-% Silvio Rhatto <rhatto@riseup.net>
-% Oct 25, 2013
-
-# NAME
-
-keyringer - encrypted and distributed secret sharing software
-
-# SYNOPSIS
-
-keyringer <*keyring*> <*action*> [*options*]...
-
-# DESCRIPTION
-
-Keyringer lets you manage and share secrets using GnuPG and Git in a
-distributed fashion.
-
-It has custom commands to create key-pairs and to encrypt, decrypt and
-re-encrypt secrets. It also supports encryption to multiple recipients
-and groups of recipients, to allow a workgroup to share access to a single
-repository while restricting some secrets to subsets of the group.
-
-Secrets are encrypted using OpenPGP and added to a Git tree so that they
-can be synced with remote branches later.
-
-# ACTIONS
-
-Keyringer has three types of actions:
-
-1. Repository lookup and manipulation actions, which handle repository initialization,
- content tracking and navigation.
-
-2. Secret manipulation actions, which take care of encrypting, decrypting and other
- read/write operations on secrets.
-
-3. Configuration actions, handling repository metadata.
-
-# REPOSITORY LOOKUP AND MANIPULATION ACTIONS
-
-find <*expression*>
-: Find secrets in the repository.
-
-init <*path*> [*remote*]
-: Initialize a new keyringer repository. If a *remote* URL is specified, keyringer will
- clone an existing repository.
-
- After initialization, *path* will contain a folder structure for storing secrets
- and metadata (user aka recipients, groups of recipients, etc).
-
- Also, an entry will be added to `$HOME/.keyringer/config` allowing keyringer to
- find the keyring by its alias.
-
-destroy
-: Alias for *teardown* action.
-
-git <*action*> <*options*>
-: Git wrapper that operates from the toplevel keyring repository. You can issue any
- *GIT(1)* subcommand with this action to have it applied in the keyring repository.
-
-commit [*arguments*]
-: Alias to "git commit".
-
-ls <*path*>
-: List contents from the toplevel repository *keys* folder or from relative paths
- if *path* is specified. Like the git wrapper, this is a wrapper around the *LS(1)*
- command.
-
-mkdir <*path*>
-: Create a directory inside the repository *keys* folder.
-
-rmdir <*path*>
-: Remove an empty folder inside the repository *keys* folder.
-
-tree <*path*>
-: List contents from the toplevel repository *keys* folder or from relative paths
- if *path* is specified using a tree-like format. Like the ls wrapper, this is a
- wrapper around the *TREE(1)* command.
-
-shell
-: Run keyringer on interactive mode from a built-in command-line prompt where
- all other actions can be called and are operated from the current selected
- keyring.
-
- An additional "cd" internal command is available for directory navigation.
-
- All <*secret*> parameters from actions invoked from the shell are called
- relatively from the current selected directory.
-
-teardown
-: Remove permanently a local copy of a repository, very dangerous if you
- have just a single copy.
-
-check
-: Run maintenance checks in a keyring.
-
-# SECRET MANIPULATION ACTIONS
-
-All secret manipulation actions operate upon a *secret* which is the pathname
-of an encrypted file relative to the keyring with optional `.asc` extension.
-
-If the `.asc` extension is omitted, keyringer will add it at the end of the
-pathname.
-
-No spaces are allowed in the secret name.
-
-Secret manipulation actions do not commit changes into the secret repository.
-Instead, the user has to manually commit the changes using the git wrapper
-action.
-
-append <*secret*>
-: Append contents into a secret by decrypting the secret, appending lines read
- from the standard input and encrypting again.
-
-append-batch <*secret*>
-: Append contents into a secret, batch mode.
-
-decrypt <*secret*>
-: Decrypts a secret into standard output.
-
-del <*secret*>
-: Removes a secret using Git. After deleting a secret a git commit and push is still
- needed to update remote repositories.
-
- Please note that this command **does not remove the secret from the Git history.**
- To completely remove a file from a keyring, you should also rewrite the Git
- history yourself.
-
-delete <*secret*>
-: Alias for *del* action.
-
-rm <*secret*>
-: Alias for *del* action.
-
-cp <*secret*> <*dest*>
-: Copy a secret.
-
-mv <*secret*> <*dest*>
-: Rename a secret.
-
-edit <*secret*>
-: Edit a secret by temporarily decrypting it, opening the decrypted copy into the
- text editor defined by the *$EDITOR* environment variable and then re-encrypting it.
-
- Please make sure to use an *$EDITOR* which does not leak data like history buffers.
- Keyringer tries to detect if *$EDITOR* is set to VIM and disables the *.viminfo* file.
-
-encrypt <*secret*> [*file*]
-: Encrypts content from standard input or *file* into *secret* pathname. No spaces
- are supported in the *secret* name. If *file* is actually a folder, keyringer
- will recursivelly encrypt all it's contents.
-
-encrypt-batch <*secret*> [*file*]
-: Encrypt content, batch mode. Behavior is identical to *encrypt* action, but less
- verbose. Useful inside scripts.
-
-genkeys <*ssh*|*gpg*|*x509*|*x509-self*|*ssl*|*ssl-self*> [*options*]
-: Wrapper to generate encryption key-pairs, useful for automated key deployment.
-
-genpair <*ssh*|*gpg*|*x509*|*x509-self*|*ssl*|*ssl-self*> [*options*]
-: Alias for *genkeys* action.
-
-open <*secret*>
-: Decrypt a secret into a temporary folder and open it using xdg-open, which
- tries to figure out the file type and then calls the associated application.
