Fix manpage formatting of the "allowed" configuration parameter.

[pwmd.git] / doc / pwmd.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 5.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>PWMD Manual</title>

<meta name="description" content="PWMD Manual">
<meta name="keywords" content="PWMD Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="#Top" rel="start" title="Top">
<link href="#SEC_Contents" rel="contents" title="Table of Contents">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.indentedblock {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smallindentedblock {margin-left: 3.2em; font-size: smaller}
div.smalllisp {margin-left: 3.2em}
kbd {font-style:oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space:nowrap}
span.nolinebreak {white-space:nowrap}
span.roman {font-family:serif; font-weight:normal}
span.sansserif {font-family:sans-serif; font-weight:normal}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#800080" alink="#FF0000">
<h1 class="settitle" align="center">PWMD Manual</h1>




<a name="Top"></a>
<div class="header">
<p>
Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<h1 class="node-heading">Top</h1>
 
 
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#Introduction" accesskey="1">Introduction</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Overview of pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Invoking" accesskey="2">Invoking</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Command line options.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Configuration" accesskey="3">Configuration</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file options.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Commands" accesskey="4">Commands</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Protocol commands.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Status-Messages" accesskey="5">Status Messages</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Status lines and their meaning.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Target-Attribute" accesskey="6">Target Attribute</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">A kind of symbolic link.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Signals" accesskey="7">Signals</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Signals known to pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Concept-Index" accesskey="8">Concept Index</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Index of concepts.
</td></tr>
</table>

<hr>
<a name="Introduction"></a>
<div class="header">
<p>
Next: <a href="#Invoking" accesskey="n" rel="next">Invoking</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Overview-of-pwmd"></a>
<h2 class="chapter">1 Overview of <code>pwmd</code></h2>






<p><code>pwmd</code> or <em>Password Manager Daemon</em> is a server that
applications connect to and send commands to store and retrieve data
that is saved in an encrypted <abbr>XML</abbr> document.
</p>
<p>The server uses the Assuan protocol (See <a href="http://www.gnupg.org/documentation/manuals/assuan/Implementation.html#Implementation">(assuan)Implementation</a>) which
is the same used by <code>gpg-agent</code>, <code>pinentry</code> and
<code>scdaemon</code>. It also uses <cite>libgpg-error</cite> for error reporting with
the error source set as <var>GPG_ERR_SOURCE_USER_1</var>.
</p>

<p>The <abbr>XML</abbr> document uses the following <abbr>DTD</abbr>:
</p>
<div class="example">
<pre class="example">    &lt;?xml version=&quot;1.0&quot;?&gt;
    &lt;!DOCTYPE pwmd [
    &lt;!ELEMENT pwmd (element*)&gt;
    &lt;!ATTLIST element _name CDATA #REQUIRED&gt;
    ]&gt;
</pre></div>

<p>The <code>pwmd</code> element is the document root node while all other elements
of the document have the name <code>element</code> with an attribute <code>_name</code>
whose value uniquely identifies the element at the current element tree depth.
It is done this way to avoid <abbr>XML</abbr> parsing errors for commonly used
characters.  A <abbr>URL</abbr> for example would be an invalid <abbr>XML</abbr> element
since the <abbr>URI</abbr> contains a &lsquo;<samp>:</samp>&rsquo; which is also the <abbr>XML</abbr>
namespace separator.
</p>
<p>As mentioned, an element name must be unique for the current element tree
depth. You cannot have two elements containing the same <code>_name</code> attribute
value. <code>pwmd</code> will stop searching for an element of an <em>element
path</em> at the first match then continue searching for the next element of the
element path beginning at the child node of the matched element.
</p>
<p>An <em>element path</em> is a <tt class="key">TAB</tt> delimited character string where each
<tt class="key">TAB</tt> separates each element in the path.  For example, the element path
<code>a<span class="key">TAB</span>b<span class="key">TAB</span>c</code> has the following <abbr>XML</abbr> document structure:
</p>
<div class="example">
<pre class="example">   &lt;pwmd&gt;
            &lt;element _name=&quot;a&quot;&gt;
                &lt;element _name=&quot;b&quot;&gt;
                    &lt;element _name=&quot;c&quot;&gt;
                        [... element value or content ...]
                    &lt;/element&gt;
                &lt;/element&gt;
            &lt;/element&gt;
        &lt;/pwmd&gt;
</pre></div>

<p>The only restriction of an element name is that it contain no whitespace
characters. It also cannot begin with a &lsquo;<samp>!</samp>&rsquo; since this character is
reserved for the <code>target</code> attribute. See <a href="#Target-Attribute">Target Attribute</a>.
</p>
<hr>
<a name="Invoking"></a>
<div class="header">
<p>
Next: <a href="#Configuration" accesskey="n" rel="next">Configuration</a>, Previous: <a href="#Introduction" accesskey="p" rel="previous">Introduction</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Invoking-pwmd"></a>
<h2 class="chapter">2 Invoking <code>pwmd</code></h2>



<p>When <code>pwmd</code> is started with the <samp>--use-agent</samp> command
line option then <code>pwmd</code> will use <code>gpg-agent</code> for key
generation, decryption, signing and caching of passphrases as the
default rather than symmetrically encrypted data files.
<code>gpg-agent</code> must be running prior to <code>pwmd</code> startup when
this option is enabled. The <code>GPG_AGENT_INFO</code> environment variable is
set by <code>gpg-agent</code> and <code>pwmd</code> uses this variable to
determine where the <code>gpg-agent</code> socket is listening for
connections.
</p>
<p>It is recommended to pass the <samp>--allow-preset-passphrase</samp>
command line option to <code>gpg-agent</code>. Doing so allows <code>pwmd</code>
cache pushing on startup. It is also recommended to pass the
<samp>--allow-loopback-pinentry</samp> to <code>gpg-agent</code>. This option allows
a passphrase to be inquired from <code>pwmd</code> when a <code>pinentry</code> is
unavailable to the client.
</p>
<a name="index-Running-pwmd"></a>
<p><code>pwmd</code> is executed as follows: 
</p> 
<div class="example">
<pre class="example">pwmd <var>options</var> [ file1 ] [ &hellip; ]
</pre></div>

<p>Non-option arguments are data files to cache on startup. When the data file
requires a passphrase for decryption a <code>pinentry</code> will prompt either
on the current <abbr>TTY</abbr> or from an X11 window when the <code>DISPLAY</code>
environment variable is set.
</p>
<a name="index-Options"></a>
<a name="index-Arguments"></a>
<p>The following command line options are supported:
</p>
<a name="index-Getting-help"></a>
<dl compact="compact">
<dt>&lsquo;<samp>--homedir directory</samp>&rsquo;</dt>
<dd><p>The root directory where pwmd will store its data and temporary files.  The
default is <samp>~/.pwmd</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--rcfile, -f rcfile</samp>&rsquo;</dt>
<dd><p>Specify an alternate configuration file. The default is
<samp>~/.pwmd/config</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--use-agent</samp>&rsquo;</dt>
<dd><p>Enable the use of <code>gpg-agent</code> and add support for data files
encrypted with a keypair. Files previously handled by
<code>gpg-agent</code> when this option is not specified will no longer be
able to be opened and new data files are symmetrically or conventionally
encrypted and without a public and private key. If
specified, both data file types are supported.
</p>
</dd>
<dt>&lsquo;<samp>--import, -I filename</samp>&rsquo;</dt>
<dd><p>Imports an <abbr>XML</abbr> file. The <abbr>XML</abbr> file should be in conformance to
the <code>pwmd</code> <abbr>DTD</abbr> (see <a href="#Introduction">Introduction</a>). You
will be prompted for a passphrase to encrypt with.  The output is written to
the filename specified with <samp>--outfile</samp>. To make use of the imported
data, place the output file in <samp>~/.pwmd/data</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--keyparam S-expression</samp>&rsquo;</dt>
<dd><p>The key parameters to use when generating a new key pair while importing an
<abbr>XML</abbr> file or when converting a <em>version 2</em> data file. The argument
must be a valid S-expression (See <a href="http://www.gnupg.org/documentation/manuals/gcrypt/S_002dexpressions.html#S_002dexpressions">(gcrypt)S-expressions</a>).
</p>
</dd>
<dt>&lsquo;<samp>--keygrip hexstring</samp>&rsquo;</dt>
<dd><p>Specifies the hexadecimal encoded public key-grip to use for encryption when
importing or converting. When not specified a new key-pair will be created.
</p>
</dd>
<dt>&lsquo;<samp>--sign-keygrip hexstring</samp>&rsquo;</dt>
<dd><p>Specifies the hexadecimal encoded public key-grip to use for signing of the
data file when importing or converting. When not specified the generated
public key or the key specified with the <samp>--keygrip</samp> option will be
used.
</p>
</dd>
<dt>&lsquo;<samp>--passphrase-file, -k filename&quot;</samp>&rsquo;</dt>
<dd><p>Obtain the passphrase from the specified filename.
</p>
</dd>
<dt>&lsquo;<samp>--s2k-count iterations</samp>&rsquo;</dt>
<dd><p>The number of times to hash the passphrase when importing or converting.  The
default is the gpg-agent calibrated value of the machine. When less than
&lsquo;<samp>65536</samp>&rsquo; the default will be used.
</p>
</dd>
<dt>&lsquo;<samp>--cipher-iterations iterations</samp>&rsquo;</dt>
<dd><p>The number of symmetric encryption iterations. The value is actually N+1. The
default is 0+1.
</p>
</dd>
<dt>&lsquo;<samp>--cipher algo</samp>&rsquo;</dt>
<dd><p>When importing, the cipher to use for data encryption.  See the <var>cipher</var>
configuration parameter (see <a href="#Configuration">Configuration</a>) for available ciphers. The
default is &lsquo;<samp>aes256</samp>&rsquo;.
</p>
</dd>
<dt>&lsquo;<samp>--convert, -C filename</samp>&rsquo;</dt>
<dd><p>Converts a <code>pwmd</code> <em>version 2</em> data file to a <em>version 3</em>
data file. If encrypted, you will be prompted for a passphrase to use for
decryption unless <samp>--passphrase-file</samp> was specified. The converted data
file will be saved to the filename specified with <samp>--outfile</samp>. All
<samp>--import</samp> related options may also be used when converting.
</p>
</dd>
<dt>&lsquo;<samp>--disable-dump, -D</samp>&rsquo;</dt>
<dd><p>Disable the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and <code>DUMP</code>
protocol commands (see <a href="#Commands">Commands</a>). This overrides any
<var>disable_list_and_dump</var> configuration parameter (see <a href="#Configuration">Configuration</a>).
</p>
</dd>
<dt>&lsquo;<samp>--no-fork, -n</samp>&rsquo;</dt>
<dd><p>Run as a foreground process and do not fork into the background.
</p>
</dd>
<dt>&lsquo;<samp>--ignore</samp>&rsquo;</dt>
<dd><p>Ignore cache pushing failures on startup. By default, <code>pwmd</code> will exit
if an error occurred do to an invalid passphrase or other error.
</p>
</dd>
<dt>&lsquo;<samp>--debug-level keyword,keyword,...</samp>&rsquo;</dt>
<dd><p>Output libassuan See <a href="http://www.gnupg.org/documentation/manuals/assuan/index.html#Top">(assuan)Top</a> protocol IO with the comma
separated list of output keywords.  Valid keywords are: <code>init</code>,
<code>ctx</code>, <code>engine</code>, <code>data</code>, <code>sysio</code> and <code>control</code>.
</p>
</dd>
<dt>&lsquo;<samp>--version</samp>&rsquo;</dt>
<dd><p>Show the version, copyright and compile time features and exit.
</p>
</dd>
<dt>&lsquo;<samp>--help</samp>&rsquo;</dt>
<dd><p>Print a summary of options.
</p></dd>
</dl>


