GENKEY: Add --no-expire.

[pwmd.git] / doc / pwmd.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.4.90, http://www.gnu.org/software/texinfo/ -->
<head>
<title>PWMD Manual</title>

<meta name="description" content="PWMD Manual">
<meta name="keywords" content="PWMD Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="#Top" rel="start" title="Top">
<link href="#SEC_Contents" rel="contents" title="Table of Contents">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en">
<h1 class="settitle" align="center">PWMD Manual</h1>




<a name="Top"></a>
<div class="header">
<p>
Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<h1 class="node-heading">Top</h1>
 
 
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#Introduction" accesskey="1">Introduction</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Overview of pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Access-Control" accesskey="2">Access Control</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ACL of a single XML element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Cache-Control" accesskey="3">Cache Control</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Key and data file cache handling.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Invoking" accesskey="4">Invoking</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Command line options.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Configuration" accesskey="5">Configuration</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file options.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Commands" accesskey="6">Commands</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Protocol commands.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Status-Messages" accesskey="7">Status Messages</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Status lines and their meaning.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Target-Attribute" accesskey="8">Target Attribute</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">A kind of symbolic link.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Other-Attributes" accesskey="9">Other Attributes</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Other attributes specially handled by pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Key-Expiration">Key Expiration</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">What to do when a key expires.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Signals">Signals</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Signals known to pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Concept-Index">Concept Index</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Index of concepts.
</td></tr>
</table>

<hr>
<a name="Introduction"></a>
<div class="header">
<p>
Next: <a href="#Access-Control" accesskey="n" rel="next">Access Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Overview-of-pwmd"></a>
<h2 class="chapter">1 Overview of <code>pwmd</code></h2>






<p><em>Password Manager Daemon</em> (or <code>pwmd</code>) is a server that
applications connect to and send commands to put and get data
that is stored in an OpenPGP encrypted XML document. It mimics a
filesystem in a lot of ways including per element ACL&rsquo;s, but also has
the advantage of remote connections over TLS and a document cache. The
document cache is needed for a data file encrypted with keys stored on a
smartcard.
</p>
<p>The server uses the Assuan protocol (See <a href="http://www.gnupg.org/documentation/manuals/assuan/Implementation.html#Implementation">(assuan)Implementation</a>) which
is the same used by <code>gpg-agent</code>, <code>pinentry</code> and
<code>scdaemon</code>. It also uses <cite>libgpg-error</cite> for error reporting with
<var>GPG_ERR_SOURCE_USER_1</var> being the error source.
</p>

<p>The XML document uses the following DTD:
</p>
<div class="example">
<pre class="example">    &lt;?xml version=&quot;1.0&quot;?&gt;
    &lt;!DOCTYPE pwmd [
    &lt;!ELEMENT pwmd (element*)&gt;
    &lt;!ATTLIST element _name CDATA #REQUIRED&gt;
    ]&gt;
</pre></div>

<p>The <code>pwmd</code> element is the document root node while all other elements
of the document have the name <code>element</code> with an attribute <code>_name</code>
whose value uniquely identifies the element at the current element tree depth.
It is done this way to avoid XML parsing errors for commonly used
characters.  A URL for example would be an invalid XML element
since the URI contains a &lsquo;<samp>:</samp>&rsquo; which is also the XML
namespace separator.
</p>
<p>As mentioned, an element name must be unique for the current element tree
depth. You cannot have two elements containing the same <code>_name</code> attribute
value. <code>pwmd</code> will stop searching for an element of an <em>element
path</em> at the first match then continue searching for the next element of the
element path beginning at the child node of the matched element.
</p>
<p>An <em>element path</em> is a <code>TAB</code> delimited character string where each
<code>TAB</code> separates each element in the path.  For example, the element path
<code>a<code>TAB</code>b<code>TAB</code>c</code> has the following XML document structure:
</p>
<div class="example">
<pre class="example">   &lt;pwmd&gt;
            &lt;element _name=&quot;a&quot;&gt;
                &lt;element _name=&quot;b&quot;&gt;
                    &lt;element _name=&quot;c&quot;&gt;
                        [... element value or content ...]
                    &lt;/element&gt;
                &lt;/element&gt;
            &lt;/element&gt;
        &lt;/pwmd&gt;
</pre></div>

<p>The only restriction of an element name is that it contain no whitespace
characters.
</p>
<hr>
<a name="Access-Control"></a>
<div class="header">
<p>
Next: <a href="#Cache-Control" accesskey="n" rel="next">Cache Control</a>, Previous: <a href="#Introduction" accesskey="p" rel="prev">Introduction</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Access-Control-1"></a>
<h2 class="chapter">2 Access Control</h2>

<p>Like a filesystem has an ACL to grant or limit access to directories or
files for a specific user or group, <code>pwmd</code> can limit a local user,
group or a TLS connection to a specific element path. This is done by
storing an ACL in the element attribute <var>_acl</var>. Its syntax is
similar to the <var>allowed</var> configuration parameter (see <a href="#Configuration">Configuration</a>)
with the exception that a TLS fingerprint hash is prefixed with a
<code>#</code>.
</p>
<p>Access is denied for all users that are not in the ACL of an element
with the exception of an invoking user (see the <var>invoking_user</var>). The
connected client must be in the ACL for each element in an element path
otherwise an error is returned.  As an example:
</p>
<div class="example">
<pre class="example">&lt;element _name=&quot;test&quot; _acl=&quot;username,-@wheel,root,#ABCDEF&quot;&gt;
        &lt;element _name=&quot;child&quot;/&gt;
&lt;/element&gt;
</pre></div>

<p>The user <code>username</code> would be allowed access to the <code>test</code> element
but not if it is a member of the <code>wheel</code> group although, the <code>root</code>
user, who may be a member of the <code>wheel</code> group, is allowed. The SHA-256
TLS fingerprint hash <code>#ABCDEF</code> is also allowed.  No users other than an
<var>invoking_user</var> are allowed access to the <code>child</code> element.
</p>
<p>The first user listed in the ACL is considered the owner of the
element. This determines which clients may modify an <var>_acl</var> attribute and
store content for an element. An <var>invoking_user</var> may always modify an 
ACL.
</p>
<hr>
<a name="Cache-Control"></a>
<div class="header">
<p>
Next: <a href="#Invoking" accesskey="n" rel="next">Invoking</a>, Previous: <a href="#Access-Control" accesskey="p" rel="prev">Access Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Cache-Control-1"></a>
<h2 class="chapter">3 Cache Control</h2>



<p>While <code>pwmd</code> has its own cache settings for an XML document,
<code>gpg-agent</code> has cache settings for the keys used for crypto operations
of a data file. Specifically the <samp>ignore-cache-for-signing</samp>,
<samp>default-cache-ttl</samp> and <samp>max-cache-ttl</samp> options. These
<code>gpg-agent</code> options may need to be adjusted depending on your usage
needs. For example, the <code>OPEN</code> command may not require a passphrase to
open a data file do to the gpg-agent having a cached key even though the
<code>ISCACHED</code> command returns an error indicating the data file is not
cached; which usually means a passphrase would be required.
</p>
<p>A copy-on-write operation is done for commands that modify the document; the
client that invoked the command will work on a copy of the in-memory document.
The first client to <code>SAVE</code> the changes to disk will require other clients
to reopen the data file do to the checksum being updated.
</p>
<hr>
<a name="Invoking"></a>
<div class="header">
<p>
Next: <a href="#Configuration" accesskey="n" rel="next">Configuration</a>, Previous: <a href="#Cache-Control" accesskey="p" rel="prev">Cache Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Invoking-pwmd"></a>
<h2 class="chapter">4 Invoking <code>pwmd</code></h2>


<p><code>pwmd</code> uses GpgME for encryption, decryption and signing of the
OpenPGP data file. GpgME itself makes use of <code>gpg</code> for these
operations so some configuration of <code>gpg</code> may be needed.  Pwmd spawns
a separate <code>gpg-agent</code> process when <var>gpg_homedir</var>
(see <a href="#Configuration">Configuration</a>) is not set to an instance of an already running
gpg-agent. Any <code>gpg</code> configuration options that you need set should be
put in <var>~/.pwmd/.gnupg/gpg.conf</var> or the <var>gpg.conf</var> file located in
<var>gpg_homedir</var>. The same is true for the <var>gpg-agent.conf</var> file to set
any required <code>gpg-agent</code> options.
</p>
<p>It is recommended to pass the <samp>--allow-preset-passphrase</samp>
option to <code>gpg-agent</code>. Doing so allows <code>pwmd</code>
cache pushing on startup. It is also recommended to pass the
<samp>--allow-loopback-pinentry</samp> to <code>gpg-agent</code> (this is the default
as of gnupg-2.1.15). This option allows a passphrase to be inquired from
<code>pwmd</code> when a <code>pinentry</code> is unavailable to the client
(see <a href="#TLS">TLS</a>).
</p>
<p>If you would like to use a keypair from your default gnupg keyring located in
~/.gnupg, but would still like to use a separate gpg-agent process (the
default), you would need to first export the public key from the default
keyring then import it into the keyring that pwmd uses. You can do this by
first exporting the public key, then use the <samp>--homedir ~/.pwmd/.gnupg</samp>
option of <code>gpg</code> to import it into the new keyring. For private keys,
you would need to copy the private key associated with the exported public key
to <var>~/.pwmd/.gnupg/private-keys-v1.d</var>. If the private key is stored on
a smartcard you can also use the <code>KEYINFO --learn</code> command
(see <a href="#KEYINFO">KEYINFO</a>).
</p>
<a name="index-Running-pwmd"></a>
<p><code>pwmd</code> is executed as follows: 
</p> 
<div class="example">
<pre class="example">pwmd <var>options</var> [ file1 ] [ &hellip; ]
</pre></div>

