.\" Manual for the key-management configuration files
.\" (c) 2008 Straylight/Edgeware
.\"----- Licensing notice ---------------------------------------------------
.\" This file is part of Trivial IP Encryption (TrIPE).
.\" TrIPE is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" TrIPE is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\" You should have received a copy of the GNU General Public License
.\" along with TrIPE; if not, write to the Free Software Foundation,
.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
.\"--------------------------------------------------------------------------
.so ../common/defs.man \" @@@PRE@@@
.\"--------------------------------------------------------------------------
.TH tripe-keys.conf 5tripe "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.\"--------------------------------------------------------------------------
tripe-keys.conf \- configuration file format for tripe-keys
.\"--------------------------------------------------------------------------
file is a simple line-based configuration file read by
Lines may be empty (consist only of whitespace), be comments (first
non-whitespace character is
consists of alphanumeric characters and hyphens. Values may contain
substitutions, of the form
which are replaced by the value assigned to
have significance to the
program: these are described below. Many have sensible defaults.
.SS "The tripe-keys.master file"
The client configuration file is built by applying substitutions to the
file. The following tokens are substituted:
The sequence number of the most recently-added signing key.
The fingerprint of the signing key identified by
.BR @MASTER-SEQUENCE@ .
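.PP
The following is an added example, written for this page and not code
from TrIPE or the tripe-keys program. It reads a file in the line-based
format described above (blank lines, comments, assignments whose names are
alphanumerics and hyphens, substitutions expanded recursively) and renders
the client file from tripe-keys.master. Because the lines giving the exact
syntax are missing from this page, the
.B name = value
assignment form, the
.B #
comment character and the
.B ${name}
substitution form are assumptions, as are the setting names base-url,
repos-base, repos-url, master-sequence, master-fingerprint and master-attrs
in the sample and the token name @MASTER-FINGERPRINT@; only
@MASTER-SEQUENCE@ and tripe-keys.tar.gz are taken from the text.

```python
import re

# Assumed syntax (this page no longer shows it): 'name = value' assignments,
# '#' comments, ${name} substitutions.  Names are alphanumerics and hyphens,
# as the manual states.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")
SUBST_RE = re.compile(r"\$\{([A-Za-z0-9-]+)\}")
# @MASTER-SEQUENCE@ is from the manual; the fingerprint token name is assumed.
MASTER_TOKENS = ("@MASTER-SEQUENCE@", "@MASTER-FINGERPRINT@")


def parse_conf(text):
    """Parse the file into a dict of raw, unexpanded values.

    Blank and comment lines are skipped.  Any other line that is not an
    assignment is an error: a mistyped option that is silently ignored is
    how a weaker-than-intended default ends up in use.
    """
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m is None:
            raise ValueError("line %d: not an assignment: %r" % (lineno, line))
        conf[m.group(1)] = m.group(2)
    return conf


def expand(conf, name, defaults=None, _stack=()):
    """Return conf[name] with ${...} references expanded recursively.

    Names absent from conf fall back to `defaults` (the built-in defaults the
    manual mentions); an unset name or a reference cycle raises instead of
    looping forever or quietly producing an empty string.
    """
    defaults = defaults or {}
    if name in _stack:
        raise ValueError("substitution cycle: " + " -> ".join(_stack + (name,)))
    if name in conf:
        raw = conf[name]
    elif name in defaults:
        raw = defaults[name]
    else:
        raise KeyError("no value for %r" % name)
    return SUBST_RE.sub(
        lambda m: expand(conf, m.group(1), defaults, _stack + (name,)), raw)


def parse_attrs(value):
    """Split a space-separated list of name=value attribute pairs, the form
    the manual gives for master-key and parameter-key attributes."""
    attrs = {}
    for item in value.split():
        k, sep, v = item.partition("=")
        if not sep or not k:
            raise ValueError("bad attribute (expected name=value): %r" % item)
        attrs[k] = v
    return attrs


def render_master(template, sequence, fingerprint):
    """Build the client tripe-keys.conf from tripe-keys.master by replacing
    the two tokens with the current signing key's sequence number and
    fingerprint."""
    return (template.replace(MASTER_TOKENS[0], str(sequence))
                    .replace(MASTER_TOKENS[1], fingerprint))


# Constructed sample master file; the setting names are assumptions, not
# taken from this manual page.
SAMPLE_MASTER = """\
# tripe-keys.master (constructed sample)
base-url = http://www.distorted.org.uk/vpn/
repos-base = tripe-keys.tar.gz
repos-url = ${base-url}${repos-base}
master-sequence = @MASTER-SEQUENCE@
master-fingerprint = @MASTER-FINGERPRINT@
master-attrs = serialization=constlen
"""


def sample_client_conf(sequence=3, fingerprint="0000-0000-0000-0000"):
    """Render the sample master file and return the fully expanded config."""
    conf = parse_conf(render_master(SAMPLE_MASTER, sequence, fingerprint))
    return {name: expand(conf, name) for name in conf}


if __name__ == "__main__":
    for name, value in sorted(sample_client_conf().items()):
        print("%s = %s" % (name, value))
```
.PP
Rejecting non-assignment lines and detecting substitution cycles are the
two checks worth keeping in any reader of this format: the first catches a
misspelled option before it silently falls back to a default, the second
keeps a self-referential value from hanging the tool.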
.SS "Master repository parameters"
The base URL of the key repository (usually with a trailing
Typically, this will be something like
.RB http://www.distorted.org.uk/vpn/ .
The basename for the repository archive. Default is
.BR tripe-keys.tar.gz .
The basename template for repository signatures. Default is
.BR tripe-keys.sig-<SEQ> .
portion, if any, is replaced by the sequence number of the key which
The URL for the key repository tarball. Default is the concatenation of
The URL template for key repository signatures. Default is the
The sequence number of the master authority's current signing key. No
default. Usually set up automatically.
.I master-keygen-flags
Additional options for generating master keys. Default is
Additional attributes to set on the master key,
pairs separated by spaces.
The fingerprint of the current master signing key. No default. Usually
set up automatically.
A shell command to run by
after it has successfully written the
.B ": run upload hook"
.SS "Crypto parameters"
Key-exchange algorithm to use. Either
(integer Diffie-Hellman)
(elliptic curves). The default is
Key generation algorithm name to pass to
when generating keys.
Key generation algorithm name to pass to
when generating the parameters key.
when generating the parameters key. Default depends on
dh \-LS \-b3072 \-B256
Additional attributes to set on the parameters
(and therefore copied to peer keys),
pairs separated by spaces.
dh serialization=constlen
ec serialization=constlen
Expiry time for generated keys. Default is
Hashing algorithm to use. Default is
The bulk crypto transform to use.
Message authentication algorithm to use.
v0 \fIhash\fB-hmac/\fIhalfhashlen
iiv \fIhash\fB-hmac/\fIhalfhashlen
rijndael-cbc
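.PP
The following is an added example, not code from TrIPE, showing what the
default MAC specification
.IB hash \fB-hmac/\fIhalfhashlen
in the table above means in practice: the tag is an HMAC over the
configured hash, truncated to half the hash's output length. It uses
Python's hmac module, which implements the same RFC 2104 HMAC construction
that a hash-hmac MAC names, so the tags agree with any other correct HMAC
for the same hash; the hash names used are Python's, and the mapping from
the names tripe-keys accepts is assumed. The 64-bit minimum tag length is a
policy chosen for this example, not something the manual states.

```python
import hashlib
import hmac

# Added example: HMAC tags of the "hash-hmac/halfhashlen" shape.  The hash
# names are Python's (e.g. "sha256"); mapping from tripe's names is assumed.


def halfhashlen_spec(hash_name):
    """Derive the default 'hash-hmac/halfhashlen' spec for a hash: the tag
    length is half the hash's output length, in bits."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    return "%s-hmac/%d" % (hash_name, digest_bits // 2)


def parse_mac_spec(spec):
    """Split 'hash-hmac/bits' into (hash_name, tag_length_in_bytes).

    Rejects a tag length that is not a whole number of bytes, exceeds the
    hash output (nothing to truncate to), or is below 64 bits (a minimum
    chosen for this example).
    """
    alg, sep, bits = spec.partition("/")
    if not sep or not alg.endswith("-hmac") or not bits.isdigit():
        raise ValueError("unsupported MAC spec %r" % spec)
    hash_name = alg[: -len("-hmac")]
    tag_bits = int(bits)
    full_bits = hashlib.new(hash_name).digest_size * 8
    if tag_bits % 8 or tag_bits > full_bits or tag_bits < 64:
        raise ValueError("bad tag length %d for %s" % (tag_bits, hash_name))
    return hash_name, tag_bits // 8


def mac_tag(spec, key, message):
    """Compute the (truncated) HMAC tag for a message under the given spec."""
    hash_name, tag_len = parse_mac_spec(spec)
    return hmac.new(key, message, hash_name).digest()[:tag_len]


def mac_verify(spec, key, message, tag):
    """Check a tag in constant time.  A tag of the wrong length never
    matches, so a truncated or empty tag cannot be accepted by accident."""
    expected = mac_tag(spec, key, message)
    return len(tag) == len(expected) and hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    spec = halfhashlen_spec("sha256")          # sha256-hmac/128
    # Inputs of RFC 4231 test case 2, so the full-length tag can be checked
    # against a published vector.
    key, msg = b"Jefe", b"what do ya want for nothing?"
    t = mac_tag(spec, key, msg)
    print(spec, t.hex(), mac_verify(spec, key, msg, t))
```
.PP
Truncating to half the hash length is the conventional trade-off (shorter
packets, still far beyond brute force for any hash wide enough to be
chosen here); the checks in parse_mac_spec are what stop a mistyped spec
from producing a tag shorter than intended.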
Mask-generation algorithm to use. Default is
This is probably a good choice.
Symmetric encryption scheme to use.
Signature scheme to use. Must be one of those recognized by
Key-generation algorithm for signing key. Default depends on
Signature-key generation parameters. Default depends on
dh \-LS \-b3072 \-B256
Hash function to use for making signatures. Default is
Oldest time we should consider a signed archive to be fresh. Default is
meaning that all signatures are fresh.
Expiry time for master signing key. Default is
Hash function to use for key fingerprinting. Default is
.SS "Master maintenance parameters"
Local base directory for the repository files. This probably ought to
character. Unexpected files in this directory will be removed by the
Filename for local repository tarball. Default is the concatenation of
Template for repository signatures. Default is the concatenation of
Filename for local repository configuration file. Default is
.IB basedir /tripe-keys.conf \fR.
.B "tripe-keys check"
command will warn about keys which will in less than
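.PP
The following is an added example, not code from the tripe-keys program.
It covers the two time-window checks this manual describes, the freshness
limit on a signed archive (a default of zero meaning every signature is
fresh) and the early warning that
.B "tripe-keys check"
gives for keys approaching expiry, together with expansion of the
.B <SEQ>
portion of a signature-name template, which is how a client finds the
signature belonging to a given signing key. The setting names sig-fresh
and warn-expire, the use of seconds for both, and the recording of a key's
expiry as a Unix timestamp or the word "forever" are assumptions; the
template
.B tripe-keys.sig-<SEQ>
is from the text.

```python
import time

# Added example; setting names and units below are assumptions, see lead-in.
SEQ_TOKEN = "<SEQ>"
DAY = 86400


def sig_name(template, sequence):
    """Expand a signature-name template such as tripe-keys.sig-<SEQ>: the
    <SEQ> portion, if present, becomes the signing key's sequence number."""
    return template.replace(SEQ_TOKEN, str(sequence))


def archive_is_fresh(signed_at, sig_fresh, now=None):
    """Decide whether a signature made at `signed_at` (Unix time) is fresh.

    sig_fresh is the oldest acceptable age in seconds (assumed unit); 0
    means every signature is fresh, matching the manual's default.  A
    non-zero limit is what stops someone who can serve clients an old but
    validly signed archive from rolling them back to keys that have since
    been replaced.  A signature dated in the future (clock skew) is not
    treated as stale; it is the signature check, not this one, that decides
    whether it is genuine.
    """
    if sig_fresh < 0:
        raise ValueError("sig-fresh must not be negative")
    if sig_fresh == 0:
        return True
    now = time.time() if now is None else now
    return now - signed_at <= sig_fresh


def expiry_warnings(keys, warn_expire, now=None):
    """Emulate the warning `tripe-keys check` gives for keys close to expiry.

    `keys` maps key tag -> expiry, either a Unix timestamp or "forever".
    Returns (tag, reason) pairs, sorted by tag, for keys that have already
    expired or will expire within warn_expire seconds.
    """
    now = time.time() if now is None else now
    warnings = []
    for tag, expiry in sorted(keys.items()):
        if expiry == "forever":
            continue
        remaining = expiry - now
        if remaining <= 0:
            warnings.append((tag, "expired"))
        elif remaining < warn_expire:
            warnings.append((tag, "expires in %d days" % (remaining // DAY)))
    return warnings


NOW = 1700000000          # fixed clock so the sample is reproducible
# Constructed sample key set, not from any real repository.
SAMPLE_KEYS = {
    "peer-alice": NOW + 5 * DAY,
    "peer-bob": NOW + 60 * DAY,
    "old-peer": NOW - DAY,
    "master": "forever",
}

if __name__ == "__main__":
    print(sig_name("tripe-keys.sig-<SEQ>", 7))
    print(archive_is_fresh(NOW - 10 * DAY, 7 * DAY, NOW))
    for tag, why in expiry_warnings(SAMPLE_KEYS, 14 * DAY, NOW):
        print("warning: %s %s" % (tag, why))
```
.PP
The expiry warning is deliberately separate from enforcement: it exists so
that the master can re-sign and republish before peers start rejecting a
key, whereas the freshness limit is enforced at fetch time and fails
closed.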
.\"--------------------------------------------------------------------------
.\"--------------------------------------------------------------------------
Mark Wooding, <mdw@distorted.org.uk>
.\"----- That's all, folks --------------------------------------------------