<hr>
<a name="Configuration"></a>
<div class="header">
<p>
Next: <a href="#TLS" accesskey="n" rel="next">TLS</a>, Previous: <a href="#Invoking" accesskey="p" rel="previous">Invoking</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="pwmd-configuration-file-options"></a>
<h2 class="chapter">3 <code>pwmd</code> configuration file options</h2>


<p>If no configuration file is specified with the <code>pwmd</code> <samp>-f</samp>
command line option, <code>pwmd</code> will read <samp>~/.pwmd/config</samp> if it
exists, and if not, will use defaults.  Blank lines and lines beginning with
&lsquo;<samp>#</samp>&rsquo; are ignored. Some parameters may have data file specific settings by
placing them in a file section. A file section is declared by surrounding the
filename with braces (i.e., &lsquo;<samp>[filename]</samp>&rsquo;).  Global options may be
specified in a &lsquo;<samp>[global]</samp>&rsquo; section and are the default options for new or
unspecified files.
</p>
<p>A tilde <tt class="key">~</tt> will be expanded to the home directory of the invoking user
when contained in a parameter whose value is a filename.
</p>
<a name="index-Reloading-the-configuration-file"></a>
<p>The configuration file can be reloaded by sending the <em>SIGHUP</em> signal to
a <code>pwmd</code> process.
</p>
<a name="index-Global-configuration-options"></a>
<p>The following options are only for use in the &lsquo;<samp>global</samp>&rsquo; section:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>socket_path = /path/to/socket</samp>&rsquo;</dt>
<dd><p>Listen on the specified socket. The default is <samp>~/.pwmd/socket</samp>.
</p>
</dd>
<dt>&lsquo;<samp>socket_perms = octal_mode</samp>&rsquo;</dt>
<dd><p>Permissions to set after creating the socket. This will override any
<cite>umask(2)</cite> setting.
</p>
</dd>
<dt>&lsquo;<samp>allowed = [-]user,[-]@group,...</samp>&rsquo;</dt>
<dd><p>A comma separated list of local user names or group names allowed to connect
to the socket. Groups should be prefixed with a &lsquo;<samp>@</samp>&rsquo;. When not specified
only the invoking user may connect. A username or group name may also be
prefixed with a <tt class="key">-</tt> to prevent access to a specific user or group
in the list. The order of the list is important since a user may be of
multiple groups.
</p>
<p>This parameter may also be specified in a filename section to allow or
deny a local user to <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) a data file and has the
same default to allow only the invoking user.
</p>
<p>The following example would deny all users in group <code>primary</code> but
allow <code>username</code> who is a member of <code>primary</code>:
</p>
<div class="example">
<pre class="example">allowed=-@primary,username
</pre></div>

</dd>
<dt>&lsquo;<samp>disable_mlockall = boolean</samp>&rsquo;</dt>
<dd><p>When set to <var>false</var>, <cite>mlockall(2)</cite> will be called on startup.  This
will use more physical memory but may also be more secure since no swapping to
disk will occur. The default is <var>true</var>.
</p>
</dd>
<dt>&lsquo;<samp>log_path = /path/to/logfile</samp>&rsquo;</dt>
<dd><p>Logs informational messages to the specified file. The default is
<samp>~/.pwmd/log</samp>.
</p>
</dd>
<dt>&lsquo;<samp>enable_logging = boolean</samp>&rsquo;</dt>
<dd><p>Enable or disable logging to <var>log_path</var>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>syslog = boolean</samp>&rsquo;</dt>
<dd><p>Enable logging to <cite>syslog(8)</cite> with facility <em>LOG_DAEMON</em> and priority
<em>LOG_INFO</em>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>log_level = level</samp>&rsquo;</dt>
<dd><p>When <code>0</code>, only connections and errors are logged. When <code>1</code>, client
commands are also logged. When <code>2</code>, the command arguments are also logged.
The default is <code>0</code>.
</p>
</dd>
<dt>&lsquo;<samp>use_agent = boolean</samp>&rsquo;</dt>
<dd><p>When true, enable <code>gpg-agent</code> support (see <a href="#Invoking">Invoking</a>).
</p>
</dd>
<dt>&lsquo;<samp>agent_env_file = filename</samp>&rsquo;</dt>
<dd><p>A file containing the <code>GPG_AGENT_INFO</code> environment variable and value as
output by the <code>gpg-agent</code> <samp>--write-env-file</samp> command line
option.
</p>
</dd>
<dt>&lsquo;<samp>kill_scd = boolean</samp>&rsquo;</dt>
<dd><p>Kill <code>scdaemon</code> after each <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) or <code>SAVE</code>
(see <a href="#SAVE">SAVE</a>) command.
</p>
</dd>
<dt>&lsquo;<samp>require_save_key = boolean</samp>&rsquo;</dt>
<dd><p>Require the passphrase needed to open a data file before writing changes
of the documment to disk reguardless of the key cache status.
</p>
</dd>
<dt>&lsquo;<samp>disable_list_and_dump = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and
<code>DUMP</code> protocol commands (see <a href="#Commands">Commands</a>) will be disabled.
</p>
</dd>
<dt>&lsquo;<samp>cache_push = file1,file2</samp>&rsquo;</dt>
<dd><p>A comma separated list of filenames that will be pushed into the file cache
upon startup. <code>pwmd</code> will prompt for the passphrase for each file unless
specified with the <var>passphrase</var> or <var>passphrase_file</var> parameters in a
matching file section.
</p>
</dd>
<dt>&lsquo;<samp>priority = integer</samp>&rsquo;</dt>
<dd><p>The priority, or niceness, of the server. The default is inherited from the
parent process.
</p>
</dd>
<dt>&lsquo;<samp>cipher = algorithm</samp>&rsquo;</dt>
<dd><p>The default cipher to use for data encryption. The algorithm must be one of:
<code>aes128</code>, <code>aes192</code>, <code>aes256</code>, <code>serpent128</code>,
<code>serpent192</code>, <code>serpent256</code>, <code>camellia128</code>,
<code>camellia192</code>, <code>camellia256</code>, <code>3des</code>, <code>cast5</code>,
<code>blowfish</code>, <code>twofish128</code> or <code>twofish256</code>. The default is
<code>aes256</code>.
</p>
</dd>
<dt>&lsquo;<samp>cipher_iterations = integer</samp>&rsquo;</dt>
<dd><p>The number of times to encrypt the XML data. This differs from the
<var>s2k_count</var> parameter which specifies the number of times to hash the
passphrase used to encrypt the data. The default is 0 although 1 iteration is
still done.
</p>
</dd>
<dt>&lsquo;<samp>cipher_progress = integer</samp>&rsquo;</dt>
<dd><p>Send a progress message to the client after the specified amount of encryption
or decryption iterations have been done. The default is 2000.
</p>
</dd>
<dt>&lsquo;<samp>keyparam = s-expression</samp>&rsquo;</dt>
<dd><p>The default key paramaters to use when generating a new key-pair. The
default is RSA with 2048 bits. Note that only RSA as the encryption
algorithm is supported at the moment. Both RSA and DSA keys may be used
for signing.
</p>
</dd>
<dt>&lsquo;<samp>pinentry_path = /path/to/pinentry</samp>&rsquo;</dt>
<dd><p>The location of the <code>pinentry</code> binary. This program is used to
prompt for a passphrase when not using <code>gpg-agent</code>. The default
is specified at compile time.
</p>
</dd>
<dt>&lsquo;<samp>pinentry_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to wait for a pinentry before giving up and
returning an error. This timeout value is used for both waiting for
another pinentry to complete and for the pinentry waiting for user input.
</p></dd>
</dl>