<p>Non-option arguments are data files to cache upon startup. When the data file
requires a passphrase for decryption a <code>pinentry</code> will prompt either
on the current TTY or from an X11 window when the <code>DISPLAY</code>
environment variable is set. See <a href="#Pinentry">Pinentry</a>.
</p>
<a name="index-Options"></a>
<a name="index-Arguments"></a>
<p>The following command line options are supported:
</p>
<a name="index-Getting-help"></a>
<dl compact="compact">
<dt>&lsquo;<samp>--debug protocol:level[,protocol:level]</samp>&rsquo;</dt>
<dd><p>Enable debugging output. This option can output sensitive information such as
passphrases and secret keys so care should be taken where the output gets
written to. The <var>protocol</var> is a single character representing the protocol
to log. Use <code>a</code> for <code>libassuan</code> with <var>level</var> being one or more
character flags: <code>i</code> for init, <code>x</code> for context, <code>e</code> for engine,
<code>d</code> for data, <code>s</code> for system IO or <code>c</code> for control.  To debug
<code>gpgme</code> use <code>g</code> as the <var>protocol</var> with <var>level</var> being an
integer from <code>1</code> to <code>9</code>. To enable <acronym>TLS</acronym> debugging output
use <code>t</code> as the <var>protocol</var> with <var>level</var> being an integer from
<code>1</code> to <code>9</code>. A value over <code>10</code> will enable all <acronym>TLS</acronym>
debugging output with <code>1</code> being the default.
</p>
</dd>
<dt>&lsquo;<samp>--homedir directory</samp>&rsquo;</dt>
<dd><p>The root directory where pwmd will store its data and temporary files.  The
default is <samp>~/.pwmd</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--rcfile, -f rcfile</samp>&rsquo;</dt>
<dd><p>Specify an alternate configuration file. The default is
<samp>~/.pwmd/config</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--kill</samp>&rsquo;</dt>
<dd><p>Terminate an existing instance of pwmd. The process to terminate is determined
from the <samp>--homedir</samp> and <samp>--rcfile</samp> options.
</p>
</dd>
<dt>&lsquo;<samp>--import, -I filename|-</samp>&rsquo;</dt>
<dd><p>Imports the XML <var>filename</var>. When <var>filename</var> is <code>-</code> the
XML is read from stdin. The XML file should be in conformance to
the <code>pwmd</code> DTD (see <a href="#Introduction">Introduction</a>). You will be prompted for
a passphrase to encrypt with.  The output is written to the filename specified
with <samp>--outfile</samp>. To make use of the imported data, place the output
file in <samp>~/.pwmd/data</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--output, -o filename|-</samp>&rsquo;</dt>
<dd><p>When importing, write the encrypted data file to <var>filename</var>. When
<var>filename</var> is <code>-</code> output will be written to stdout.
</p>
</dd>
<dt>&lsquo;<samp>--passphrase-file, -k filename&quot;</samp>&rsquo;</dt>
<dd><p>Obtain the passphrase to use when importing from the specified <var>filename</var>.
</p>
</dd>
<dt>&lsquo;<samp>--keyid fingerprint[,fingerprint]</samp>&rsquo;</dt>
<dd><p>Specifies the fingerprint of the encryption key to use as a recipient when
importing. When not specified a new key-pair will be created.
</p>
</dd>
<dt>&lsquo;<samp>--sign-keyid fingerprint</samp>&rsquo;</dt>
<dd><p>Specifies the fingerprint of the signing key to use for signing of the data
file when importing.  When not specified the signing key of the generated
key-pair or the signing key of the <samp>--keyid</samp> option will be used.
</p>
</dd>
<dt>&lsquo;<samp>--symmetric, -s</samp>&rsquo;</dt>
<dd><p>Use symmetric or conventional encryption rather than pubic key encryption when
importing.  Signing is still possible by using the <samp>--sign-keyid</samp>
option. By default no signing is done when specifying this option.
</p>
</dd>
<dt>&lsquo;<samp>--userid string</samp>&rsquo;</dt>
<dd><p>When importing, the user id used to identify the generated key. This should be
in the form <code>First Last &lt;email&gt;</code>.
</p>
</dd>
<dt>&lsquo;<samp>--algo string</samp>&rsquo;</dt>
<dd><p>When importing, the algorithm to use when generating the new key pair. The
default is determined by <code>gpg</code>.
</p>
</dd>
<dt>&lsquo;<samp>--expire seconds</samp>&rsquo;</dt>
<dd><p>When importing, the time, in seconds since epoch, when the generated key will
expire. Specifying <code>0</code> will never expire the key. The default is three
years.
</p>
</dd>
<dt>&lsquo;<samp>--no-passphrase</samp>&rsquo;</dt>
<dd><p>When importing, don&rsquo;t require a passphrase for the generated key.
</p>
</dd>
<dt>&lsquo;<samp>--disable-dump</samp>&rsquo;</dt>
<dd><p>Disable the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and <code>DUMP</code>
protocol commands (see <a href="#Commands">Commands</a>). This overrides any
<var>disable_list_and_dump</var> configuration parameter (see <a href="#Configuration">Configuration</a>).
</p>
</dd>
<dt>&lsquo;<samp>--no-fork, -n</samp>&rsquo;</dt>
<dd><p>Run as a foreground process and do not fork into the background.
</p>
</dd>
<dt>&lsquo;<samp>--ignore, --force</samp>&rsquo;</dt>
<dd><p>Ignore cache pushing failures on startup. By default, <code>pwmd</code> will exit
if an error occurred do to an invalid passphrase or other error.
</p>
</dd>
<dt>&lsquo;<samp>--version</samp>&rsquo;</dt>
<dd><p>Show the version, copyright and compile time features and exit.
</p>
</dd>
<dt>&lsquo;<samp>--help</samp>&rsquo;</dt>
<dd><p>Print a summary of options.
</p></dd>
</dl>


<hr>
<a name="Configuration"></a>
<div class="header">
<p>
Next: <a href="#TLS" accesskey="n" rel="next">TLS</a>, Previous: <a href="#Invoking" accesskey="p" rel="prev">Invoking</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="pwmd-configuration-file-options"></a>
<h2 class="chapter">5 <code>pwmd</code> configuration file options</h2>


<p>If no configuration file is specified with the <code>pwmd</code> <samp>-f</samp>
command line option, <code>pwmd</code> will read <samp>~/.pwmd/config</samp> if it
exists, and if not, will use defaults.  Blank lines and lines beginning with
&lsquo;<samp>#</samp>&rsquo; are ignored. Some parameters may have data file specific settings by
placing them in a file section. A file section is declared by surrounding the
filename with braces (i.e., &lsquo;<samp>[filename]</samp>&rsquo;).  Global options may be
specified in the <code>global</code> section &lsquo;<samp>e.g., [global]</samp>&rsquo; and are the
default options for new or unspecified file sections.
</p>
<p>A tilde <code>~</code> will be expanded to the home directory of the user starting
<code>pwmd</code> when contained in a parameter whose value is a filename.
</p>
<a name="index-Reloading-the-configuration-file"></a>
<p>The configuration file can be reloaded by sending the <em>SIGHUP</em> signal to
a <code>pwmd</code> process. Some security sensitive settings may not be changed
until <code>pwmd</code> is restarted.
</p>
<a name="index-Global-configuration-options"></a>
<p>The following options are only for use in the <code>[global]</code> section:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>socket_path = /path/to/socket</samp>&rsquo;</dt>
<dd><p>Listen on the specified socket. The default is <samp>~/.pwmd/socket</samp>.
</p>
</dd>
<dt>&lsquo;<samp>socket_perms = octal_mode</samp>&rsquo;</dt>
<dd><p>Permissions to set after creating the socket. This will override any
<cite>umask(2)</cite> setting.
</p>
</dd>
<dt>&lsquo;<samp>backlog = integer</samp>&rsquo;</dt>
<dd><p>The number of connections to queue. When this limit is reached then new
connections will be refused. The default is <code>128</code>.
</p>
</dd>
<dt>&lsquo;<samp>invoking_user = [-!]user,[-!]@group,[-!]#SHA-256,...</samp>&rsquo;</dt>
<dd><p>This parameter is not to be confused with setuid or setguid upon startup. It&rsquo;s
syntax is the same as the <code>allowed</code> parameter except that it is a list of
local usernames, group names and TLS fingerprint hashes that may use the
<code>XPATH</code>, <code>XPATHATTR</code> and <code>DUMP</code> commands (except when
disabled with the <code>disable_list_and_dump</code> option) and also who may modify
elements that have no <code>_acl</code> attribute or is not listed in an
<code>_acl</code>. It is similar to the system administrator root account but for a
data file and element paths (see <a href="#Access-Control">Access Control</a>). The default is the user
the executes <code>pwmd</code>.
</p>
</dd>
<dt>&lsquo;<samp>invoking_file = filename</samp>&rsquo;</dt>
<dd><p>A file containing one entry per line. An entry has the same syntax as the
<code>invoking_user</code> parameter. When both this parameter and the
<code>invoking_user</code> parameter are specified then the <code>invoking_user</code>
parameter will behave as if the <code>invoking_file</code> entries have been
appended to the <code>invoking_user</code> parameter value.
</p>
</dd>
<dt>&lsquo;<samp>strict_open = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, disallow creation of a new data file when the current client
is not an <code>invoking_user</code>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>strict_kill = boolean</samp>&rsquo;</dt>
<dd><p>When <code>false</code>, the <code>KILL</code> command (see <a href="#KILL">KILL</a>) will allow killing
another client that is not of the same <code>UID</code> or TLS fingerprint of
the current client and when not an <code>invoking_user</code>. The default us
<code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>allowed = [-!]user,[-!]@group,[+,][-!]#SHA-256,...</samp>&rsquo;</dt>
<dd><p>A comma separated list of local user names, group names or TLS
fingerprint SHA-256 hashes (in the case of a remote client) who are
allowed to connect.  Groups should be prefixed with a &lsquo;<samp>@</samp>&rsquo;. When not
specified only the user who started <code>pwmd</code> may connect. A username,
group name or hash may also be prefixed with a <code>-</code> or <code>!</code> to prevent
access to a specific user or group in the list. The order of the list is
important since a user may be a member of multiple groups.
</p>
<p>This parameter may also be specified in a filename section to allow or deny a
client to <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) a data file. It also affects the cache
commands <code>CLEARCACHE</code> (see <a href="#CLEARCACHE">CLEARCACHE</a>) and <code>CACHETIMEOUT</code>
(see <a href="#CACHETIMEOUT">CACHETIMEOUT</a>). When not specified in a file section, any user that
can connect may also open any filename (provided they can decrypt it).
</p>
<p>The following example would deny all users in group <code>primary</code> but
allow <code>username</code> who may be a member of <code>primary</code>. It will also
allow any TLS client except for the client with TLS fingerprint hash
<code>#ABCDEF</code>:
</p>
<div class="example">
<pre class="example">allowed=-@primary,username,+,!#ABCDEF
</pre></div>

</dd>
<dt>&lsquo;<samp>allowed_file = filename</samp>&rsquo;</dt>
<dd><p>A file containing one entry per line. An entry has the same syntax as the
<code>allowed</code> parameter. When both this parameter and the <code>allowed</code>
parameter are specified then the <code>allowed_file</code> entries will be appended
to the <code>allowed</code> parameter value.
</p>
</dd>
<dt>&lsquo;<samp>encrypt_to = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code> and <code>SAVE</code>&rsquo;ing a data file, allow <code>gpg</code> to
append it&rsquo;s configured key to the list of recipients. The default is
<code>false</code> meaning that only keys specified with <code>SAVE</code>
<samp>--keyid</samp> are recipients.
</p>
</dd>
<dt>&lsquo;<samp>always_trust = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, allow encrypting to untrusted recipients or public
encryption keys. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>gpg_homedir = path</samp>&rsquo;</dt>
<dd><p>The location where <code>gpg</code> will store its public and private keys and
configuration. The default is <samp>HOMEDIR/.gnupg</samp> where <var>HOMEDIR</var> is the
default (<samp>~/.pwmd</samp>) or the value specified on the command line with the
<samp>--homedir</samp> command line option (see <a href="#Invoking">Invoking</a>). If you want to use
your standard <code>gpg</code> keyring then set this to <samp>~/.gnupg</samp>. Note
that a new instance of <code>gpg-agent</code> will be started when <em>not</em>
using the standard keyring and that any configuration options for
<code>gpg-agent</code> will need to placed in
<samp>HOMEDIR/.gnupg/gpg-agent.conf</samp>.
</p>
</dd>
<dt>&lsquo;<samp>disable_mlockall = boolean</samp>&rsquo;</dt>
<dd><p>When set to <code>false</code>, <cite>mlockall(2)</cite> will be called on startup.  This
will use more physical memory but may also be more secure since no swapping to
disk will occur. The default is <var>true</var>. If possible, use an encrypted swap
file or partition and leave this set to <var>true</var>.
</p>
</dd>
<dt>&lsquo;<samp>log_path = /path/to/logfile</samp>&rsquo;</dt>
<dd><p>Logs informational messages to the specified file. The default is
<samp>~/.pwmd/log</samp>.
</p>
</dd>
<dt>&lsquo;<samp>enable_logging = boolean</samp>&rsquo;</dt>
<dd><p>Enable or disable logging to <var>log_path</var>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>log_keepopen = boolean</samp>&rsquo;</dt>
<dd><p>When set to <code>false</code>, the log file specified with <var>log_path</var> will be
closed after writing each line. The default is <code>true</code>.
</p>
</dd>
<dt>&lsquo;<samp>syslog = boolean</samp>&rsquo;</dt>
<dd><p>Enable logging to <cite>syslog(8)</cite> with facility <em>LOG_DAEMON</em> and priority
<em>LOG_INFO</em>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>log_level = level</samp>&rsquo;</dt>
<dd><p>When <code>0</code>, only connections and errors are logged. When <code>1</code>, data
file recipients and signers are logged during <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) and
<code>SAVE</code> (see <a href="#SAVE">SAVE</a>). When <code>2</code>, client commands are also logged.
The default is <code>0</code>.
</p>
</dd>
<dt>&lsquo;<samp>kill_scd = boolean</samp>&rsquo;</dt>
<dd><p>Kill <code>scdaemon</code> after each <code>OPEN</code> (see <a href="#OPEN">OPEN</a>),
<code>SAVE</code> (see <a href="#SAVE">SAVE</a>) or <code>PASSWD</code> (see <a href="#PASSWD">PASSWD</a>) command. The
default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>disable_list_and_dump = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and
<code>DUMP</code> protocol commands (see <a href="#Commands">Commands</a>) will be disabled.
</p>
</dd>
<dt>&lsquo;<samp>cache_push = file1,file2</samp>&rsquo;</dt>
<dd><p>A comma separated list of filenames that will be pushed into the file cache
upon startup. <code>pwmd</code> will prompt for the passphrase for each file
unless specified with <var>passphrase_file</var> parameter in a matching file
section.
</p>
</dd>
<dt>&lsquo;<samp>priority = integer</samp>&rsquo;</dt>
<dd><p>The priority, or niceness, of the server. The default is inherited from the
parent process.
</p>
</dd>
<dt>&lsquo;<samp>lock_timeout = integer</samp>&rsquo;</dt>
<dd><p>The default timeout in tenths of a second before giving up waiting for a file
lock and returning an error. The default is <code>50</code>.
</p>
</dd>
</dl>

