.\" Manual for the key-management configuration files
.\" (c) 2008 Straylight/Edgeware
.\"----- Licensing notice ---------------------------------------------------
.\" This file is part of Trivial IP Encryption (TrIPE).
.\" TrIPE is free software: you can redistribute it and/or modify it under
.\" the terms of the GNU General Public License as published by the Free
.\" Software Foundation; either version 3 of the License, or (at your
.\" option) any later version.
.\" TrIPE is distributed in the hope that it will be useful, but WITHOUT
.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
.\" FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
.\" You should have received a copy of the GNU General Public License
.\" along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
.\"--------------------------------------------------------------------------
.so ../common/defs.man \" @@@PRE@@@
.\"--------------------------------------------------------------------------
.TH tripe-keys.conf 5tripe "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.\"--------------------------------------------------------------------------
tripe-keys.conf \- configuration file format for tripe-keys
.\"--------------------------------------------------------------------------
file is a simple line-based configuration file read by
Lines may be empty (consist only of whitespace), be comments (first
non-whitespace character is
consists of alphanumeric characters and hyphens. Values may contain
substitutions, of the form
which are replaced by the value assigned to
have significance to the
program: these are described below. Many have sensible defaults.
.SS "The tripe-keys.master file"
The client configuration file is built by applying substitutions to the
file. The following tokens are substituted:
The sequence number of the most recently-added signing key.
The fingerprint of the signing key identified by
.BR @MASTER-SEQUENCE@ .
.SS "Master repository parameters"
The base URL of the key repository (usually with a trailing
Typically, this will be something like
.RB http://www.distorted.org.uk/vpn/ .
The basename for the repository archive. Default is
.BR tripe-keys.tar.gz .
The basename template for repository signatures. Default is
.BR tripe-keys.sig-<SEQ> .
portion, if any, is replaced by the sequence number of the key which
The URL for the key repository tarball. Default is the concatenation of
The URL template for key repository signatures. Default is the
The sequence number of the master authority's current signing key. No
default. Usually set up automatically.
.I master-keygen-flags
Additional options for generating master keys. Default is
Additional attributes to set on the master key,
pairs separated by spaces.
The fingerprint of the current master signing key. No default. Usually
set up automatically.
A shell command to run by
after it has successfully written the
.B ": run upload hook"
.SS "Crypto parameters"
Key-exchange algorithm to use. Either
(integer Diffie-Hellman)
(elliptic curves). The default is
Key generation algorithm name to pass to
when generating keys.
Key generation algorithm name to pass to
when generating the parameters key.
when generating the parameters key. Default depends on
dh \-LS \-b3072 \-B256
Additional attributes to set on the parameters
(and therefore copied to peer keys),
pairs separated by spaces.
dh serialization=constlen
ec serialization=constlen
Expiry time for generated keys. Default is
Hashing algorithm to use. Default is
The bulk crypto transform to use.
Message authentication algorithm to use.
v0 \fIhash\fB-hmac/\fIhalfhashlen
iiv \fIhash\fB-hmac/\fIhalfhashlen\fR rijndael-cbc
Mask-generation algorithm to use. Default is
This is probably a good choice.
Symmetric encryption scheme to use.
Signature scheme to use. Must be one of those recognized by
Key-generation algorithm for signing key. Default depends on
Signature-key generation parameters. Default depends on
dh \-LS \-b3072 \-B256
Hash function to use for making signatures. Default is
Oldest time we should consider a signed archive to be fresh. Default is
meaning that all signatures are fresh.
Expiry time for master signing key. Default is
Hash function to use for key fingerprinting. Default is
.SS "Master maintenance parameters"
Local base directory for the repository files. This probably ought to
character. Unexpected files in this directory will be removed by the
Filename for local repository tarball. Default is the concatenation of
Template for repository signatures. Default is the concatenation of
Filename for local repository configuration file. Default is
.IB basedir /tripe-keys.conf \fR.
.B "tripe-keys check"
command will warn about keys which will in less than
.\"--------------------------------------------------------------------------
.\"--------------------------------------------------------------------------
Mark Wooding, <mdw@distorted.org.uk>
.\"----- That's all, folks --------------------------------------------------