<a name="index-Data-file-configuration-options"></a>
<p>The following options are defaults for new files when specified in the
&lsquo;<samp>global</samp>&rsquo; section. When placed in a data file section they are options
specific to that data file only.
</p>
<dl compact="compact">
<dt>&lsquo;<samp>backup = boolean</samp>&rsquo;</dt>
<dd><p>Whether to create a backup of the data file when saving. The backup filename
has the <samp>.backup</samp> extension appended to the opened file. The default is
<code>true</code>. 
</p>
</dd>
<dt>&lsquo;<samp>cache_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to keep the cache entry for this file. If <code>-1</code>, the
cache entry is kept forever. If <code>0</code>, each time an encrypted file is
<code>OPEN</code>ed (see <a href="#OPEN">OPEN</a>) a passphrase will be required. The default
is <code>600</code> or 10 minutes.
</p>
</dd>
<dt>&lsquo;<samp>xfer_progress = bytes</samp>&rsquo;</dt>
<dd><p>Commands that send data lines to the client will also send the <code>XFER</code>
status message (see <a href="#Status-Messages">Status Messages</a>) after the specified number of bytes
have been sent. The number of bytes is rounded to <var>ASSUAN_LINELENGTH</var> or
<code>1002</code> bytes. The default is <code>8196</code>.
</p>
</dd>
<dt>&lsquo;<samp>passphrase = string</samp>&rsquo;</dt>
<dd><p>The passphrase to use for this file. If specified in the &lsquo;<samp>global</samp>&rsquo; section
then &lsquo;<samp>global</samp>&rsquo; is treated as a data filename and not a default for other
files. Note that if a client changes the passphrase for this data file then
this value is not modified and will need to be updated.
</p>
</dd>
<dt>&lsquo;<samp>passphrase_file = /path/to/file</samp>&rsquo;</dt>
<dd><p>Same as the <var>passphrase</var> parameter above but obtains the passphrase from
the specified filename.
</p>
</dd>
<dt>&lsquo;<samp>recursion_depth = integer</samp>&rsquo;</dt>
<dd><p>The maximum number of times to resolve a <code>target</code> attribute for an
element in an element path (see <a href="#Target-Attribute">Target Attribute</a>). An error is returned
when this value is exceeded.  The default is <code>100</code> but can be disabled by
setting to <code>0</code> (<em>not recommended</em>).
</p>
</dd>
<dt>&lsquo;<samp>allowed = [-]user,[-]@group,...</samp>&rsquo;</dt>
<dd><p>Same parameter value as the <code>allowed</code> parameter mentioned above in
the &lsquo;<samp>global</samp>&rsquo; section but grants or denies a local user from opening
a specific data file. The default is to allow only the invoking user.
</p>
</dd>
</dl>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#TLS" accesskey="1">TLS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Remote connections over TLS.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Pinentry" accesskey="2">Pinentry</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file and defaults.
</td></tr>
</table>

<hr>
<a name="TLS"></a>
<div class="header">
<p>
Next: <a href="#Pinentry" accesskey="n" rel="next">Pinentry</a>, Previous: <a href="#Configuration" accesskey="p" rel="previous">Configuration</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Configuring-remote-connections-over-TLS_002e"></a>
<h2 class="chapter">4 Configuring remote connections over TLS.</h2>
<p>Remote connections can also be made to <code>pwmd</code> over <abbr>TLS</abbr>.
Authentication is done by using X509 client certificates that are signed with
the same Certificate Authority (<abbr>CA</abbr>) as the server certificate.
</p>
<p>The <abbr>CA</abbr> certificate is expected to be found in
<samp>~/.pwmd/ca-cert.pem</samp> while the <code>pwmd</code> server certificate and key
file should be put in <samp>~/.pwmd/server-cert.pem</samp> and
<samp>~/.pwmd/server-key.pem</samp>, respectively.
</p>
<p>See the documentation of <code>certtool</code> or <code>openssl</code> for details
on creating self-signed certificates.
</p>
<p>The following TLS configuration options are available:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>enable_tcp = boolean</samp>&rsquo;</dt>
<dd><p>Whether to enable TCP/TLS server support. If enabled, both TCP and the local
unix domain socket will listen for connections. The default is
<code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_port = integer</samp>&rsquo;</dt>
<dd><p>The TCP port to listen on when <var>enable_tcp</var> is <code>true</code>. The default is
<code>6466</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_bind = string</samp>&rsquo;</dt>
<dd><p>The internet protocol to listen with. Must be one of <code>ipv4</code>, <code>ipv6</code>
or <code>any</code> to listen for both IPv4 and IPv6 connections.
</p>
</dd>
<dt>&lsquo;<samp>tcp_interface = string</samp>&rsquo;</dt>
<dd><p>Only useful if running as root.
</p>
</dd>
<dt>&lsquo;<samp>tls_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to wait for a read() or write() call on a
<abbr>TLS</abbr> client file descriptor to complete before returning an
error. The default is <var>300</var>.
</p>
<p>Note that the <code>SAVE</code> command (see <a href="#SAVE">SAVE</a>) may take a longer time
to complete than other commands since key generation may need to be done
or do to a large <samp>--cipher-iterations</samp> setting.
</p>
</dd>
<dt>&lsquo;<samp>keepalive_interval = seconds</samp>&rsquo;</dt>
<dd><p>Send a keepalive status message to an idle remote client.  An idle
client is one who is not in a command. The purpose of this status
message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is <code>60</code>.
</p>
</dd>
<dt>&lsquo;<samp>tls_access = string[,string,...]</samp>&rsquo;</dt>
<dd><p>A comma separated list of client X509 certificate fingerprints in SHA-1
format that will be allowed to connect or open a file. If prefixed with
<code>!</code> then access is denied for the fingerprint. When <code>!</code> is
found by itself in the list it is treated as a default for remaining
fingerprints in the list. The <code>+</code> prefix behaves the same but
allows access.
</p>
<p>The access control is two fold: when the client connects its SHA-1
fingerprint is matched against the list of allowed fingerprints in the
&lsquo;<samp>global</samp>&rsquo; section. When allowed in the &lsquo;<samp>global</samp>&rsquo; section the
connection is established and the client may proceed to <code>OPEN</code>
(see <a href="#OPEN">OPEN</a>) a data file. During the <code>OPEN</code> command the
fingerprint is checked again in a &lsquo;<samp>filename</samp>&rsquo; section. When this
parameter is not found in a &lsquo;<samp>filename</samp>&rsquo; section then access is granted.
</p>
</dd>
<dt>&lsquo;<samp>tcp_require_key = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, require the remote client to provide the key or passphrase
to open a data file even if the file is cached. Note that the cache entry is
cleared during the see <a href="#OPEN">OPEN</a> command and the passphrase will be retrieved
from the client via a server <em>INQUIRE</em>. This option is a default
for all files when specified in the &lsquo;<samp>global</samp>&rsquo; section. The default
is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_wait = integer</samp>&rsquo;</dt>
<dd><p>The time in tenths of a second to wait between TCP connections.  Setting to 0
will disable waiting. The default is <code>3</code>.
</p>
</dd>
<dt>&lsquo;<samp>tls_cipher_suite = string</samp>&rsquo;</dt>
<dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
information about the format of this string. The default is <code>SECURE256</code>.
</p></dd>
</dl>

<hr>
<a name="Pinentry"></a>
<div class="header">
<p>
Next: <a href="#Commands" accesskey="n" rel="next">Commands</a>, Previous: <a href="#TLS" accesskey="p" rel="previous">TLS</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Pinentry-configuration"></a>
<h2 class="chapter">5 Pinentry configuration</h2>