<a name="index-Data-file-configuration-options"></a>
<p>The following options are defaults for new files when specified in the
&lsquo;<samp>global</samp>&rsquo; section. When placed in a data file section they are options
specific to that data file only.
</p>
<dl compact="compact">
<dt>&lsquo;<samp>require_save_key = boolean</samp>&rsquo;</dt>
<dd><p>Require the passphrase needed for signing before writing changes of the
document to disk reguardless of the key cache status. The default is
<code>true</code>. This option compliments <code>gpg-agent</code> option
<samp>--ignore-cache-for-signing</samp> and is used as a fail-safe.
</p>
</dd>
<dt>&lsquo;<samp>backup = boolean</samp>&rsquo;</dt>
<dd><p>Whether to create a backup of the data file when saving. The backup filename
has the <samp>.backup</samp> extension appended to the opened file. The default is
<code>true</code>. 
</p>
</dd>
<dt>&lsquo;<samp>cache_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to keep the cache entry for this file. If <code>-1</code>, the
cache entry is kept forever. If <code>0</code>, each time an encrypted file is
<code>OPEN</code>ed (see <a href="#OPEN">OPEN</a>) a passphrase will be required. The default
is <code>600</code> or 10 minutes.
</p>
</dd>
<dt>&lsquo;<samp>xfer_progress = bytes</samp>&rsquo;</dt>
<dd><p>Commands that send data lines to the client will also send the <code>XFER</code>
status message (see <a href="#Status-Messages">Status Messages</a>) after the specified number of bytes
have been sent. The number of bytes is rounded to <var>ASSUAN_LINELENGTH</var> or
<code>1002</code> bytes. The default is <code>8196</code>.
</p>
</dd>
<dt>&lsquo;<samp>passphrase_file = /path/to/filename</samp>&rsquo;</dt>
<dd><p>Obtain the passphrase to open the data file from <var>filename</var>. If specified
in the &lsquo;<samp>global</samp>&rsquo; section then the <var>passphrase_file</var> is a default for
all data files. Note that if a client changes the passphrase for this data
file then the <var>passphrase_file</var> will need to be updated with the new
passphrase.
</p>
</dd>
<dt>&lsquo;<samp>recursion_depth = integer</samp>&rsquo;</dt>
<dd><p>The maximum number of times to resolve a <code>target</code> attribute for an
element in an element path (see <a href="#Target-Attribute">Target Attribute</a>). An error is returned
when this value is exceeded.  The default is <code>100</code> but can be disabled by
setting to <code>0</code> (<em>not recommended</em>).
</p>
</dd>
<dt>&lsquo;<samp>allowed = [-]user,[-]@group,[!]#TLSFINGERPRINT,...</samp>&rsquo;</dt>
<dd><p>Same parameter value as the <code>allowed</code> parameter mentioned above in
the &lsquo;<samp>[global]</samp>&rsquo; section but grants or denies a client from opening a
specific data file. The default is to allow any client that is allowed to
connect.
</p>
</dd>
</dl>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#TLS" accesskey="1">TLS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Remote connections over TLS.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Pinentry" accesskey="2">Pinentry</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file and defaults.
</td></tr>
</table>

<hr>
<a name="TLS"></a>
<div class="header">
<p>
Next: <a href="#Pinentry" accesskey="n" rel="next">Pinentry</a>, Previous: <a href="#Configuration" accesskey="p" rel="prev">Configuration</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Configuring-remote-connections-over-TLS_002e"></a>
<h2 class="chapter">6 Configuring remote connections over TLS.</h2>
<p>Remote connections can also be made to <code>pwmd</code> over TLS.
Authentication is done by using X.509 client certificates that are signed with
the same Certificate Authority (CA) as the server certificate.
</p>
<p>The CA certificate is expected to be found in
<samp>~/.pwmd/ca-cert.pem</samp> while the <code>pwmd</code> server certificate and key
file should be put in <samp>~/.pwmd/server-cert.pem</samp> and
<samp>~/.pwmd/server-key.pem</samp>, respectively.
</p>
<p>See the documentation of <code>certtool</code> or <code>openssl</code> for details
about creating self-signed certificates.
</p>
<p>The following TLS configuration options are available:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>enable_tcp = boolean</samp>&rsquo;</dt>
<dd><p>Whether to enable TCP/TLS server support. If enabled, both TCP and the local
unix domain socket will listen for connections. The default is
<code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_port = integer</samp>&rsquo;</dt>
<dd><p>The TCP port to listen on when <var>enable_tcp</var> is <code>true</code>. The default is
<code>6466</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_bind = string</samp>&rsquo;</dt>
<dd><p>The internet protocol to listen with. Must be one of <code>ipv4</code>, <code>ipv6</code>
or <code>any</code> to listen for both IPv4 and IPv6 connections. The default is
<code>any</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_interface = string</samp>&rsquo;</dt>
<dd><p>Only useful if running as root.
</p>
</dd>
<dt>&lsquo;<samp>tls_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to wait for a read() or write() call on a
TLS client file descriptor to complete before returning an
error. The default is <var>300</var>.
</p>
</dd>
<dt>&lsquo;<samp>keepalive_interval = seconds</samp>&rsquo;</dt>
<dd><p>Send a keepalive status message to an idle remote client.  An idle
client is one that is not in a command. The purpose of this status
message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is <code>60</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_require_key = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, require the remote client to provide the passphrase to open
a data file even if the file is cached.  This option is a default for all
files when specified in the &lsquo;<samp>[global]</samp>&rsquo; section. The default is
<code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>tls_cipher_suite = string</samp>&rsquo;</dt>
<dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
information about the format of this string. The default is
<code>SECURE256:SECURE192:SECURE128:-VERS-SSL3.0:-VERS-TLS1.0</code>.
</p>
</dd>
<dt>&lsquo;<samp>tls_dh_params_file = filename</samp>&rsquo;</dt>
<dd><p>The PEM encoded filename containing DH parameters. If not specified
then DH algorithms will not be available to the client. See the
<code>openssl dhparam</code> or <code>certtool</code> manual pages for details about
generating this file.
</p>
<p>Note that SIGHUP will not reload this file once TLS support has been enabled.
You will need to restart <code>pwmd</code> for changes to take effect.
</p></dd>
</dl>

<hr>
<a name="Pinentry"></a>
<div class="header">
<p>
Next: <a href="#Commands" accesskey="n" rel="next">Commands</a>, Previous: <a href="#TLS" accesskey="p" rel="prev">TLS</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Pinentry-configuration"></a>
<h2 class="chapter">7 Pinentry configuration</h2>

<p>The <code>pinentry</code> program is used to prompt the user for passphrase
input or as a confirmation dialog; it needs to know where to prompt for
the input, beit from a terminal or an X11 display.
</p>
<p>It is the responsibility of the client to tell <code>pinentry</code> about the
terminal or X11 display before requiring the input. This is done with the
<code>OPTION</code> command (see <a href="#OPTION">OPTION</a>) to either set or unset needed
<code>pwmd</code> environment variables and by using the
<code>gpg-connect-agent</code> program. Please read it&rsquo;s documentation about the
<em>UPDATESTARTUPTTY</em> command.
</p>
<hr>
<a name="Commands"></a>
<div class="header">
<p>
Next: <a href="#Status-Messages" accesskey="n" rel="next">Status Messages</a>, Previous: <a href="#Pinentry" accesskey="p" rel="prev">Pinentry</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Protocol-commands-and-their-syntax"></a>
<h2 class="chapter">8 Protocol commands and their syntax</h2>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#ATTR" accesskey="1">ATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Modifying element attributes.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#CACHETIMEOUT" accesskey="2">CACHETIMEOUT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Setting the cache timeout.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#CLEARCACHE" accesskey="3">CLEARCACHE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Removing a cache entry.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#COPY" accesskey="4">COPY</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Copying an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DELETE" accesskey="5">DELETE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Deleting an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DELETEKEY" accesskey="6">DELETEKEY</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Deleting a key from the key ring.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DUMP" accesskey="7">DUMP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Showing the XML document.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GENKEY" accesskey="8">GENKEY</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Generating a new key.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GET" accesskey="9">GET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Getting the content of an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GETCONFIG">GETCONFIG</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Obtaining a configuration value.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GETINFO">GETINFO</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Obtaining server and client information.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#HELP">HELP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Showing available commands.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#IMPORT">IMPORT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Creating elements from XML.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ISCACHED">ISCACHED</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Testing cache status.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#KEYINFO">KEYINFO</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Showing keys used for the current data file.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#KILL">KILL</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Terminating another client.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LIST">LIST</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Showing document elements.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LISTKEYS">LISTKEYS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Listing keys in the key ring.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LOCK">LOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Locking the current data file.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LS">LS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Showing available data files.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#MOVE">MOVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Moving an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#NOP">NOP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Testing the connection.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#OPEN">OPEN</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Opening a data file.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#OPTION">OPTION</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Setting various client parameters.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#PASSWD">PASSWD</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Changing the passphrase for a key.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#REALPATH">REALPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Resolving an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#RENAME">RENAME</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Renaming an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#RESET">RESET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Resetting the client state.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#SAVE">SAVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Saving document changes to disk.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#STORE">STORE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Modifying the content of an element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#UNLOCK">UNLOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Removing a data file lock.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#XPATH">XPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Modifying more than one element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#XPATHATTR">XPATHATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Modifying more than one element&rsquo;s attributes.
</td></tr>
</table>
<hr>
<a name="ATTR"></a>
<div class="header">
<p>
Next: <a href="#CACHETIMEOUT" accesskey="n" rel="next">CACHETIMEOUT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Modifying-element-attributes_002e"></a>
<h2 class="chapter">9 Modifying element attributes.</h2>
<a name="index-ATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">ATTR [--inquire] SET|GET|DELETE|LIST [&lt;attribute&gt;] element[&lt;TAB&gt;child[..]] ..
</pre></div>