-
- After the application exits, keyringer encrypts the temporary decrypted file
- again into the secret file and deletes the temporary file.
-
-pwgen <*secret*> [*size*]
-: Generates a random passphrase and stores into *secret* pathname with optional
- entropy size in bytes. Default size is 20.
-
- Passphrases will be slightly bigger than size due to base64 conversion.
-
- With this action you can generate and store a passphrase without need to see
- it. Combined with clip or sclip action provides an hygienic way to handle
- secrets.
-
-recrypt <*secret*>
-: Re-encrypts a secret by decrypting it and encrypting it again. Useful when users are added
- into the recipient configuration. If no *secret* is given, all secrets in the repository
- are re-encrypted.
-
-clip <*secret*>
-: Copy the first line of a secret to the clipboard, following password-store convention.
-
-xclip <*secret*>
-: Alias to clip action.
-
-sclip <*secret*>
-: Same as clip action, but sleeps five seconds, overwrite clipboard and exit. If xdotool
- is available, it also switches to the next window using the alt+Tab shortcut. This action
- is useful to be invoked by a custom key combo in a window manager so it becomes easy to
- provide keyringer managed passphrases to other applications such as a web browser.
-
-# CONFIGURATION ACTIONS
-
-commands
-: List available actions, useful for shell completion and syntax check.
-
-options <*ls*|*edit*|*add*>
-: List, edit or add miscellaneous *repository* options.
-
- Repository options are settings which are saved in the repository as a *global*
- configuration stanza for a given keyring, shared by all users with access to
- the repository.
-
- Options are written using the *KEY=VALUE* syntax. All lines starting with the
- hash (#) character are interpreted as comments.
-
-preferences <*ls*|*edit*|*add*>
-: List, edit or add *user* preferences for a given repository.
-
- User preferences are settings which are saved in the user's keyringer folder
- (`$HOME/.keyringer/`), and not shared with the other users.
-
- Preferences are written using the *KEY=VALUE* syntax. All lines starting with the
- hash (#) character are interpreted as comments.
-
-usage
-: Show keyringer usage information.
-
-help
-: Alias for usage action.
-
-recipients <*ls*|*edit*> <*recipients-file*>
-: List, create or edit recipients configuration.
-
- Recipients files are lists of OpenPGP public key fingerprints which are used
- by keyringer when encrypting secrets and associated with email aliases.
-
- Keyringer uses a default recipients file, but specifying a custom *recipients-file*
- pathname will override this default.
-
- For instance, if a user encrypts a secret to a file in the keyring repository's
- *accounting* folder, a *recipients-file* under *accounting* will be used.
- Encrypting a secret into *accounting/bank-accounts* will result in a file
- `$KEYRING_FOLDER/keys/accounting/bank-accounts.asc` encrypted using the public
- keys listed in the config file`$KEYRING_FOLDER/config/recipients/accounting`.
-
- Each line in a recipients file has entries in the format
- 'john@doe.com XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', where *john@doe.com*
- is an alias for the OpenPGP public key whose fingerprint is
- *XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.*
-
- All lines starting with the hash (#) character are interpreted as comments.
-
- Parameters to the *recipients* action are:
-
- *ls*
- : List all existing recipients files.
-
- *edit*
- : Create or edit a recipients file.
-
- Editing happens using the editor specified by the `$EDITOR`
- environment variable.
-
- The required parameter *recipients-file* is interpreted relative
- to the `$KEYRING_FOLDER/config/recipients/` folder.
-
-# FILES
-
-$HOME/.keyringer/config
-: User's main configuration file used to map alias names to keyrings.
-
-$HOME/.keyringer/*keyring*
-: User preferences for the keyringer aliased *keyring* keyring.
-
-$KEYRING_FOLDER/config/options
-: Custom keyring options which will be applied for all users that use
- the keyringer repository.
-
-# LIMITATIONS
-
-Keyringer currently has the following limitations:
-
-1. Metadata is not encrypted, meaning that an attacker with access to a keyringer
- repository can discover all public key IDs used for encryption, and which secrets
- are encrypted to which keys. This can be improved in the future by encrypting
- the repository configuration with support for the *--hidden-recipient* GnuPG
- option and encrypted repository options.
-
- To mitigate that, it's possible to keep the repo just atop of an encrypted and
- non-public place.
-
-2. History is not rewritten by default when secrets are removed from a keyringer
- repository. After a secret is removed with the *del* action, it will still be
- available in the repository history even after a commit. This is by design
- for the following reasons:
-
- - It's the default behavior of the Git content tracker. Forcing the
- deletion by default could break the expected behavior and hence limit
- the repository's backup features, which can be helpful if someone
- mistakenly overwrites a secret.
-
- - History rewriting cannot be considered a security measure against the
- unauthorized access to a secret as it doesn't automatically update all
- working copies of the repository.
-
- In the case that the secret is a passphrase, the recommended measure
- against such attacks is to change the passphrase, making useless the
- knowledge of the previous secret.
-
- Users wishing to edit their repository history should proceed manually
- using the *git* action.
-
-3. Keyringer does not protect data which were not encrypted to a keyring,
- so be careful when decrypting secrets and writing them to the disk or
- other storage media.
-
- Pay special attention that keyringer outputs data to stdout, which could
- be easily spotted by any agent looking directly at you computer screen.
-
- The xclip action even copies secret data to the X11 clipboard, which can
- be accessed by any application running in the user's X11 session, so use
- this feature carefully.
-
-# SEE ALSO
-
-The *README* file distributed with Keyringer contains full documentation.
-
-The Keyringer source code and all documentation may be downloaded from
-<https://keyringer.pw>.