<p>The <code>pinentry</code> program is used to prompt the user for passphrase
input or as a confirmation dialog; it needs to know where to prompt for
the input, beit from a terminal or an X11 display.
</p>
<p>It is the responsibility of the client to tell <code>pinentry</code> about
the terminal or X11 display before requiring the input. This is done by
using the <code>pwmd</code> see <a href="#OPTION">OPTION</a> protocol command. It need be
done only once per client connection. To avoid the use of
<code>pinentry</code> entirely, use the <code>OPTION</code> (see <a href="#OPTION">OPTION</a>)
<samp>--disable-pinentry</samp> protocol command.
</p>
<hr>
<a name="Commands"></a>
<div class="header">
<p>
Next: <a href="#Status-Messages" accesskey="n" rel="next">Status Messages</a>, Previous: <a href="#Pinentry" accesskey="p" rel="previous">Pinentry</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Protocol-commands-and-their-syntax"></a>
<h2 class="chapter">6 Protocol commands and their syntax</h2>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#AGENT" accesskey="1">AGENT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ATTR" accesskey="2">ATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#CACHETIMEOUT" accesskey="3">CACHETIMEOUT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#CLEARCACHE" accesskey="4">CLEARCACHE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#COPY" accesskey="5">COPY</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DELETE" accesskey="6">DELETE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DUMP" accesskey="7">DUMP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GET" accesskey="8">GET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GETCONFIG" accesskey="9">GETCONFIG</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GETINFO">GETINFO</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#HELP">HELP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#IMPORT">IMPORT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ISCACHED">ISCACHED</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#KEYGRIP">KEYGRIP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LIST">LIST</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LOCK">LOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LS">LS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#MOVE">MOVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#NOP">NOP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#OPEN">OPEN</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#OPTION">OPTION</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#PASSWD">PASSWD</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#REALPATH">REALPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#RENAME">RENAME</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#RESET">RESET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#SAVE">SAVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#STORE">STORE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#UNLOCK">UNLOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#XPATH">XPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#XPATHATTR">XPATHATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
</table>
<hr>
<a name="AGENT"></a>
<div class="header">
<p>
Next: <a href="#ATTR" accesskey="n" rel="next">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="AGENT-command"></a>
<h2 class="chapter">7 AGENT command</h2>
<a name="index-AGENT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">AGENT &lt;command&gt;
</pre></div>

<p>Send a <code>gpg-agent</code> protocol <var>command</var> directly to the 
<code>gpg-agent</code>.
</p>

<hr>
<a name="ATTR"></a>
<div class="header">
<p>
Next: <a href="#CACHETIMEOUT" accesskey="n" rel="next">CACHETIMEOUT</a>, Previous: <a href="#AGENT" accesskey="p" rel="previous">AGENT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="ATTR-command"></a>
<h2 class="chapter">8 ATTR command</h2>
<a name="index-ATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">ATTR [--inquire] SET|GET|DELETE|LIST [&lt;attribute&gt;] [!]element[&lt;TAB&gt;[!]child[..]] ..
</pre></div>

<dl compact="compact">
<dt>ATTR SET attribute [!]element[&lt;TAB&gt;[!]child[..]] [value]</dt>
<dd>
<p>Stores or updates an <var>attribute</var> name and optional <var>value</var> of an 
element. When no <var>value</var> is specified any existing value will be removed.
</p>
</dd>
<dt>ATTR DELETE attribute [!]element[&lt;TAB&gt;[!]child[..]]</dt>
<dd>
<p>Removes an <var>attribute</var> from an element.
</p>
</dd>
<dt>ATTR LIST [!]element[&lt;TAB&gt;[!]child[..]]</dt>
<dd>
<p>Retrieves a newline separated list of attributes names and values 
from the specified element. Each attribute name and value is space delimited.
</p>
</dd>
<dt>ATTR GET attribute [!]element[&lt;TAB&gt;[!]child[..]]</dt>
<dd>
<p>Retrieves the value of an <var>attribute</var> from an element.
</p></dd>
</dl>

<p>The <code>_name</code> attribute (case sensitive) cannot be removed nor modified. 
Use the <code>DELETE</code> (see <a href="#DELETE">DELETE</a>) or <code>RENAME</code> (see <a href="#RENAME">RENAME</a>) 
commands instead.
</p>
<p>The <code>_mtime</code> attribute is updated each time an element is modified by 
either storing content, editing attributes or by deleting a child element. 
The <code>_ctime</code> attribute is created for each new element in an element 
path.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>
<p>See <a href="#Target-Attribute">Target Attribute</a>, for details about this special attribute.
</p>

<hr>
<a name="CACHETIMEOUT"></a>
<div class="header">
<p>
Next: <a href="#CLEARCACHE" accesskey="n" rel="next">CLEARCACHE</a>, Previous: <a href="#ATTR" accesskey="p" rel="previous">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="CACHETIMEOUT-command"></a>
<h2 class="chapter">9 CACHETIMEOUT command</h2>
<a name="index-CACHETIMEOUT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">CACHETIMEOUT &lt;filename&gt; &lt;seconds&gt;
</pre></div>

<p>The time in <var>seconds</var> until <var>filename</var> will be removed from the 
cache. <code>-1</code> will keep the cache entry forever, <code>0</code> will require 
the passphrase for each <code>OPEN</code> or <code>SAVE</code> command (see <a href="#OPEN">OPEN</a>, 
see <a href="#SAVE">SAVE</a>). See <a href="#Configuration">Configuration</a>, and the <code>cache_timeout</code> 
parameter.
</p>

<hr>
<a name="CLEARCACHE"></a>
<div class="header">
<p>
Next: <a href="#COPY" accesskey="n" rel="next">COPY</a>, Previous: <a href="#CACHETIMEOUT" accesskey="p" rel="previous">CACHETIMEOUT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="CLEARCACHE-command"></a>
<h2 class="chapter">10 CLEARCACHE command</h2>
<a name="index-CLEARCACHE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">CLEARCACHE [&lt;filename&gt;]
</pre></div>

<p>Clears a file cache entry for all or the specified <var>filename</var>.
</p>

<hr>
<a name="COPY"></a>
<div class="header">
<p>
Next: <a href="#DELETE" accesskey="n" rel="next">DELETE</a>, Previous: <a href="#CLEARCACHE" accesskey="p" rel="previous">CLEARCACHE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="COPY-command"></a>
<h2 class="chapter">11 COPY command</h2>
<a name="index-COPY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">COPY [--inquire] [!]source[&lt;TAB&gt;[!]child[..]] [!]dest[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Copies the entire element tree starting from the child node of the source 
element, to the destination element path. If the destination element path 
does not exist then it will be created; otherwise it is overwritten.
</p>
<p>Note that attributes from the source element are merged into the 
destination element when the destination element path exists. When an 
attribute of the same name exists in both the source and destination 
elements then the destination attribute will be updated to the source 
attribute value.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="DELETE"></a>
<div class="header">
<p>
Next: <a href="#DUMP" accesskey="n" rel="next">DUMP</a>, Previous: <a href="#COPY" accesskey="p" rel="previous">COPY</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="DELETE-command"></a>
<h2 class="chapter">12 DELETE command</h2>
<a name="index-DELETE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DELETE [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Removes the specified element path and all of its children. This may break 
an element with a <code>target</code> attribute (see <a href="#Target-Attribute">Target Attribute</a>) that 
refers to this element or any of its children.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="DUMP"></a>
<div class="header">
<p>
Next: <a href="#GET" accesskey="n" rel="next">GET</a>, Previous: <a href="#DELETE" accesskey="p" rel="previous">DELETE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="DUMP-command"></a>
<h2 class="chapter">13 DUMP command</h2>
<a name="index-DUMP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DUMP
</pre></div>

<p>Shows the in memory <abbr>XML</abbr> document with indenting. See <a href="#XPATH">XPATH</a>, for 
dumping a specific node.
</p>

<hr>
<a name="GET"></a>
<div class="header">
<p>
Next: <a href="#GETCONFIG" accesskey="n" rel="next">GETCONFIG</a>, Previous: <a href="#DUMP" accesskey="p" rel="previous">DUMP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="GET-command"></a>
<h2 class="chapter">14 GET command</h2>
<a name="index-GET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GET [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Retrieves the content of the specified element. The content is returned 
with a data response.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="GETCONFIG"></a>
<div class="header">
<p>
Next: <a href="#GETINFO" accesskey="n" rel="next">GETINFO</a>, Previous: <a href="#GET" accesskey="p" rel="previous">GET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="GETCONFIG-command"></a>
<h2 class="chapter">15 GETCONFIG command</h2>
<a name="index-GETCONFIG-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GETCONFIG [filename] &lt;parameter&gt;
</pre></div>

<p>Returns the value of a <code>pwmd</code> configuration <var>parameter</var> with a 
data response. If no file has been opened then the value for <var>filename</var> 
or the default from the &lsquo;<samp>global</samp>&rsquo; section will be returned. If a file 
has been opened and no <var>filename</var> is specified, a value previously 
set with the <code>OPTION</code> command (see <a href="#OPTION">OPTION</a>) will be returned.
</p>

<hr>
<a name="GETINFO"></a>
<div class="header">
<p>
Next: <a href="#HELP" accesskey="n" rel="next">HELP</a>, Previous: <a href="#GETCONFIG" accesskey="p" rel="previous">GETCONFIG</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="GETINFO-command"></a>
<h2 class="chapter">16 GETINFO command</h2>
<a name="index-GETINFO-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GETINFO [--data] CACHE | CLIENTS | PID | LAST_ERROR | VERSION
</pre></div>

<p>Get server and other information: <var>cache</var> returns the number of cached 
documents via a status message. <var>clients</var> returns the number of 
connected clients via a status message. <var>pid</var> returns the process ID 
number of the server via a data response. <var>VERSION</var> returns the server 
version number and compile-time features with a data response with each 
being space delimited. <var>LAST_ERROR</var> returns a detailed description of 
the last failed command when available. See <a href="#Status-Messages">Status Messages</a>. 
</p>
<p>When the <samp>--data</samp> option is specified then the result will be sent 
via a data response rather than a status message.
</p>