<dl compact="compact">
<dt>ATTR SET attribute element[&lt;TAB&gt;child[..]] [value]</dt>
<dd><p>Stores or updates an <var>attribute</var> name and optional <var>value</var> of an 
element. When no <var>value</var> is specified any existing value will be removed.
<br><br>
</p></dd>
<dt>ATTR DELETE attribute element[&lt;TAB&gt;child[..]]</dt>
<dd><p>Removes an attribute from an element. If <var>attribute</var> is <code>_name</code> 
or <code>target</code> an error is returned. Use the <code>DELETE</code> command 
(see <a href="#DELETE">DELETE</a>) instead.
<br><br>
</p></dd>
<dt>ATTR LIST element[&lt;TAB&gt;child[..]]</dt>
<dd><p>Retrieves a newline separated list of attributes names and values 
from the specified element. Each attribute name and value is space delimited.
<br><br>
</p></dd>
<dt>ATTR GET attribute element[&lt;TAB&gt;child[..]]</dt>
<dd><p>Retrieves the value of an <var>attribute</var> from an element.
</p></dd>
</dl>
<br><br>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
<br><br>
See <a href="#Target-Attribute">Target Attribute</a>, for details about this special attribute and also 
see <a href="#Other-Attributes">Other Attributes</a> for other attributes that are handled specially 
by <code>pwmd</code>.
</p>

<hr>
<a name="CACHETIMEOUT"></a>
<div class="header">
<p>
Next: <a href="#CLEARCACHE" accesskey="n" rel="next">CLEARCACHE</a>, Previous: <a href="#ATTR" accesskey="p" rel="prev">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Setting-the-cache-timeout_002e"></a>
<h2 class="chapter">10 Setting the cache timeout.</h2>
<a name="index-CACHETIMEOUT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">CACHETIMEOUT &lt;seconds&gt;
</pre></div>

<p>The time in <var>seconds</var> until the currently opened data file will be 
removed from the cache. <code>-1</code> will keep the cache entry forever, 
<code>0</code> will require the passphrase for each <code>OPEN</code> command 
(see <a href="#OPEN">OPEN</a>) or <code>SAVE</code> (see <a href="#SAVE">SAVE</a>) command. See <a href="#Configuration">Configuration</a>, 
and the <code>cache_timeout</code> parameter.
</p>

<hr>
<a name="CLEARCACHE"></a>
<div class="header">
<p>
Next: <a href="#COPY" accesskey="n" rel="next">COPY</a>, Previous: <a href="#CACHETIMEOUT" accesskey="p" rel="prev">CACHETIMEOUT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Removing-a-cache-entry_002e"></a>
<h2 class="chapter">11 Removing a cache entry.</h2>
<a name="index-CLEARCACHE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">CLEARCACHE [&lt;filename&gt;]
</pre></div>

<p>Clears a file cache entry for all or the specified <var>filename</var>. Note that 
this will also clear any <code>gpg-agent</code> cached keys which may cause 
problems if another data file shares the same keys as <var>filename</var>.
<br><br>
When clearing all cache entries a permissions test is done against the 
current client based on the <var>allowed</var> configuration parameter in a 
<var>filename</var> section. Both a cache entry may be cleared and an error 
returned depending on cached data files and client permissions.
</p>

<hr>
<a name="COPY"></a>
<div class="header">
<p>
Next: <a href="#DELETE" accesskey="n" rel="next">DELETE</a>, Previous: <a href="#CLEARCACHE" accesskey="p" rel="prev">CLEARCACHE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Copying-an-element_002e"></a>
<h2 class="chapter">12 Copying an element.</h2>
<a name="index-COPY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">COPY [--inquire] source[&lt;TAB&gt;child[..]] dest[&lt;TAB&gt;child[..]]
</pre></div>

<p>Copies the entire element tree starting from the child node of the source 
element, to the destination element path. If the destination element path 
does not exist then it will be created; otherwise it is overwritten.
<br><br>
Note that attributes from the source element are merged into the 
destination element when the destination element path exists. When an 
attribute of the same name exists in both the source and destination 
elements then the destination attribute will be updated to the source 
attribute value.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="DELETE"></a>
<div class="header">
<p>
Next: <a href="#DELETEKEY" accesskey="n" rel="next">DELETEKEY</a>, Previous: <a href="#COPY" accesskey="p" rel="prev">COPY</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Deleting-an-element_002e"></a>
<h2 class="chapter">13 Deleting an element.</h2>
<a name="index-DELETE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DELETE [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Removes the specified element path and all of its children. This may break 
an element with a <code>target</code> attribute (see <a href="#Target-Attribute">Target Attribute</a>) that 
refers to this element or any of its children.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="DELETEKEY"></a>
<div class="header">
<p>
Next: <a href="#DUMP" accesskey="n" rel="next">DUMP</a>, Previous: <a href="#DELETE" accesskey="p" rel="prev">DELETE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Deleting-a-key-from-the-key-ring_002e"></a>
<h2 class="chapter">14 Deleting a key from the key ring.</h2>
<a name="index-DELETEKEY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DELETEKEY &lt;keyid&gt;
</pre></div>

<p>Deletes the secret key associated with key <var>keyid</var> from the keyring. 
Note that when the key is deleted, the current or other data files using 
this key will no longer be able to be opened.
</p>

<hr>
<a name="DUMP"></a>
<div class="header">
<p>
Next: <a href="#GENKEY" accesskey="n" rel="next">GENKEY</a>, Previous: <a href="#DELETEKEY" accesskey="p" rel="prev">DELETEKEY</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Showing-the-XML-document_002e"></a>
<h2 class="chapter">15 Showing the XML document.</h2>
<a name="index-DUMP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DUMP
</pre></div>

<p>Shows the in memory <abbr>XML</abbr> document with indenting. See <a href="#XPATH">XPATH</a>, for 
dumping a specific node.
</p>

<hr>
<a name="GENKEY"></a>
<div class="header">
<p>
Next: <a href="#GET" accesskey="n" rel="next">GET</a>, Previous: <a href="#DUMP" accesskey="p" rel="prev">DUMP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Generating-a-new-key_002e"></a>
<h2 class="chapter">16 Generating a new key.</h2>
<a name="index-GENKEY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GENKEY --subkey-of=fpr | --userid=&quot;str&quot; [--no-expire | --expire=N] [--algo=&quot;str&quot;] [--no-passphrase] [--usage=&quot;default|sign|encrypt&quot;]
</pre></div>

<p>Generates a new key based on option arguments. One of 
<samp>--subkey-of</samp> or <samp>--userid</samp> is 
required. The <samp>--subkey-of</samp> option will generate a subkey for the key 
of the specified fingerprint.
</p>

<hr>
<a name="GET"></a>
<div class="header">
<p>
Next: <a href="#GETCONFIG" accesskey="n" rel="next">GETCONFIG</a>, Previous: <a href="#GENKEY" accesskey="p" rel="prev">GENKEY</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Getting-the-content-of-an-element_002e"></a>
<h2 class="chapter">17 Getting the content of an element.</h2>
<a name="index-GET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GET [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Retrieves the content of the specified element. The content is returned 
with a data response.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="GETCONFIG"></a>
<div class="header">
<p>
Next: <a href="#GETINFO" accesskey="n" rel="next">GETINFO</a>, Previous: <a href="#GET" accesskey="p" rel="prev">GET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Obtaining-a-configuration-value_002e"></a>
<h2 class="chapter">18 Obtaining a configuration value.</h2>
<a name="index-GETCONFIG-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GETCONFIG [filename] &lt;parameter&gt;
</pre></div>

<p>Returns the value of a <code>pwmd</code> configuration <var>parameter</var> with a 
data response. If no file has been opened then the value for <var>filename</var> 
or the default from the <var>global</var> section will be returned. If a file 
has been opened and no <var>filename</var> is specified, the value previously 
set with the <code>OPTION</code> command (see <a href="#OPTION">OPTION</a>) will be returned.
</p>

<hr>
<a name="GETINFO"></a>
<div class="header">
<p>
Next: <a href="#HELP" accesskey="n" rel="next">HELP</a>, Previous: <a href="#GETCONFIG" accesskey="p" rel="prev">GETCONFIG</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Obtaining-server-and-client-information_002e"></a>
<h2 class="chapter">19 Obtaining server and client information.</h2>
<a name="index-GETINFO-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GETINFO [--data] [--verbose] CACHE | CLIENTS | PID | USER | LAST_ERROR | VERSION
</pre></div>

<p>Get server and other information. The information is returned via a status 
message (see <a href="#Status-Messages">Status Messages</a>) unless otherwise noted or <samp>--data</samp> 
is specified.
<br><br>
<var>CACHE</var> returns the number of cached documents.
<br><br>
<var>CLIENTS</var> returns the number of 
connected clients via a status message or a list of connected clients when 
the <samp>--verbose</samp> parameter is used (implies <samp>--data</samp>). A 
verbose line of a client list contains 
space delimited 
fields: the thread ID, client name, opened file (<code>/</code> if none opened), 
IP address if remote, file lock status, whether the current client is self 
or not, client state (see below), 
user ID or TLS fingerprint of the connected client, username if the 
client is a local one else <code>-</code>, and finally the time stamp of when the 
client connected.
<br><br>
Client state <code>0</code> is an unknown client state, state <code>1</code> indicates 
the client has connected but hasn&rsquo;t completed initializing, state <code>2</code> 
indicates that the client is idle, state <code>3</code> means the 
client is in a command and state <code>4</code> means the client is disconnecting. 
<br><br>
<var>PID</var> returns the process ID number of the server via a data response.
<br><br>
<var>VERSION</var> returns the server version number and compile-time features 
via a data response with each being space delimited.
<br><br>
<var>LAST_ERROR</var> returns a detailed description of the last failed command 
via a data response, when available.
<br><br>
<var>USER</var> returns the username or <abbr>TLS</abbr> hash of the connected client 
via a data response.
</p>

<hr>
<a name="HELP"></a>
<div class="header">
<p>
Next: <a href="#IMPORT" accesskey="n" rel="next">IMPORT</a>, Previous: <a href="#GETINFO" accesskey="p" rel="prev">GETINFO</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Showing-available-commands_002e"></a>
<h2 class="chapter">20 Showing available commands.</h2>
<a name="index-HELP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">HELP [--html] [&lt;COMMAND&gt;]
</pre></div>

<p>Show available commands or command specific help text.
<br><br>
The <samp>--html</samp> option will output the help text in HTML format.
</p>

<hr>
<a name="IMPORT"></a>
<div class="header">
<p>
Next: <a href="#ISCACHED" accesskey="n" rel="next">ISCACHED</a>, Previous: <a href="#HELP" accesskey="p" rel="prev">HELP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Creating-elements-from-XML_002e"></a>
<h2 class="chapter">21 Creating elements from XML.</h2>
<a name="index-IMPORT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">IMPORT [--root=element[&lt;TAB&gt;child[..]]]
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
<br><br>
Like the <code>STORE</code> command (see <a href="#STORE">STORE</a>), but the <var>content</var> 
argument is raw <abbr>XML</abbr> data. The content is created as a child of 
the element path specified with the <samp>--root</samp> option or at the 
document root when not specified. Existing elements of the same name will 
be overwritten.
<br><br>
The content must begin with an <abbr>XML</abbr> element node. See <a href="#Introduction">Introduction</a>, 
for details.
</p>

<hr>
<a name="ISCACHED"></a>
<div class="header">
<p>
Next: <a href="#KEYINFO" accesskey="n" rel="next">KEYINFO</a>, Previous: <a href="#IMPORT" accesskey="p" rel="prev">IMPORT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Testing-cache-status_002e"></a>
<h2 class="chapter">22 Testing cache status.</h2>
<a name="index-ISCACHED-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">ISCACHED [--lock] [--agent [--sign]] &lt;filename&gt;
</pre></div>