<hr>
<a name="HELP"></a>
<div class="header">
<p>
Next: <a href="#IMPORT" accesskey="n" rel="next">IMPORT</a>, Previous: <a href="#GETINFO" accesskey="p" rel="previous">GETINFO</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="HELP-command"></a>
<h2 class="chapter">17 HELP command</h2>
<a name="index-HELP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">HELP [&lt;COMMAND&gt;]
</pre></div>

<p>Show available commands or command specific help text.
</p>

<hr>
<a name="IMPORT"></a>
<div class="header">
<p>
Next: <a href="#ISCACHED" accesskey="n" rel="next">ISCACHED</a>, Previous: <a href="#HELP" accesskey="p" rel="previous">HELP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="IMPORT-command"></a>
<h2 class="chapter">18 IMPORT command</h2>
<a name="index-IMPORT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">IMPORT [--root [!]element[&lt;TAB&gt;[!]child[..]]] &lt;content&gt;
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
</p>
<p>Like the <code>STORE</code> command (see <a href="#STORE">STORE</a>), but the <var>content</var> 
argument is raw <abbr>XML</abbr> data. The content is created as a child of 
the element path specified with the <samp>--root</samp> option or at the 
document root when not specified. Existing elements of the same name will 
be overwritten.
</p>
<p>The content must begin with an <abbr>XML</abbr> element node. See <a href="#Introduction">Introduction</a>, 
for details.
</p>

<hr>
<a name="ISCACHED"></a>
<div class="header">
<p>
Next: <a href="#KEYGRIP" accesskey="n" rel="next">KEYGRIP</a>, Previous: <a href="#IMPORT" accesskey="p" rel="previous">IMPORT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="ISCACHED-command"></a>
<h2 class="chapter">19 ISCACHED command</h2>
<a name="index-ISCACHED-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">ISCACHED [--lock] &lt;filename&gt;
</pre></div>

<p>An <em>OK</em> response is returned if the specified <var>filename</var> is found 
in the file cache. If not found in the cache but exists on the filesystem 
then <var>GPG_ERR_NO_DATA</var> is returned. Otherwise a filesystem error is 
returned.
</p>
<p>The <samp>lock</samp> option will lock the file mutex of <var>filename</var> when the 
file exists; it does not need to be opened nor cached.
</p>

<hr>
<a name="KEYGRIP"></a>
<div class="header">
<p>
Next: <a href="#LIST" accesskey="n" rel="next">LIST</a>, Previous: <a href="#ISCACHED" accesskey="p" rel="previous">ISCACHED</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="KEYGRIP-command"></a>
<h2 class="chapter">20 KEYGRIP command</h2>
<a name="index-KEYGRIP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">KEYGRIP [--sign] &lt;filename&gt;
</pre></div>

<p>Returns the hex encoded keygrip of the specified <var>filename</var> with a 
data response.
</p>
<p>When the <samp>--sign</samp> option is specified then the key used for signing 
of the specified <var>filename</var> will be returned.
</p>
<p>For symmetrically encrypted data files this command returns the error 
GPG_ERR_NOT_SUPPORTED.
</p>

<hr>
<a name="LIST"></a>
<div class="header">
<p>
Next: <a href="#LOCK" accesskey="n" rel="next">LOCK</a>, Previous: <a href="#KEYGRIP" accesskey="p" rel="previous">KEYGRIP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="LIST-command"></a>
<h2 class="chapter">21 LIST command</h2>
<a name="index-LIST-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LIST [--inquire] [--no-recurse] [--verbose] [--with-target] [--all] [[!]element[&lt;TAB&gt;[!]child[..]]]
</pre></div>

<p>If no element path is given then a newline separated list of root elements 
is returned with a data response. If given, then all reachable elements 
of the specified element path are returned unless the <samp>--no-recurse</samp> 
option is specified. If specified, only the child elements of the element 
path are returned without recursing into grandchildren. Each resulting 
element is prefixed with the literal <code>!</code> character when the element 
contains no <code>target</code> attribute. See <a href="#Target-Attribute">Target Attribute</a>, for details.
</p>
<p>When the <samp>--verbose</samp> option is passed then each element path 
returned will have zero or more flags appened to it. These flags are 
delimited from the element path by a single space character. A flag itself 
is a single character. Flag <code>+</code> indicates that there are child nodes of 
the current element path. Flag <code>E</code> indicates that an element of an 
element path contained in a <var>target</var> attribute could not be found. Flag 
<code>O</code> indicates that a <var>target</var> attribute recursion limit was reached 
(see <a href="#Configuration">Configuration</a>). Flag <code>T</code> will append the resolved element path 
of the <var>target</var> attribute contained in the current element (see below).
</p>
<p>The <samp>--with-target</samp> option implies <samp>--verbose</samp> and will append 
an additional flag <code>T</code> followed by a single space then an element path. 
The appended element path is the resolved path (see <a href="#REALPATH">REALPATH</a>) of the 
current element when it contains a <var>target</var> attribute. When no 
<var>target</var> attribute is found then no flag will be appended.
</p>
<p>The <samp>--no-recurse</samp> option limits the amount of data returned to only 
the listing of children of the specified element path and not any 
grandchildren.
</p>
<p>The <samp>--all</samp> option lists the entire element tree for each root 
element. This option also implies option <samp>--verbose</samp>.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="LOCK"></a>
<div class="header">
<p>
Next: <a href="#LS" accesskey="n" rel="next">LS</a>, Previous: <a href="#LIST" accesskey="p" rel="previous">LIST</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="LOCK-command"></a>
<h2 class="chapter">22 LOCK command</h2>
<a name="index-LOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LOCK
</pre></div>

<p>Locks the mutex associated with the opened file. This prevents other clients 
from sending commands to the same opened file until the client 
that sent this command either disconnects or sends the <code>UNLOCK</code> 
command. See <a href="#UNLOCK">UNLOCK</a>.
</p>

<hr>
<a name="LS"></a>
<div class="header">
<p>
Next: <a href="#MOVE" accesskey="n" rel="next">MOVE</a>, Previous: <a href="#LOCK" accesskey="p" rel="previous">LOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="LS-command"></a>
<h2 class="chapter">23 LS command</h2>
<a name="index-LS-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LS
</pre></div>

<p>Lists the available data files stored in the data directory 
(<samp>~/.pwmd/data</samp>). The result is a newline separated list of filenames.
</p>

<hr>
<a name="MOVE"></a>
<div class="header">
<p>
Next: <a href="#NOP" accesskey="n" rel="next">NOP</a>, Previous: <a href="#LS" accesskey="p" rel="previous">LS</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="MOVE-command"></a>
<h2 class="chapter">24 MOVE command</h2>
<a name="index-MOVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">MOVE [--inquire] [!]source[&lt;TAB&gt;[!]child[..]] [[!]dest[&lt;TAB&gt;[!]child[..]]]
</pre></div>

<p>Moves the source element path to the destination element path. If the 
destination is not specified then it will be moved to the root node of the 
document. If the destination is specified and exists then it will be 
overwritten; otherwise non-existing elements of the destination element 
path will be created.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="NOP"></a>
<div class="header">
<p>
Next: <a href="#OPEN" accesskey="n" rel="next">OPEN</a>, Previous: <a href="#MOVE" accesskey="p" rel="previous">MOVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="NOP-command"></a>
<h2 class="chapter">25 NOP command</h2>
<a name="index-NOP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">NOP
</pre></div>

<p>Does nothing. Always returns successfully.
</p>

<hr>
<a name="OPEN"></a>
<div class="header">
<p>
Next: <a href="#OPTION" accesskey="n" rel="next">OPTION</a>, Previous: <a href="#NOP" accesskey="p" rel="previous">NOP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="OPEN-command"></a>
<h2 class="chapter">26 OPEN command</h2>
<a name="index-OPEN-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">OPEN [--lock] &lt;filename&gt; [&lt;passphrase&gt;]
</pre></div>

<p>Opens <var>filename</var> using <var>passphrase</var>. When the filename is not 
found on the file-system  then a new document will be created. If the file 
is found, it is looked for in the file cache. If cached and no 
<var>passphrase</var> was specified then the cached document is opened. When not 
cached, <cite>pinentry(1)</cite> will be used to retrieve the passphrase to use 
for decryption unless <samp>disable-pinentry</samp> (see <a href="#OPTION">OPTION</a>) was 
specified.
</p>
<p>When the <samp>--lock</samp> option is passed then the file mutex will be 
locked as if the <code>LOCK</code> command (see <a href="#LOCK">LOCK</a>) had been sent after the 
file has been opened.
</p>

<hr>
<a name="OPTION"></a>
<div class="header">
<p>
Next: <a href="#PASSWD" accesskey="n" rel="next">PASSWD</a>, Previous: <a href="#OPEN" accesskey="p" rel="previous">OPEN</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="OPTION-command"></a>
<h2 class="chapter">27 OPTION command</h2>
<a name="index-OPTION-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">OPTION &lt;NAME&gt;=&lt;VALUE&gt;
</pre></div>

<p>Sets a client option <var>name</var> to <var>value</var>. The value for an option is 
kept for the duration of the connection.
</p>
<dl compact="compact">
<dt>DISABLE-PINENTRY</dt>
<dd><p>Disable use of <code>pinentry</code> for passphrase retrieval. When set, a 
server inquire is sent to the client to obtain the passphrase. This option 
may be set as needed before the see <a href="#OPEN">OPEN</a>, see <a href="#PASSWD">PASSWD</a>, and 
see <a href="#SAVE">SAVE</a> commands.
</p>
</dd>
<dt>PINENTRY-TIMEOUT</dt>
<dd><p>Sets the number of seconds before a pinentry prompt will return an error 
while waiting for user input.
</p>
</dd>
<dt>TTYNAME</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>TTYTYPE</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>DISPLAY</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>PINENTRY-DESC</dt>
<dd><p>Sets the description string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
</p>
</dd>
<dt>PINENTRY-TITLE</dt>
<dd><p>Sets the title string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
</p>
</dd>
<dt>PINENTRY-PROMPT</dt>
<dd><p>Sets the prompt string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
</p>
</dd>
<dt>LC-CTYPE</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>LC-MESSAGES</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>NAME</dt>
<dd><p>Associates the thread ID of the connection with the specified textual 
representation. Useful for debugging log messages.
</p>
</dd>
<dt>LOCK-TIMEOUT</dt>
<dd><p>When not <code>0</code>, the duration in tenths of a second to wait for the file 
mutex which has been locked by another thread to be released before returning 
an error. When <code>-1</code>, then an error will be returned immediately.
</p>
</dd>
<dt>LOG-LEVEL</dt>
<dd><p>An integer specifiying the logging level.
</p></dd>
</dl>


<hr>
<a name="PASSWD"></a>
<div class="header">
<p>
Next: <a href="#REALPATH" accesskey="n" rel="next">REALPATH</a>, Previous: <a href="#OPTION" accesskey="p" rel="previous">OPTION</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="PASSWD-command"></a>
<h2 class="chapter">28 PASSWD command</h2>
<a name="index-PASSWD-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">PASSWD [--reset] [--s2k-count=N] [--no-passphrase]
</pre></div>

<p>Changes the passphrase of the secret key required to open the current 
file or the passphrase of a symmetrically encrypted data file. When the 
<samp>--reset</samp> option is passed then the cache entry for the current 
file will be reset and the passphrase, if any, will be required during the 
next <code>OPEN</code>. See <a href="#OPEN">OPEN</a>.
</p>
<p>The <samp>--s2k-count</samp> option sets number of hash iterations for a 
passphrase and must be either <code>0</code> to use the calibrated count of the 
machine (the default), or a value greater than or equal to <code>65536</code>. 
See <a href="#SAVE">SAVE</a>. This option has no effect for symmetrically encrypted data 
files.
</p>
<p>The <samp>--no-passphrase</samp> option will prevent requiring a passphrase for 
the data file, although a passphrase may be required when changing it.
</p>

<hr>
<a name="REALPATH"></a>
<div class="header">
<p>
Next: <a href="#RENAME" accesskey="n" rel="next">RENAME</a>, Previous: <a href="#PASSWD" accesskey="p" rel="previous">PASSWD</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="REALPATH-command"></a>
<h2 class="chapter">29 REALPATH command</h2>
<a name="index-REALPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">REALPATH [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Resolves all <code>target</code> attributes of the specified element path and 
returns the result with a data response. See <a href="#Target-Attribute">Target Attribute</a>, for details.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="RENAME"></a>
<div class="header">
<p>
Next: <a href="#RESET" accesskey="n" rel="next">RESET</a>, Previous: <a href="#REALPATH" accesskey="p" rel="previous">REALPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="RENAME-command"></a>
<h2 class="chapter">30 RENAME command</h2>
<a name="index-RENAME-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">RENAME [--inquire] [!]element[&lt;TAB&gt;[!]child[..]] &lt;value&gt;
</pre></div>

<p>Renames the specified <var>element</var> to the new <var>value</var>. If an element of 
the same name as the <var>value</var> already exists it will be overwritten.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="RESET"></a>
<div class="header">
<p>
Next: <a href="#SAVE" accesskey="n" rel="next">SAVE</a>, Previous: <a href="#RENAME" accesskey="p" rel="previous">RENAME</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="RESET-command"></a>
<h2 class="chapter">31 RESET command</h2>
<a name="index-RESET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">RESET
</pre></div>

<p>Closes the currently opened file but keeps any previously set client options.
</p>

<hr>
<a name="SAVE"></a>
<div class="header">
<p>
Next: <a href="#STORE" accesskey="n" rel="next">STORE</a>, Previous: <a href="#RESET" accesskey="p" rel="previous">RESET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="SAVE-command"></a>
<h2 class="chapter">32 SAVE command</h2>
<a name="index-SAVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">SAVE [--no-passphrase] [--reset] [--no-agent] [--s2k-count=N] [--cipher=&lt;algo&gt;] [--cipher-iterations=N] [--inquire-keyparam] [--keygrip=hexstring] [--sign-keygrip=hexstring]
</pre></div>

<p>Writes the <abbr>XML</abbr> document to disk. The file written to is the file that 
was opened using the <code>OPEN</code> command (see <a href="#OPEN">OPEN</a>). If the file is a 
new one or the option <samp>--inquire-keyparam</samp> was passed, then a new 
keypair will be generated and a pinentry will be used to prompt for the 
passphrase to encrypt with unless the <samp>--no-passphrase</samp> option was 
passed in which case the data file will not be passphrase protected. 
</p>
<p>The <samp>--no-agent</samp> option disables use of <code>gpg-agent</code> for 
passphrase retrieval and caching of new files when <code>gpg-agent</code> 
use is enabled. The datafile will be symmetrically encrypted and will not 
use or generate any keypair.
</p>
<p>The <samp>--reset</samp> option will clear the cache entry for the current file 
and require a passphrase, if needed, before saving.
</p>
<p>The <samp>--cipher</samp> option can be used to encrypt the <abbr>XML</abbr> data to 
an alternate cipher. The default is <code>aes256</code>. See the Configuration 
(see <a href="#Configuration">Configuration</a>) for available ciphers.
</p>
<p>The <samp>--cipher-iterations</samp> option  specifies the number of times to 
encrypt the XML data. The default is 0 although 1 iteration is still done.
</p>
<p>The <samp>--inquire-keyparam</samp> option will send a server <em>INQUIRE</em> to 
the client to obtain the key paramaters to use when generating a new 
keypair. The inquired data is expected to be an S-expression. If not 
specified then an &lsquo;<samp>RSA</samp>&rsquo; key of &lsquo;<samp>2048</samp>&rsquo; bits will be generated 
unless otherwise set in the configuration file (see <a href="#Configuration">Configuration</a>). Note 
that when this option is specified a new keypair will be generated 
reguardless if the file is a new one and that if the data file is protected 
the passphrase to open it will be required before generating the new keypair.
</p>
<p>You can encrypt the data file to a public key other than the one that it 
was originally encrypted with by passing the <samp>--keygrip</samp> option with 
the hex encoded keygrip of the public key as its argument. The keygrip may 
be of any key that <code>gpg-agent</code> knows about. The 
<samp>--sign-keygrip</samp> option may also be used to sign with an alternate 
secret key. This option may be needed when using a smartcard. This option 
has no effect with symmetrically encrypted data files.
</p>
<p>The <samp>--s2k-count</samp> option sets number of hash iterations for a 
passphrase. A value less-than <code>65536</code> will use the machine calibrated 
value and is the default. This setting only affects new files. To change 
the setting use the <code>PASSWD</code> command (see <a href="#PASSWD">PASSWD</a>). This option 
has no effect with symmetrically encrypted data files.
</p>

<hr>
<a name="STORE"></a>
<div class="header">
<p>
Next: <a href="#UNLOCK" accesskey="n" rel="next">UNLOCK</a>, Previous: <a href="#SAVE" accesskey="p" rel="previous">SAVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="STORE-command"></a>
<h2 class="chapter">33 STORE command</h2>
<a name="index-STORE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">STORE [!]element[&lt;TAB&gt;[!]child[..]]&lt;TAB&gt;[content]
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
</p>
<p>Creates a new element path or modifies the <var>content</var> of an existing 
element. If only a single element is specified then a new root element is 
created. Otherwise, elements are <tt class="key">TAB</tt> delimited and the content will be 
set to the final <tt class="key">TAB</tt> delimited element. If no <var>content</var> is 
specified after the final <tt class="key">TAB</tt>, then the content of the element will 
be removed, or empty when creating a new element.
</p>
<p>The only restriction of an element name is that it not contain whitespace 
or begin with the literal element character <code>!</code> unless specifying a 
literal element (see <a href="#Target-Attribute">Target Attribute</a>). There is no whitespace between 
the <tt class="key">TAB</tt> delimited elements. It is recommended that the content of an 
element be base64 encoded when it contains control or <tt class="key">TAB</tt> characters 
to prevent <abbr>XML</abbr> parsing and <code>pwmd</code> syntax errors.
</p>

<hr>
<a name="UNLOCK"></a>
<div class="header">
<p>
Next: <a href="#XPATH" accesskey="n" rel="next">XPATH</a>, Previous: <a href="#STORE" accesskey="p" rel="previous">STORE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="UNLOCK-command"></a>
<h2 class="chapter">34 UNLOCK command</h2>
<a name="index-UNLOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">UNLOCK
</pre></div>