<p>Determines the file cache status of the specified <var>filename</var>. 
The default is to test whether the filename is cached in memory. Passing 
option <samp>--agent</samp> will test the <code>gpg-agent</code> cache for at most 
one cached key used for opening the data file (see <a href="#OPEN">OPEN</a>). To test if 
a signing key is cached, pass <samp>--sign</samp> along with <samp>--agent</samp>. 
Both the <samp>--agent</samp> and <samp>--sign</samp> options require an opened data 
file.
<br><br>
An <em>OK</em> response is returned if the specified <var>filename</var> is found 
in the cache. If not found in the cache but exists on the filesystem 
then <code>GPG_ERR_NO_DATA</code> is returned. Otherwise a filesystem error is 
returned.
<br><br>
The <samp>--lock</samp> option will lock the file mutex of <var>filename</var> when 
the file exists; it does not need to be opened nor cached. The lock will be 
released when the client exits or sends the <code>UNLOCK</code> command 
(see <a href="#UNLOCK">UNLOCK</a>). When this option is passed the current data file is closed.
</p>

<hr>
<a name="KEYINFO"></a>
<div class="header">
<p>
Next: <a href="#KILL" accesskey="n" rel="next">KILL</a>, Previous: <a href="#ISCACHED" accesskey="p" rel="prev">ISCACHED</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Showing-keys-used-for-the-current-data-file_002e"></a>
<h2 class="chapter">23 Showing keys used for the current data file.</h2>
<a name="index-KEYINFO-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">KEYINFO [--learn]
</pre></div>

<p>Returns a new line separated list of key ID&rsquo;s that the currently opened 
data file has recipients and signers for. If the key is a signing key it 
will be prefixed with an <code>S</code>. If the file is a new one, or has no 
signers in the case of being symmetrically encrypted, the error code 
<code>GPG_ERR_NO_DATA</code> is returned.
<br><br>
When the <samp>--learn</samp> option is passed, keys on a smartcard will be 
imported.
</p>

<hr>
<a name="KILL"></a>
<div class="header">
<p>
Next: <a href="#LIST" accesskey="n" rel="next">LIST</a>, Previous: <a href="#KEYINFO" accesskey="p" rel="prev">KEYINFO</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Terminating-another-client_002e"></a>
<h2 class="chapter">24 Terminating another client.</h2>
<a name="index-KILL-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">KILL &lt;thread_id&gt;
</pre></div>

<p>Terminates the client identified by <var>thread_id</var> and releases any file 
lock or other resources it has held. See <code>GETINFO</code> (see <a href="#GETINFO">GETINFO</a>) 
for details about listing connected clients. An <code>invoking_user</code> 
(see <a href="#Configuration">Configuration</a>) may kill any client while others may only kill 
clients of the same <code>UID</code> or <abbr>TLS</abbr> fingerprint.
</p>

<hr>
<a name="LIST"></a>
<div class="header">
<p>
Next: <a href="#LISTKEYS" accesskey="n" rel="next">LISTKEYS</a>, Previous: <a href="#KILL" accesskey="p" rel="prev">KILL</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Showing-document-elements_002e"></a>
<h2 class="chapter">25 Showing document elements.</h2>
<a name="index-LIST-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LIST [--inquire] [--recurse] [element[&lt;TAB&gt;child[..]]]
</pre></div>

<p>If no element path is given then a newline separated list of root elements 
is returned with a data response. If given, then children of the specified 
element path are returned.
<br><br>
Each element path 
returned will have zero or more flags appened to it. These flags are 
delimited from the element path by a single space character. A flag itself 
is a single character. Flag <code>P</code> indicates that access to the element 
is denied. Flag <code>+</code> indicates that there are child nodes of 
the current element path. Flag <code>E</code> indicates that an element of the 
element path contained in a <var>target</var> attribute could not be found. Flag 
<code>O</code> indicates that a <var>target</var> attribute recursion limit was reached 
(see <a href="#Configuration">Configuration</a>). Flag <code>T</code>, followed by a single space character, 
then an element path, is the element path of the <var>target</var> attribute 
contained in the current element.
<br><br>
When a specified element path contains an error, beit from the final 
element in the path or any previous element, the path is still shown but 
will contain the error flag for the element with the error. Determining 
the actual element which contains the error is up to the client. This can be 
done by traversing the final element up to parent elements that contain the 
same error flag.
<br><br>
The option <samp>--recurse</samp> may be used to list the entire element tree 
for a specified element path or the entire tree for all root elements.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="LISTKEYS"></a>
<div class="header">
<p>
Next: <a href="#LOCK" accesskey="n" rel="next">LOCK</a>, Previous: <a href="#LIST" accesskey="p" rel="prev">LIST</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Listing-keys-in-the-key-ring_002e"></a>
<h2 class="chapter">26 Listing keys in the key ring.</h2>
<a name="index-LISTKEYS-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LISTKEYS [--secret-only] [pattern[,&lt;pattern&gt;]]
</pre></div>

<p>Returns a new line separated list of key information matching a comma 
separated list of <var>pattern</var>&rsquo;s. When option <samp>--secret-only</samp> is 
specified, only keys matching <var>pattern</var> that also have a secret key 
available will be returned.
</p>

<hr>
<a name="LOCK"></a>
<div class="header">
<p>
Next: <a href="#LS" accesskey="n" rel="next">LS</a>, Previous: <a href="#LISTKEYS" accesskey="p" rel="prev">LISTKEYS</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Locking-the-current-data-file_002e"></a>
<h2 class="chapter">27 Locking the current data file.</h2>
<a name="index-LOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LOCK
</pre></div>

<p>Locks the mutex associated with the opened file. This prevents other clients 
from sending commands to the same opened file until the client 
that sent this command either disconnects or sends the <code>UNLOCK</code> 
command. See <a href="#UNLOCK">UNLOCK</a>.
</p>

<hr>
<a name="LS"></a>
<div class="header">
<p>
Next: <a href="#MOVE" accesskey="n" rel="next">MOVE</a>, Previous: <a href="#LOCK" accesskey="p" rel="prev">LOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Showing-available-data-files_002e"></a>
<h2 class="chapter">28 Showing available data files.</h2>
<a name="index-LS-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LS
</pre></div>

<p>Returns a newline separated list of data files stored in the data directory 
<samp>HOMEDIR/data</samp> (see <a href="#Invoking">Invoking</a>) with a data response.
</p>

<hr>
<a name="MOVE"></a>
<div class="header">
<p>
Next: <a href="#NOP" accesskey="n" rel="next">NOP</a>, Previous: <a href="#LS" accesskey="p" rel="prev">LS</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Moving-an-element_002e"></a>
<h2 class="chapter">29 Moving an element.</h2>
<a name="index-MOVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">MOVE [--inquire] source[&lt;TAB&gt;child[..]] [dest[&lt;TAB&gt;child[..]]]
</pre></div>

<p>Moves the source element path to the destination element path. If the 
destination is not specified then it will be moved to the root node of the 
document. If the destination is specified and exists then it will be 
overwritten; otherwise non-existing elements of the destination element 
path will be created.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="NOP"></a>
<div class="header">
<p>
Next: <a href="#OPEN" accesskey="n" rel="next">OPEN</a>, Previous: <a href="#MOVE" accesskey="p" rel="prev">MOVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Testing-the-connection_002e"></a>
<h2 class="chapter">30 Testing the connection.</h2>
<a name="index-NOP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">NOP
</pre></div>

<p>This command does nothing. It is useful for testing the connection for a 
timeout condition.
</p>

<hr>
<a name="OPEN"></a>
<div class="header">
<p>
Next: <a href="#OPTION" accesskey="n" rel="next">OPTION</a>, Previous: <a href="#NOP" accesskey="p" rel="prev">NOP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Opening-a-data-file_002e"></a>
<h2 class="chapter">31 Opening a data file.</h2>
<a name="index-OPEN-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">OPEN [--lock] &lt;filename&gt;
</pre></div>

<p>Opens <var>filename</var>. When the <var>filename</var> is not found on the 
file-system then a new in-memory document will be created. If the file is 
found, it is looked for in the file cache and when found no passphrase will 
be required to open it. When not cached, <cite>pinentry(1)</cite> will be used to 
retrieve the passphrase for decryption unless <samp>disable-pinentry</samp> 
(see <a href="#OPTION">OPTION</a>) was specified in which case <code>pwmd</code> will 
<em>INQUIRE</em> the client for the passphrase. Note than when configuration 
option <samp>strict_open</samp> is enabled and the client is not an 
<samp>invoking_user</samp>, an error will be returned when the data file does 
not exist.
<br><br>
When the <samp>--lock</samp> option is passed then the file mutex will be 
locked as if the <code>LOCK</code> command (see <a href="#LOCK">LOCK</a>) had been sent after the 
file had been opened.
</p>

<hr>
<a name="OPTION"></a>
<div class="header">
<p>
Next: <a href="#PASSWD" accesskey="n" rel="next">PASSWD</a>, Previous: <a href="#OPEN" accesskey="p" rel="prev">OPEN</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Setting-various-client-parameters_002e"></a>
<h2 class="chapter">32 Setting various client parameters.</h2>
<a name="index-OPTION-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">OPTION &lt;NAME&gt;=[&lt;VALUE&gt;]
</pre></div>

<p>Sets a client option <var>name</var> to <var>value</var>. The value for an option is 
kept for the duration of the connection with the exception of the 
<code>pinentry</code> options which are defaults for all future connections 
(see <a href="#Pinentry">Pinentry</a>). When <var>value</var> is empty the option is unset.
<br><br>
</p><dl compact="compact">
<dt>DISABLE-PINENTRY</dt>
<dd><p>Disable use of <code>pinentry</code> for passphrase retrieval. When <code>1</code>, a 
server inquire is sent to the client to obtain the passphrase. This option 
may be set as needed before the <code>OPEN</code> (see <a href="#OPEN">OPEN</a>), <code>PASSWD</code> 
(see <a href="#PASSWD">PASSWD</a>) and <code>SAVE</code> (see <a href="#SAVE">SAVE</a>) commands. Set to <code>0</code> 
to use a <code>pinentry</code>.
<br><br>
</p></dd>
<dt>DISPLAY</dt>
<dd><p>Set or unset the X11 display to use when prompting for a passphrase.
<br><br>
</p></dd>
<dt>TTYNAME</dt>
<dd><p>Set the terminal device path to use when prompting for a passphrase.
<br><br>
</p></dd>
<dt>TTYTYPE</dt>
<dd><p>Set the terminal type for use with <samp>TTYNAME</samp>.
<br><br>
</p></dd>
<dt>NAME</dt>
<dd><p>Associates the thread ID of the connection with the specified textual 
representation. Useful for debugging log messages. May not contain whitespace.
<br><br>
</p></dd>
<dt>LOCK-TIMEOUT</dt>
<dd><p>When not <code>0</code>, the duration in tenths of a second to wait for the file 
mutex which has been locked by another thread to be released before returning 
an error. When <code>-1</code> the error will be returned immediately.
<br><br>
</p></dd>
<dt>CLIENT-STATE</dt>
<dd><p>When set to <code>1</code> then client state status messages for other clients are 
sent to the current client. The default is <code>0</code>.
</p></dd>
</dl>


<hr>
<a name="PASSWD"></a>
<div class="header">
<p>
Next: <a href="#REALPATH" accesskey="n" rel="next">REALPATH</a>, Previous: <a href="#OPTION" accesskey="p" rel="prev">OPTION</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Changing-the-passphrase-for-a-key_002e"></a>
<h2 class="chapter">33 Changing the passphrase for a key.</h2>
<a name="index-PASSWD-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">PASSWD
</pre></div>