<p>Unlocks the file mutex which was locked with the <code>LOCK</code> command or 
a commands&rsquo; <samp>--lock</samp> option (see <a href="#LOCK">LOCK</a>, see <a href="#OPEN">OPEN</a>, 
see <a href="#ISCACHED">ISCACHED</a>).
</p>

<hr>
<a name="XPATH"></a>
<div class="header">
<p>
Next: <a href="#XPATHATTR" accesskey="n" rel="next">XPATHATTR</a>, Previous: <a href="#UNLOCK" accesskey="p" rel="previous">UNLOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="XPATH-command"></a>
<h2 class="chapter">35 XPATH command</h2>
<a name="index-XPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATH [--inquire] &lt;expression&gt;[&lt;TAB&gt;[value]]
</pre></div>

<p>Evaluates an XPath <var>expression</var>. If no <var>value</var> argument is 
specified it is assumed the expression is a request to return a result. 
Otherwise, the result is set to the <var>value</var> argument and the document is 
updated. If there is no <var>value</var> after the <tt class="key">TAB</tt> character, the value 
is assumed to be empty and the document is updated. For example:
</p><br>
<div class="example">
<pre class="example">XPATH //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would clear the content of all <code>password</code> elements in the data file 
while leaving off the trailing <tt class="key">TAB</tt> would return all <code>password</code> 
elements in <abbr>XML</abbr> format.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>
<p>See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>

<hr>
<a name="XPATHATTR"></a>
<div class="header">
<p>
Previous: <a href="#XPATH" accesskey="p" rel="previous">XPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="XPATHATTR-command"></a>
<h2 class="chapter">36 XPATHATTR command</h2>
<a name="index-XPATHATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATHATTR [--inquire] SET|DELETE &lt;name&gt; &lt;expression&gt;[&lt;TAB&gt;[&lt;value&gt;]]
</pre></div>

<p>Like the <code>XPATH</code> command (see <a href="#XPATH">XPATH</a>) but operates on element 
attributes and does not return a result. For the <var>SET</var> operation the 
<var>value</var> is optional but the field is required. If not specified then 
the attribute value will be empty. For example:
</p><br>
<div class="example">
<pre class="example">XPATHATTR SET password //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would create an <code>password</code> attribute for each <code>password</code> element 
found in the document. The attribute value will be empty but still exist.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>
<p>See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>


<hr>
<a name="Status-Messages"></a>
<div class="header">
<p>
Next: <a href="#Target-Attribute" accesskey="n" rel="next">Target Attribute</a>, Previous: <a href="#Commands" accesskey="p" rel="previous">Commands</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Status-messages-and-their-meanings"></a>
<h2 class="chapter">37 Status messages and their meanings</h2>
<p>Some commands send status messages to inform the client about certain
operations or as a progress indicator.  Status messages begin with a
<code>KEYWORD</code> followed by a status description for status messages that
require it. What status messages are sent, when, and how often depend on
configuration settings (see <a href="#Configuration">Configuration</a>). A status message sent from
<code>gpg-agent</code> (See <a href="http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html#Invoking-GPG_002dAGENT">(gnupg)Invoking GPG-AGENT</a>) is also forwarded to
the client.
</p>
<table>
<thead><tr><th width="20%">Message</th><th width="25%">Arguments</th><th width="55%">Description</th></tr></thead>
<tr><td width="20%">CACHE
<a name="index-CACHE"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of cached documents. Sent to each client after connecting
(see <a href="#GETINFO">GETINFO</a>) and after every cache modification.</td></tr>
<tr><td width="20%">CLIENTS
<a name="index-CLIENTS"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of connected clients (see <a href="#GETINFO">GETINFO</a>). Sent to each client
when another client either connects or disconnects.</td></tr>
<tr><td width="20%">DECRYPT
<a name="index-DECRYPT"></a></td><td width="25%"><code>n</code> <code>total</code></td><td width="55%">Sent to the current client during a decrypt operation. How often this
status message is sent is determined by the <code>cipher_progress</code>
(see <a href="#Configuration">Configuration</a>) setting.</td></tr>
<tr><td width="20%">ENCRYPT
<a name="index-ENCRYPT"></a></td><td width="25%"><code>n</code> <code>total</code></td><td width="55%">Sent to the current client during an  encrypt operation. How often this
status message is sent is determined by the <code>cipher_progress</code>
(see <a href="#Configuration">Configuration</a>) setting.</td></tr>
<tr><td width="20%">GENKEY
<a name="index-GENKEY"></a></td><td width="25%"></td><td width="55%">Sent once to the current client just before generating a new key-pair.</td></tr>
<tr><td width="20%">INQUIRE_MAXLEN
<a name="index-INQUIRE_005fMAXLEN"></a></td><td width="25%"><code>&lt;bytes&gt;</code></td><td width="55%">Sent to the client from <code>gpg-agent</code> when inquiring data. This
specifies the maximum number of bytes allowed for the client to send and
should not be exceeded.</td></tr>
<tr><td width="20%">KEEPALIVE
<a name="index-KEEPALIVE"></a></td><td width="25%"></td><td width="55%">Sent to each idle client every <var>keepalive_interval</var>
(see <a href="#Configuration">Configuration</a>) seconds.</td></tr>
<tr><td width="20%">LOCKED
<a name="index-LOCKED"></a></td><td width="25%"></td><td width="55%">Sent to the current client when another client is holding the lock for
the mutex associated with a file.</td></tr>
<tr><td width="20%">NEWFILE
<a name="index-NEWFILE"></a></td><td width="25%"></td><td width="55%">Sent to the current client when the opened (see <a href="#OPEN">OPEN</a>) file does not
exist on the file-system.</td></tr>
<tr><td width="20%">XFER
<a name="index-XFER"></a></td><td width="25%"><code>&lt;sent&gt; &lt;total&gt;</code></td><td width="55%">Sent to the current client when transferring data. It has two space
delimited arguments. The first being the current amount of bytes transferred
and the other being the total bytes to be transferred.</td></tr>
</table>

<hr>
<a name="Target-Attribute"></a>
<div class="header">
<p>
Next: <a href="#Signals" accesskey="n" rel="next">Signals</a>, Previous: <a href="#Status-Messages" accesskey="p" rel="previous">Status Messages</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="The-target-attribute"></a>
<h2 class="chapter">38 The <code>target</code> attribute</h2>
<a name="index-target-attribute"></a>
<p>A <em>case sensitive</em> attribute named <code>target</code> is treated specially
when found in each element of an element path. This attribute, like other
element attributes, is created or modified with the <code>ATTR</code> command
(see <a href="#ATTR">ATTR</a>). The value of this attribute is an existing element path
somewhere in the document.  If you are familiar with <abbr>XML</abbr> entities or
maybe the <abbr>HTML</abbr> <code>id</code> or <code>target</code> attributes or a symbolic link
in a file-system, you may find this attribute behaves similar to any of those.
</p>
<p>To create a <code>target</code> attribute use the following syntax:
</p>
<div class="example">
<pre class="example">ATTR SET target [!]element[<span class="key">TAB</span>[!]child[..]] [!]element[<span class="key">TAB</span>[!]child[..]]
</pre></div>

<p>Note the single space between the two element paths. The first element path is
where the <code>target</code> attribute will be created. If the element path does
not exist then it will be created.  This is the only time the <code>ATTR</code>
(see <a href="#ATTR">ATTR</a>) command will create elements. The attribute is created in the
final element of the element path.
</p>
<p>The second element path is the destination of where you want the first element
path to resolve to. When an element path is passed to a protocol command
<code>pwmd</code> looks for a <code>target</code> attribute when resolving each element
and if found, &quot;jumps&quot; to the attribute value and continues resolving any
remaining elements.  When you want to avoid the <code>target</code> attribute for
any element of an element path then prefix the element with the literal
element character &lsquo;<samp>!</samp>&rsquo;.
</p>
<p>When an element of a element path is removed that a <code>target</code> attribute
resolves to then an error will occur. You may need to either update the
<code>target</code> attribute value with a new element path or remove the attribute
entirely. Remember that since the element contains the <code>target</code> attribute
it will need to be prefixed with the literal element character &lsquo;<samp>!</samp>&rsquo; when
specifying the element path. For example, to remove a <code>target</code>
attribute for an element containing it:
</p>
<div class="example">
<pre class="example">ATTR DELETE target path<span class="key">TAB</span>to<span class="key">TAB</span>!element
</pre></div>

<p>Clients should be careful of creating <code>target</code> loops, or targets that
resolve to themselves. See the <var>recursion_depth</var> (see <a href="#Configuration">Configuration</a>)
configuration parameter for details.
</p>
<p>The <code>REALPATH</code> command (see <a href="#REALPATH">REALPATH</a>) can be used to show the element
path after resolving all <code>target</code> attributes.
</p>

<hr>
<a name="Signals"></a>
<div class="header">
<p>
Next: <a href="#Concept-Index" accesskey="n" rel="next">Concept Index</a>, Previous: <a href="#Target-Attribute" accesskey="p" rel="previous">Target Attribute</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Recognized-signals"></a>
<h2 class="chapter">39 Recognized signals</h2>

<p>Sending the <em>SIGHUP</em> signal to a <code>pwmd</code> process will reload the
configuration file and sending <em>SIGUSR1</em> will clear the entire file
cache.
</p>