<p>Changes the passphrase of the secret key required to open the current 
data file. If the data file is symmetrically encrypted, the error 
<code>GPG_ERR_NOT_SUPPORTED</code> is returned. When symmetrically encrypted, 
the <code>SAVE</code> command (see <a href="#SAVE">SAVE</a>) should be used instead to prevent 
this command saving any unwanted changes to the <abbr>XML</abbr> document.
<br><br>
This command is not available to non-invoking clients 
(see <a href="#Access-Control">Access Control</a>).
</p>

<hr>
<a name="REALPATH"></a>
<div class="header">
<p>
Next: <a href="#RENAME" accesskey="n" rel="next">RENAME</a>, Previous: <a href="#PASSWD" accesskey="p" rel="prev">PASSWD</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Resolving-an-element_002e"></a>
<h2 class="chapter">34 Resolving an element.</h2>
<a name="index-REALPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">REALPATH [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Resolves all <code>target</code> attributes of the specified element path and 
returns the result with a data response. See <a href="#Target-Attribute">Target Attribute</a>, for details.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="RENAME"></a>
<div class="header">
<p>
Next: <a href="#RESET" accesskey="n" rel="next">RESET</a>, Previous: <a href="#REALPATH" accesskey="p" rel="prev">REALPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Renaming-an-element_002e"></a>
<h2 class="chapter">35 Renaming an element.</h2>
<a name="index-RENAME-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">RENAME [--inquire] element[&lt;TAB&gt;child[..]] &lt;value&gt;
</pre></div>

<p>Renames the specified <var>element</var> to the new <var>value</var>. If an element of 
the same name as the <var>value</var> already exists it will be overwritten.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="RESET"></a>
<div class="header">
<p>
Next: <a href="#SAVE" accesskey="n" rel="next">SAVE</a>, Previous: <a href="#RENAME" accesskey="p" rel="prev">RENAME</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Resetting-the-client-state_002e"></a>
<h2 class="chapter">36 Resetting the client state.</h2>
<a name="index-RESET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">RESET
</pre></div>

<p>Closes the currently opened file but keeps any previously set client options 
(see <a href="#OPTION">OPTION</a>).
</p>

<hr>
<a name="SAVE"></a>
<div class="header">
<p>
Next: <a href="#STORE" accesskey="n" rel="next">STORE</a>, Previous: <a href="#RESET" accesskey="p" rel="prev">RESET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Saving-document-changes-to-disk_002e"></a>
<h2 class="chapter">37 Saving document changes to disk.</h2>
<a name="index-SAVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">SAVE [--sign-keyid=[&lt;fpr&gt;]] [--symmetric | --keyid=&lt;fpr&gt;[,..] | --inquire-keyid]
</pre></div>

<p>Writes the in-memory <abbr>XML</abbr> document to disk. The file written to is the 
file that was opened when using the <code>OPEN</code> command (see <a href="#OPEN">OPEN</a>).
<br><br>
If the file is a new one, one of <samp>--symmetric</samp>, <samp>--keyid</samp> or
<samp>--inquire-keyid</samp> is required. When not <samp>--symmetric</samp>, option 
<samp>--sign-keyid</samp> is also required, but optional otherwise.
<br><br>
You can encrypt the data file to a recipient other than the one that it 
was originally encrypted with by passing the <samp>--keyid</samp> or 
<samp>--inquire-keyid</samp> option with a comma separated list of 
public encryption key fingerprints as its argument. Use the 
<code>LISTKEYS</code> command (see <a href="#LISTKEYS">LISTKEYS</a>) to show key information by 
pattern. The <samp>--sign-keyid</samp> option may also be used to sign the data 
file with an alternate key by specifying the fingerprint of a signing key. 
Only one signing key is supported unlike the <samp>--keyid</samp> option. 
A passphrase to decrypt the data file 
will be required when one or more of the original encryption keys or signing 
key are not found in either of these two options&rsquo; arguments or when the data 
file is symmetrically encrypted reguardless of the <code>require_save_key</code> 
configuration parameter. The original encryption keys and signing key will be 
used when neither of these options are specified.
<br><br>
The <samp>--keyid</samp> and <samp>--sign-keyid</samp> options are not available 
to non-invoking clients 
(see <a href="#Access-Control">Access Control</a>) when the recipients or signer do not match those 
that were used when the file was <code>OPEN</code>&rsquo;ed.
<br><br>
The <samp>--symmetric</samp> option specifies that a new data file be 
conventionally encrypted. These types of data files do not use a recipient 
public key but may optionally be signed by using the <samp>--sign-keyid</samp> 
option. To remove the signing key from a symmtrically encrypted data file, 
leave the option value empty.
<br><br>
Note that you cannot change encryption schemes once a data file has been 
saved.
</p>

<hr>
<a name="STORE"></a>
<div class="header">
<p>
Next: <a href="#UNLOCK" accesskey="n" rel="next">UNLOCK</a>, Previous: <a href="#SAVE" accesskey="p" rel="prev">SAVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Modifying-the-content-of-an-element_002e"></a>
<h2 class="chapter">38 Modifying the content of an element.</h2>
<a name="index-STORE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">STORE element[&lt;TAB&gt;child[..]]&lt;TAB&gt;[content]
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
<br><br>
Creates a new element path or modifies the <var>content</var> of an existing 
element. If only a single element is specified then a new root element is 
created. Otherwise, elements are <tt class="key">TAB</tt> delimited and the content will be 
set to the final <tt class="key">TAB</tt> delimited element. If no <var>content</var> is 
specified after the final <tt class="key">TAB</tt>, then the content of the existing 
element will be removed; or will be empty if creating a new element.
<br><br>
The only restriction of an element name is that it not contain whitespace 
characters. There is no other whitespace between the <tt class="key">TAB</tt> delimited 
elements. It is recommended that the content of an element be base64 encoded 
when it contains control or <tt class="key">TAB</tt> characters to prevent <abbr>XML</abbr> 
parsing and <code>pwmd</code> syntax errors.
</p>

<hr>
<a name="UNLOCK"></a>
<div class="header">
<p>
Next: <a href="#XPATH" accesskey="n" rel="next">XPATH</a>, Previous: <a href="#STORE" accesskey="p" rel="prev">STORE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Removing-a-data-file-lock_002e"></a>
<h2 class="chapter">39 Removing a data file lock.</h2>
<a name="index-UNLOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">UNLOCK
</pre></div>

<p>Unlocks the file mutex which was locked with the <code>LOCK</code> command or 
a commands&rsquo; <samp>--lock</samp> option (see <a href="#LOCK">LOCK</a>, see <a href="#OPEN">OPEN</a>, 
see <a href="#ISCACHED">ISCACHED</a>).
</p>

<hr>
<a name="XPATH"></a>
<div class="header">
<p>
Next: <a href="#XPATHATTR" accesskey="n" rel="next">XPATHATTR</a>, Previous: <a href="#UNLOCK" accesskey="p" rel="prev">UNLOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Modifying-more-than-one-element_002e"></a>
<h2 class="chapter">40 Modifying more than one element.</h2>
<a name="index-XPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATH [--inquire] &lt;expression&gt;[&lt;TAB&gt;[value]]
</pre></div>

<p>Evaluates an XPath <var>expression</var>. If no <var>value</var> argument is 
specified it is assumed the expression is a request to return a result. 
Otherwise, the result is set to the <var>value</var> argument and the document is 
updated. If there is no <var>value</var> after the <tt class="key">TAB</tt> character, the value 
is assumed to be empty and the document is updated. For example:
</p><br>
<div class="example">
<pre class="example">XPATH //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would clear the content of all <var>password</var> elements in the data file 
while leaving off the trailing <tt class="key">TAB</tt> would return all <var>password</var> 
elements in <abbr>XML</abbr> format.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
<br><br>
See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>

<hr>
<a name="XPATHATTR"></a>
<div class="header">
<p>
Previous: <a href="#XPATH" accesskey="p" rel="prev">XPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Modifying-more-than-one-element_0027s-attributes_002e"></a>
<h2 class="chapter">41 Modifying more than one element&rsquo;s attributes.</h2>
<a name="index-XPATHATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATHATTR [--inquire] SET|DELETE &lt;name&gt; &lt;expression&gt;[&lt;TAB&gt;[&lt;value&gt;]]
</pre></div>

<p>Like the <code>XPATH</code> command (see <a href="#XPATH">XPATH</a>) but operates on element 
attributes and does not return a result. For the <var>SET</var> operation the 
<var>value</var> is optional but the field is required. If not specified then 
the attribute value will be empty. For example:
</p><br>
<div class="example">
<pre class="example">XPATHATTR SET password //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would create a <var>password</var> attribute for each <var>password</var> element 
found in the document. The attribute value will be empty but still exist.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
<br><br>
See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>