<hr>
<a name="Concept-Index"></a>
<div class="header">
<p>
Previous: <a href="#Signals" accesskey="p" rel="previous">Signals</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Concept-Index-1"></a>
<h2 class="unnumbered">Concept Index</h2>


<a name="SEC_Overview"></a>
<h2 class="shortcontents-heading">Short Table of Contents</h2>

<div class="shortcontents">
<ul class="no-bullet">
<li><a name="stoc-Overview-of-pwmd" href="#toc-Overview-of-pwmd">1 Overview of <code>pwmd</code></a></li>
<li><a name="stoc-Invoking-pwmd" href="#toc-Invoking-pwmd">2 Invoking <code>pwmd</code></a></li>
<li><a name="stoc-pwmd-configuration-file-options" href="#toc-pwmd-configuration-file-options">3 <code>pwmd</code> configuration file options</a></li>
<li><a name="stoc-Configuring-remote-connections-over-TLS_002e" href="#toc-Configuring-remote-connections-over-TLS_002e">4 Configuring remote connections over TLS.</a></li>
<li><a name="stoc-Pinentry-configuration" href="#toc-Pinentry-configuration">5 Pinentry configuration</a></li>
<li><a name="stoc-Protocol-commands-and-their-syntax" href="#toc-Protocol-commands-and-their-syntax">6 Protocol commands and their syntax</a></li>
<li><a name="stoc-AGENT-command" href="#toc-AGENT-command">7 AGENT command</a></li>
<li><a name="stoc-ATTR-command" href="#toc-ATTR-command">8 ATTR command</a></li>
<li><a name="stoc-CACHETIMEOUT-command" href="#toc-CACHETIMEOUT-command">9 CACHETIMEOUT command</a></li>
<li><a name="stoc-CLEARCACHE-command" href="#toc-CLEARCACHE-command">10 CLEARCACHE command</a></li>
<li><a name="stoc-COPY-command" href="#toc-COPY-command">11 COPY command</a></li>
<li><a name="stoc-DELETE-command" href="#toc-DELETE-command">12 DELETE command</a></li>
<li><a name="stoc-DUMP-command" href="#toc-DUMP-command">13 DUMP command</a></li>
<li><a name="stoc-GET-command" href="#toc-GET-command">14 GET command</a></li>
<li><a name="stoc-GETCONFIG-command" href="#toc-GETCONFIG-command">15 GETCONFIG command</a></li>
<li><a name="stoc-GETINFO-command" href="#toc-GETINFO-command">16 GETINFO command</a></li>
<li><a name="stoc-HELP-command" href="#toc-HELP-command">17 HELP command</a></li>
<li><a name="stoc-IMPORT-command" href="#toc-IMPORT-command">18 IMPORT command</a></li>
<li><a name="stoc-ISCACHED-command" href="#toc-ISCACHED-command">19 ISCACHED command</a></li>
<li><a name="stoc-KEYGRIP-command" href="#toc-KEYGRIP-command">20 KEYGRIP command</a></li>
<li><a name="stoc-LIST-command" href="#toc-LIST-command">21 LIST command</a></li>
<li><a name="stoc-LOCK-command" href="#toc-LOCK-command">22 LOCK command</a></li>
<li><a name="stoc-LS-command" href="#toc-LS-command">23 LS command</a></li>
<li><a name="stoc-MOVE-command" href="#toc-MOVE-command">24 MOVE command</a></li>
<li><a name="stoc-NOP-command" href="#toc-NOP-command">25 NOP command</a></li>
<li><a name="stoc-OPEN-command" href="#toc-OPEN-command">26 OPEN command</a></li>
<li><a name="stoc-OPTION-command" href="#toc-OPTION-command">27 OPTION command</a></li>
<li><a name="stoc-PASSWD-command" href="#toc-PASSWD-command">28 PASSWD command</a></li>
<li><a name="stoc-REALPATH-command" href="#toc-REALPATH-command">29 REALPATH command</a></li>
<li><a name="stoc-RENAME-command" href="#toc-RENAME-command">30 RENAME command</a></li>
<li><a name="stoc-RESET-command" href="#toc-RESET-command">31 RESET command</a></li>
<li><a name="stoc-SAVE-command" href="#toc-SAVE-command">32 SAVE command</a></li>
<li><a name="stoc-STORE-command" href="#toc-STORE-command">33 STORE command</a></li>
<li><a name="stoc-UNLOCK-command" href="#toc-UNLOCK-command">34 UNLOCK command</a></li>
<li><a name="stoc-XPATH-command" href="#toc-XPATH-command">35 XPATH command</a></li>
<li><a name="stoc-XPATHATTR-command" href="#toc-XPATHATTR-command">36 XPATHATTR command</a></li>
<li><a name="stoc-Status-messages-and-their-meanings" href="#toc-Status-messages-and-their-meanings">37 Status messages and their meanings</a></li>
<li><a name="stoc-The-target-attribute" href="#toc-The-target-attribute">38 The <code>target</code> attribute</a></li>
<li><a name="stoc-Recognized-signals" href="#toc-Recognized-signals">39 Recognized signals</a></li>
<li><a name="stoc-Concept-Index-1" href="#toc-Concept-Index-1">Concept Index</a></li>

</ul>
</div>

<a name="SEC_Contents"></a>
<h2 class="contents-heading">Table of Contents</h2>

<div class="contents">
<ul class="no-bullet">
<li><a name="toc-Overview-of-pwmd" href="#Introduction">1 Overview of <code>pwmd</code></a></li>
<li><a name="toc-Invoking-pwmd" href="#Invoking">2 Invoking <code>pwmd</code></a></li>
<li><a name="toc-pwmd-configuration-file-options" href="#Configuration">3 <code>pwmd</code> configuration file options</a></li>
<li><a name="toc-Configuring-remote-connections-over-TLS_002e" href="#TLS">4 Configuring remote connections over TLS.</a></li>
<li><a name="toc-Pinentry-configuration" href="#Pinentry">5 Pinentry configuration</a></li>
<li><a name="toc-Protocol-commands-and-their-syntax" href="#Commands">6 Protocol commands and their syntax</a></li>
<li><a name="toc-AGENT-command" href="#AGENT">7 AGENT command</a></li>
<li><a name="toc-ATTR-command" href="#ATTR">8 ATTR command</a></li>
<li><a name="toc-CACHETIMEOUT-command" href="#CACHETIMEOUT">9 CACHETIMEOUT command</a></li>
<li><a name="toc-CLEARCACHE-command" href="#CLEARCACHE">10 CLEARCACHE command</a></li>
<li><a name="toc-COPY-command" href="#COPY">11 COPY command</a></li>
<li><a name="toc-DELETE-command" href="#DELETE">12 DELETE command</a></li>
<li><a name="toc-DUMP-command" href="#DUMP">13 DUMP command</a></li>
<li><a name="toc-GET-command" href="#GET">14 GET command</a></li>
<li><a name="toc-GETCONFIG-command" href="#GETCONFIG">15 GETCONFIG command</a></li>
<li><a name="toc-GETINFO-command" href="#GETINFO">16 GETINFO command</a></li>
<li><a name="toc-HELP-command" href="#HELP">17 HELP command</a></li>
<li><a name="toc-IMPORT-command" href="#IMPORT">18 IMPORT command</a></li>
<li><a name="toc-ISCACHED-command" href="#ISCACHED">19 ISCACHED command</a></li>
<li><a name="toc-KEYGRIP-command" href="#KEYGRIP">20 KEYGRIP command</a></li>
<li><a name="toc-LIST-command" href="#LIST">21 LIST command</a></li>
<li><a name="toc-LOCK-command" href="#LOCK">22 LOCK command</a></li>
<li><a name="toc-LS-command" href="#LS">23 LS command</a></li>
<li><a name="toc-MOVE-command" href="#MOVE">24 MOVE command</a></li>
<li><a name="toc-NOP-command" href="#NOP">25 NOP command</a></li>
<li><a name="toc-OPEN-command" href="#OPEN">26 OPEN command</a></li>
<li><a name="toc-OPTION-command" href="#OPTION">27 OPTION command</a></li>
<li><a name="toc-PASSWD-command" href="#PASSWD">28 PASSWD command</a></li>
<li><a name="toc-REALPATH-command" href="#REALPATH">29 REALPATH command</a></li>
<li><a name="toc-RENAME-command" href="#RENAME">30 RENAME command</a></li>
<li><a name="toc-RESET-command" href="#RESET">31 RESET command</a></li>
<li><a name="toc-SAVE-command" href="#SAVE">32 SAVE command</a></li>
<li><a name="toc-STORE-command" href="#STORE">33 STORE command</a></li>
<li><a name="toc-UNLOCK-command" href="#UNLOCK">34 UNLOCK command</a></li>
<li><a name="toc-XPATH-command" href="#XPATH">35 XPATH command</a></li>
<li><a name="toc-XPATHATTR-command" href="#XPATHATTR">36 XPATHATTR command</a></li>
<li><a name="toc-Status-messages-and-their-meanings" href="#Status-Messages">37 Status messages and their meanings</a></li>
<li><a name="toc-The-target-attribute" href="#Target-Attribute">38 The <code>target</code> attribute</a></li>
<li><a name="toc-Recognized-signals" href="#Signals">39 Recognized signals</a></li>
<li><a name="toc-Concept-Index-1" href="#Concept-Index">Concept Index</a></li>

</ul>
</div>

<hr>



</body>
</html>