<hr>
<a name="Status-Messages"></a>
<div class="header">
<p>
Next: <a href="#Target-Attribute" accesskey="n" rel="next">Target Attribute</a>, Previous: <a href="#Commands" accesskey="p" rel="prev">Commands</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Status-messages-and-their-meanings"></a>
<h2 class="chapter">42 Status messages and their meanings</h2>
<p>Some commands send status messages to inform the client about certain
operations or as a progress indicator.  Status messages begin with a
<code>KEYWORD</code> followed by a status description for status messages that
require it. What status messages are sent, when, and how often may depend on
configuration settings (see <a href="#Configuration">Configuration</a>).
</p>
<table>
<thead><tr><th width="20%">Message</th><th width="25%">Parameters</th><th width="55%">Description</th></tr></thead>
<tr><td width="20%">CACHE
<a name="index-CACHE"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of cached documents. Sent to each client after connecting
(see <a href="#GETINFO">GETINFO</a>) and after every cache modification.</td></tr>
<tr><td width="20%">CLIENTS
<a name="index-CLIENTS"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of connected clients (see <a href="#GETINFO">GETINFO</a>). Sent to each client
when another client either connects or disconnects.</td></tr>
<tr><td width="20%">DECRYPT
<a name="index-DECRYPT"></a></td><td width="25%"></td><td width="55%">Sent to the current client during a decrypt operation. How often this
status message is sent is determined by the <code>keepalive_interval</code>
(see <a href="#Configuration">Configuration</a>) setting.</td></tr>
<tr><td width="20%">ENCRYPT
<a name="index-ENCRYPT"></a></td><td width="25%"></td><td width="55%">Sent to the current client during an encrypt operation. How often this
status message is sent is determined by the <code>keepalive_interval</code>
(see <a href="#Configuration">Configuration</a>) setting.</td></tr>
<tr><td width="20%">GENKEY
<a name="index-GENKEY"></a></td><td width="25%"><code>[&lt;sigkey_fpr&gt; &lt;pubkey_fpr&gt;]</code></td><td width="55%">Sent to the current client during key generation. How often this
status message is sent is determined by the <code>keepalive_interval</code>
(see <a href="#Configuration">Configuration</a>) setting. The <var>sigkey_fpr</var> and <var>pubkey_fpr</var>
parameters are added when key generation has completed.</td></tr>
<tr><td width="20%">INQUIRE_MAXLEN
<a name="index-INQUIRE_005fMAXLEN"></a></td><td width="25%"><code>&lt;bytes&gt;</code></td><td width="55%">Sent to the client from <code>gpg-agent</code> when inquiring data. This
specifies the maximum number of bytes allowed for the client to send and
should not be exceeded.</td></tr>
<tr><td width="20%">KEEPALIVE
<a name="index-KEEPALIVE"></a></td><td width="25%"></td><td width="55%">Sent to each idle client every <var>keepalive_interval</var>
(see <a href="#Configuration">Configuration</a>) seconds.</td></tr>
<tr><td width="20%">LOCKED
<a name="index-LOCKED"></a></td><td width="25%"></td><td width="55%">Sent to the current client when another client is holding the lock for
the mutex associated with a file. How often this status message is sent is
determined by the <code>keepalive_interval</code> (see <a href="#Configuration">Configuration</a>) setting.</td></tr>
<tr><td width="20%">NEWFILE
<a name="index-NEWFILE"></a></td><td width="25%"></td><td width="55%">Sent to the current client when the opened (see <a href="#OPEN">OPEN</a>) file does not
exist on the file-system.</td></tr>
<tr><td width="20%">XFER
<a name="index-XFER"></a></td><td width="25%"><code>&lt;sent&gt; &lt;total&gt;</code></td><td width="55%">Sent to the current client when transferring data. It has two space
delimited arguments. The first being the current amount of bytes transferred
and the other being the total bytes to be transferred.</td></tr>
<tr><td width="20%">STATE
<a name="index-STATE"></a></td><td width="25%"><code>&lt;client_id&gt; &lt;state&gt;</code></td><td width="55%">Sent to each client to indicate that <var>client_id</var> has changed to
<var>state</var> (see <a href="#GETINFO">GETINFO</a> for client states). For a client to receive
another clients state the option <var>CLIENT-STATE</var> must be set.
See <a href="#OPTION">OPTION</a> command.</td></tr>
<tr><td width="20%">EXPIRE
<a name="index-EXPIRE"></a></td><td width="25%"><code>&lt;epoch_seconds&gt; &lt;epoch_future&gt;|0</code></td><td width="55%">Sent to the current client when <code>GET</code> (see <a href="#GET">GET</a>) encounters an
<code>expire</code> (see <a href="#Other-Attributes">Other Attributes</a>) attribute that is in the past or when
<code>STORE</code> (see <a href="#STORE">STORE</a>) updates the <code>expire</code> attribute from the
<code>expire_increment</code> attribute value. The second field will be <code>0</code>
when <code>GET</code> sends this status message.  Otherwise the second field is the
time the next expiry will be.</td></tr>
<tr><td width="20%">PASSPHRASE_HINT
<a name="index-PASSPHRASE_005fHINT"></a></td><td width="25%">&lt;keyid&gt; &lt;userid&gt;</td><td width="55%">Forwarded from <code>GpgME</code>. Contains information that is useful in a
<code>pinentry</code>. Only sent when pinentry is disabled (see <a href="#OPTION">OPTION</a>).</td></tr>
<tr><td width="20%">PASSPHRASE_INFO
<a name="index-PASSPHRASE_005fINFO"></a></td><td width="25%">&lt;flags&gt; ...</td><td width="55%">Forwarded from <code>GpgME</code>. Contains information that is useful in a
<code>pinentry</code>. Only sent when pinentry is disabled (see <a href="#OPTION">OPTION</a>).</td></tr>
<tr><td width="20%">REHANDSHAKE
<a name="index-REHANDSHAKE"></a></td><td width="25%"></td><td width="55%">Sent to each TLS client just before performing a cipher renegotiation
after a SIGHUP signal was received.</td></tr>
</table>

<hr>
<a name="Target-Attribute"></a>
<div class="header">
<p>
Next: <a href="#Other-Attributes" accesskey="n" rel="next">Other Attributes</a>, Previous: <a href="#Status-Messages" accesskey="p" rel="prev">Status Messages</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="The-target-attribute"></a>
<h2 class="chapter">43 The <code>target</code> attribute</h2>
<a name="index-target-attribute"></a>
<p>A <em>case sensitive</em> attribute named <code>target</code> is treated specially
when found in each element of an element path. This attribute, like other
element attributes, is created or modified with the <code>ATTR</code> command
(see <a href="#ATTR">ATTR</a>). The value of this attribute is an existing element path
somewhere in the document.  If you are familiar with XML entities or
maybe the HTML <code>id</code> or <code>target</code> attributes or a symbolic link
in a file-system, you may find this attribute behaves similar to any of those.
</p>
<p>To create a <code>target</code> attribute use the following syntax:
</p>
<div class="example">
<pre class="example">ATTR SET target element[<code>TAB</code>child[..]] element[<code>TAB</code>child[..]]
</pre></div>

<p>Note the single space between the two element paths. The first element path is
where the <code>target</code> attribute will be created. If the element path does
not exist then it will be created.  This is the only time the <code>ATTR</code>
(see <a href="#ATTR">ATTR</a>) command will create elements. The attribute is created in the
final element of the element path.
</p>
<p>The second element path is the destination of where you want the first element
path to resolve to. When an element path is passed as an argument to a
protocol command <code>pwmd</code> looks for a <code>target</code> attribute when
resolving each element and, if found, &quot;jumps&quot; to the attribute value and
continues resolving any remaining elements a commands element path.
</p>
<p>When an element of a element path is removed that a <code>target</code> attribute
resolves to then an error will occur when trying to access that element. You
may need to either update the <code>target</code> attribute value with a new element
path or remove the attribute entirely.
</p>
<p>Clients should be careful of creating <code>target</code> loops, or targets that
resolve to themselves. See the <var>recursion_depth</var> (see <a href="#Configuration">Configuration</a>)
configuration parameter for details.
</p>
<p>The <code>REALPATH</code> command (see <a href="#REALPATH">REALPATH</a>) can be used to show the element
path after resolving all <code>target</code> attributes.
</p>
<p><em>Note that when setting this attribute any children of the element will
be removed.</em>
</p>

<hr>
<a name="Other-Attributes"></a>
<div class="header">
<p>
Next: <a href="#Key-Expiration" accesskey="n" rel="next">Key Expiration</a>, Previous: <a href="#Target-Attribute" accesskey="p" rel="prev">Target Attribute</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Other-special-attributes"></a>
<h2 class="chapter">44 Other special attributes</h2>
<a name="index-special-attributes"></a>
<p>In addition to the <code>target</code> attribute (see <a href="#Target-Attribute">Target Attribute</a>), there
are a few other attributes that are specially handled by <code>pwmd</code>. The
first is the <code>_ctime</code> attribute which is set to the current time when an
element is created. Next is the <code>_mtime</code> attribute which is created when
an element is created and also updated when an element is modified. Both of
these attributes may be removed but the <code>_mtime</code> attribute is
automatically added again since removing an attribute is considered modifying
an element. The <code>_acl</code> attribute controls access to the element, beit
modifying or accessing element content, or descending into child elements.
See <a href="#Access-Control">Access Control</a> for details. The <code>_name</code> attribute contains the
name of an element.
</p>
<p>The above mentioned attributes are considered reserved attribute names.
Reserved attributes are treated specially when a <code>target</code> attribute is
found for the current element. The <code>ATTR LIST</code> command will show these
attribute values for the current element and not the attribute values for the
resolved <code>target</code> element. All other non-reserved attributes for the
resolved <code>target</code> are appended to the <code>ATTR LIST</code> command output.
Other <code>ATTR</code> commands (see <a href="#ATTR">ATTR</a>) behave as usual. You can, for example, <code>ATTR
DELETE</code> a non-reserved attribute for an element that contains a <code>target</code>
attribute. The resolved target elements&rsquo; attribute will be removed rather than
the element containing the <code>target</code> attribute.
</p>
<p>Another specially handled attribute is the <code>expire</code> attribute. This
attribute value, like the <code>_ctime</code> and <code>_mtime</code> attributes, is a
timestamp. But this timestamp is usually in the future and for use with the
<code>GET</code> (see <a href="#GET">GET</a>) and <code>STORE</code> (see <a href="#STORE">STORE</a>) commands. When the
<code>GET</code> command is issued, it checks for an <code>expire</code> attribute an
compares its&rsquo; value with the current time. If the <code>expire</code> timestamp is in
the past then a status message is sent (see <a href="#Status-Messages">Status Messages</a>) to inform the
client that the element content should be updated.  When the content for an
element containing an <code>expire</code> attribute is set when using the
<code>STORE</code> command, the value of the <code>expire_increment</code> attribute is
added to the current time and the <code>expire</code> attribute value is updated.
When no <code>expire_increment</code> attribute is found, no modification is done of
the <code>expire</code> attribute.
</p>

<hr>
<a name="Key-Expiration"></a>
<div class="header">
<p>
Next: <a href="#Signals" accesskey="n" rel="next">Signals</a>, Previous: <a href="#Other-Attributes" accesskey="p" rel="prev">Other Attributes</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Key-Expiration-1"></a>
<h2 class="chapter">45 Key Expiration</h2>
<a name="index-key-expiration"></a>
<p>When a key used for signing a data file has expired there is no indication
until the next <code>SAVE</code> command is sent. The command will fail since one
cannot sign the data file with an expired key. The client will need to either
use a different key for signing by either specifying an existing non-expired
key, generate a new key, or change the expire time of the existing key with
<code>gpg</code>.
</p>
<p>To change the expiration of the currently used signing key with <code>gpg</code>,
use the <code>KEYINFO</code> command (see <a href="#KEYINFO">KEYINFO</a>) to obtain the fingerprint of
the signing key of the current data file, then change the expire time with
<code>gpg</code>:
</p>
<div class="example">
<pre class="example">gpg --homedir ~/.pwmd/.gnupg --edit-key &lt;fingerprint&gt;
</pre></div>

<p>Then use the <code>expire</code> command to set the new key expire date. When
finished, use the <code>save</code> command to save your changes.
</p>

<hr>
<a name="Signals"></a>
<div class="header">
<p>
Next: <a href="#Concept-Index" accesskey="n" rel="next">Concept Index</a>, Previous: <a href="#Key-Expiration" accesskey="p" rel="prev">Key Expiration</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Recognized-signals"></a>
<h2 class="chapter">46 Recognized signals</h2>

<p>Sending the <em>SIGHUP</em> signal to a <code>pwmd</code> process will reload the
configuration file and sending <em>SIGUSR1</em> will clear the entire file
cache.
</p>


<hr>
<a name="Concept-Index"></a>
<div class="header">
<p>
Previous: <a href="#Signals" accesskey="p" rel="prev">Signals</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Concept-Index-1"></a>
<h2 class="unnumbered">Concept Index</h2>


<a name="SEC_Overview"></a>
<h2 class="shortcontents-heading">Short Table of Contents</h2>

<div class="shortcontents">
<ul class="no-bullet">
<li><a name="stoc-Overview-of-pwmd" href="#toc-Overview-of-pwmd">1 Overview of <code>pwmd</code></a></li>
<li><a name="stoc-Access-Control-1" href="#toc-Access-Control-1">2 Access Control</a></li>
<li><a name="stoc-Cache-Control-1" href="#toc-Cache-Control-1">3 Cache Control</a></li>
<li><a name="stoc-Invoking-pwmd" href="#toc-Invoking-pwmd">4 Invoking <code>pwmd</code></a></li>
<li><a name="stoc-pwmd-configuration-file-options" href="#toc-pwmd-configuration-file-options">5 <code>pwmd</code> configuration file options</a></li>
<li><a name="stoc-Configuring-remote-connections-over-TLS_002e" href="#toc-Configuring-remote-connections-over-TLS_002e">6 Configuring remote connections over TLS.</a></li>
<li><a name="stoc-Pinentry-configuration" href="#toc-Pinentry-configuration">7 Pinentry configuration</a></li>
<li><a name="stoc-Protocol-commands-and-their-syntax" href="#toc-Protocol-commands-and-their-syntax">8 Protocol commands and their syntax</a></li>
<li><a name="stoc-Modifying-element-attributes_002e" href="#toc-Modifying-element-attributes_002e">9 Modifying element attributes.</a></li>
<li><a name="stoc-Setting-the-cache-timeout_002e" href="#toc-Setting-the-cache-timeout_002e">10 Setting the cache timeout.</a></li>
<li><a name="stoc-Removing-a-cache-entry_002e" href="#toc-Removing-a-cache-entry_002e">11 Removing a cache entry.</a></li>
<li><a name="stoc-Copying-an-element_002e" href="#toc-Copying-an-element_002e">12 Copying an element.</a></li>
<li><a name="stoc-Deleting-an-element_002e" href="#toc-Deleting-an-element_002e">13 Deleting an element.</a></li>
<li><a name="stoc-Deleting-a-key-from-the-key-ring_002e" href="#toc-Deleting-a-key-from-the-key-ring_002e">14 Deleting a key from the key ring.</a></li>
<li><a name="stoc-Showing-the-XML-document_002e" href="#toc-Showing-the-XML-document_002e">15 Showing the XML document.</a></li>
<li><a name="stoc-Generating-a-new-key_002e" href="#toc-Generating-a-new-key_002e">16 Generating a new key.</a></li>
<li><a name="stoc-Getting-the-content-of-an-element_002e" href="#toc-Getting-the-content-of-an-element_002e">17 Getting the content of an element.</a></li>
<li><a name="stoc-Obtaining-a-configuration-value_002e" href="#toc-Obtaining-a-configuration-value_002e">18 Obtaining a configuration value.</a></li>
<li><a name="stoc-Obtaining-server-and-client-information_002e" href="#toc-Obtaining-server-and-client-information_002e">19 Obtaining server and client information.</a></li>
<li><a name="stoc-Showing-available-commands_002e" href="#toc-Showing-available-commands_002e">20 Showing available commands.</a></li>
<li><a name="stoc-Creating-elements-from-XML_002e" href="#toc-Creating-elements-from-XML_002e">21 Creating elements from XML.</a></li>
<li><a name="stoc-Testing-cache-status_002e" href="#toc-Testing-cache-status_002e">22 Testing cache status.</a></li>
<li><a name="stoc-Showing-keys-used-for-the-current-data-file_002e" href="#toc-Showing-keys-used-for-the-current-data-file_002e">23 Showing keys used for the current data file.</a></li>
<li><a name="stoc-Terminating-another-client_002e" href="#toc-Terminating-another-client_002e">24 Terminating another client.</a></li>
<li><a name="stoc-Showing-document-elements_002e" href="#toc-Showing-document-elements_002e">25 Showing document elements.</a></li>
<li><a name="stoc-Listing-keys-in-the-key-ring_002e" href="#toc-Listing-keys-in-the-key-ring_002e">26 Listing keys in the key ring.</a></li>
<li><a name="stoc-Locking-the-current-data-file_002e" href="#toc-Locking-the-current-data-file_002e">27 Locking the current data file.</a></li>
<li><a name="stoc-Showing-available-data-files_002e" href="#toc-Showing-available-data-files_002e">28 Showing available data files.</a></li>
<li><a name="stoc-Moving-an-element_002e" href="#toc-Moving-an-element_002e">29 Moving an element.</a></li>
<li><a name="stoc-Testing-the-connection_002e" href="#toc-Testing-the-connection_002e">30 Testing the connection.</a></li>
<li><a name="stoc-Opening-a-data-file_002e" href="#toc-Opening-a-data-file_002e">31 Opening a data file.</a></li>
<li><a name="stoc-Setting-various-client-parameters_002e" href="#toc-Setting-various-client-parameters_002e">32 Setting various client parameters.</a></li>
<li><a name="stoc-Changing-the-passphrase-for-a-key_002e" href="#toc-Changing-the-passphrase-for-a-key_002e">33 Changing the passphrase for a key.</a></li>
<li><a name="stoc-Resolving-an-element_002e" href="#toc-Resolving-an-element_002e">34 Resolving an element.</a></li>
<li><a name="stoc-Renaming-an-element_002e" href="#toc-Renaming-an-element_002e">35 Renaming an element.</a></li>
<li><a name="stoc-Resetting-the-client-state_002e" href="#toc-Resetting-the-client-state_002e">36 Resetting the client state.</a></li>
<li><a name="stoc-Saving-document-changes-to-disk_002e" href="#toc-Saving-document-changes-to-disk_002e">37 Saving document changes to disk.</a></li>
<li><a name="stoc-Modifying-the-content-of-an-element_002e" href="#toc-Modifying-the-content-of-an-element_002e">38 Modifying the content of an element.</a></li>
<li><a name="stoc-Removing-a-data-file-lock_002e" href="#toc-Removing-a-data-file-lock_002e">39 Removing a data file lock.</a></li>
<li><a name="stoc-Modifying-more-than-one-element_002e" href="#toc-Modifying-more-than-one-element_002e">40 Modifying more than one element.</a></li>
<li><a name="stoc-Modifying-more-than-one-element_0027s-attributes_002e" href="#toc-Modifying-more-than-one-element_0027s-attributes_002e">41 Modifying more than one element&rsquo;s attributes.</a></li>
<li><a name="stoc-Status-messages-and-their-meanings" href="#toc-Status-messages-and-their-meanings">42 Status messages and their meanings</a></li>
<li><a name="stoc-The-target-attribute" href="#toc-The-target-attribute">43 The <code>target</code> attribute</a></li>
<li><a name="stoc-Other-special-attributes" href="#toc-Other-special-attributes">44 Other special attributes</a></li>
<li><a name="stoc-Key-Expiration-1" href="#toc-Key-Expiration-1">45 Key Expiration</a></li>
<li><a name="stoc-Recognized-signals" href="#toc-Recognized-signals">46 Recognized signals</a></li>
<li><a name="stoc-Concept-Index-1" href="#toc-Concept-Index-1">Concept Index</a></li>

</ul>
</div>

<a name="SEC_Contents"></a>
<h2 class="contents-heading">Table of Contents</h2>

<div class="contents">
<ul class="no-bullet">
<li><a name="toc-Overview-of-pwmd" href="#Introduction">1 Overview of <code>pwmd</code></a></li>
<li><a name="toc-Access-Control-1" href="#Access-Control">2 Access Control</a></li>
<li><a name="toc-Cache-Control-1" href="#Cache-Control">3 Cache Control</a></li>
<li><a name="toc-Invoking-pwmd" href="#Invoking">4 Invoking <code>pwmd</code></a></li>
<li><a name="toc-pwmd-configuration-file-options" href="#Configuration">5 <code>pwmd</code> configuration file options</a></li>
<li><a name="toc-Configuring-remote-connections-over-TLS_002e" href="#TLS">6 Configuring remote connections over TLS.</a></li>
<li><a name="toc-Pinentry-configuration" href="#Pinentry">7 Pinentry configuration</a></li>
<li><a name="toc-Protocol-commands-and-their-syntax" href="#Commands">8 Protocol commands and their syntax</a></li>
<li><a name="toc-Modifying-element-attributes_002e" href="#ATTR">9 Modifying element attributes.</a></li>
<li><a name="toc-Setting-the-cache-timeout_002e" href="#CACHETIMEOUT">10 Setting the cache timeout.</a></li>
<li><a name="toc-Removing-a-cache-entry_002e" href="#CLEARCACHE">11 Removing a cache entry.</a></li>
<li><a name="toc-Copying-an-element_002e" href="#COPY">12 Copying an element.</a></li>
<li><a name="toc-Deleting-an-element_002e" href="#DELETE">13 Deleting an element.</a></li>
<li><a name="toc-Deleting-a-key-from-the-key-ring_002e" href="#DELETEKEY">14 Deleting a key from the key ring.</a></li>
<li><a name="toc-Showing-the-XML-document_002e" href="#DUMP">15 Showing the XML document.</a></li>
<li><a name="toc-Generating-a-new-key_002e" href="#GENKEY">16 Generating a new key.</a></li>
<li><a name="toc-Getting-the-content-of-an-element_002e" href="#GET">17 Getting the content of an element.</a></li>
<li><a name="toc-Obtaining-a-configuration-value_002e" href="#GETCONFIG">18 Obtaining a configuration value.</a></li>
<li><a name="toc-Obtaining-server-and-client-information_002e" href="#GETINFO">19 Obtaining server and client information.</a></li>
<li><a name="toc-Showing-available-commands_002e" href="#HELP">20 Showing available commands.</a></li>
<li><a name="toc-Creating-elements-from-XML_002e" href="#IMPORT">21 Creating elements from XML.</a></li>
<li><a name="toc-Testing-cache-status_002e" href="#ISCACHED">22 Testing cache status.</a></li>
<li><a name="toc-Showing-keys-used-for-the-current-data-file_002e" href="#KEYINFO">23 Showing keys used for the current data file.</a></li>
<li><a name="toc-Terminating-another-client_002e" href="#KILL">24 Terminating another client.</a></li>
<li><a name="toc-Showing-document-elements_002e" href="#LIST">25 Showing document elements.</a></li>
<li><a name="toc-Listing-keys-in-the-key-ring_002e" href="#LISTKEYS">26 Listing keys in the key ring.</a></li>
<li><a name="toc-Locking-the-current-data-file_002e" href="#LOCK">27 Locking the current data file.</a></li>
<li><a name="toc-Showing-available-data-files_002e" href="#LS">28 Showing available data files.</a></li>
<li><a name="toc-Moving-an-element_002e" href="#MOVE">29 Moving an element.</a></li>
<li><a name="toc-Testing-the-connection_002e" href="#NOP">30 Testing the connection.</a></li>
<li><a name="toc-Opening-a-data-file_002e" href="#OPEN">31 Opening a data file.</a></li>
<li><a name="toc-Setting-various-client-parameters_002e" href="#OPTION">32 Setting various client parameters.</a></li>
<li><a name="toc-Changing-the-passphrase-for-a-key_002e" href="#PASSWD">33 Changing the passphrase for a key.</a></li>
<li><a name="toc-Resolving-an-element_002e" href="#REALPATH">34 Resolving an element.</a></li>
<li><a name="toc-Renaming-an-element_002e" href="#RENAME">35 Renaming an element.</a></li>
<li><a name="toc-Resetting-the-client-state_002e" href="#RESET">36 Resetting the client state.</a></li>
<li><a name="toc-Saving-document-changes-to-disk_002e" href="#SAVE">37 Saving document changes to disk.</a></li>
<li><a name="toc-Modifying-the-content-of-an-element_002e" href="#STORE">38 Modifying the content of an element.</a></li>
<li><a name="toc-Removing-a-data-file-lock_002e" href="#UNLOCK">39 Removing a data file lock.</a></li>
<li><a name="toc-Modifying-more-than-one-element_002e" href="#XPATH">40 Modifying more than one element.</a></li>
<li><a name="toc-Modifying-more-than-one-element_0027s-attributes_002e" href="#XPATHATTR">41 Modifying more than one element&rsquo;s attributes.</a></li>
<li><a name="toc-Status-messages-and-their-meanings" href="#Status-Messages">42 Status messages and their meanings</a></li>
<li><a name="toc-The-target-attribute" href="#Target-Attribute">43 The <code>target</code> attribute</a></li>
<li><a name="toc-Other-special-attributes" href="#Other-Attributes">44 Other special attributes</a></li>
<li><a name="toc-Key-Expiration-1" href="#Key-Expiration">45 Key Expiration</a></li>
<li><a name="toc-Recognized-signals" href="#Signals">46 Recognized signals</a></li>
<li><a name="toc-Concept-Index-1" href="#Concept-Index">Concept Index</a></li>

</ul>
</div>

<hr>



</body>
</html>