Add SAVE --ask.

[pwmd.git] / doc / pwmd.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.0, http://www.gnu.org/software/texinfo/ -->
<head>
<title>PWMD Manual</title>

<meta name="description" content="PWMD Manual">
<meta name="keywords" content="PWMD Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="#Top" rel="start" title="Top">
<link href="#SEC_Contents" rel="contents" title="Table of Contents">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nocodebreak {white-space: nowrap}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: serif; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en">
<h1 class="settitle" align="center">PWMD Manual</h1>




<a name="Top"></a>
<div class="header">
<p>
Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<h1 class="node-heading">Top</h1>
 
 
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#Introduction" accesskey="1">Introduction</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Overview of pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Access-Control" accesskey="2">Access Control</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">ACL of a single XML element.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Invoking" accesskey="3">Invoking</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Command line options.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Configuration" accesskey="4">Configuration</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file options.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Commands" accesskey="5">Commands</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Protocol commands.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Status-Messages" accesskey="6">Status Messages</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Status lines and their meaning.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Target-Attribute" accesskey="7">Target Attribute</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">A kind of symbolic link.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Signals" accesskey="8">Signals</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Signals known to pwmd.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Concept-Index" accesskey="9">Concept Index</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Index of concepts.
</td></tr>
</table>

<hr>
<a name="Introduction"></a>
<div class="header">
<p>
Next: <a href="#Access-Control" accesskey="n" rel="next">Access Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Overview-of-pwmd"></a>
<h2 class="chapter">1 Overview of <code>pwmd</code></h2>






<p><code>pwmd</code> or <em>Password Manager Daemon</em> is a server that
applications connect to and send commands to store and retrieve data
that is saved in an encrypted <abbr>XML</abbr> document.
</p>
<p>The server uses the Assuan protocol (See <a href="http://www.gnupg.org/documentation/manuals/assuan/Implementation.html#Implementation">(assuan)Implementation</a>) which
is the same used by <code>gpg-agent</code>, <code>pinentry</code> and
<code>scdaemon</code>. It also uses <cite>libgpg-error</cite> for error reporting with
the error source set as <var>GPG_ERR_SOURCE_USER_1</var>.
</p>

<p>The <abbr>XML</abbr> document uses the following <abbr>DTD</abbr>:
</p>
<div class="example">
<pre class="example">    &lt;?xml version=&quot;1.0&quot;?&gt;
    &lt;!DOCTYPE pwmd [
    &lt;!ELEMENT pwmd (element*)&gt;
    &lt;!ATTLIST element _name CDATA #REQUIRED&gt;
    ]&gt;
</pre></div>

<p>The <code>pwmd</code> element is the document root node while all other elements
of the document have the name <code>element</code> with an attribute <code>_name</code>
whose value uniquely identifies the element at the current element tree depth.
It is done this way to avoid <abbr>XML</abbr> parsing errors for commonly used
characters.  A <abbr>URL</abbr> for example would be an invalid <abbr>XML</abbr> element
since the <abbr>URI</abbr> contains a &lsquo;<samp>:</samp>&rsquo; which is also the <abbr>XML</abbr>
namespace separator.
</p>
<p>As mentioned, an element name must be unique for the current element tree
depth. You cannot have two elements containing the same <code>_name</code> attribute
value. <code>pwmd</code> will stop searching for an element of an <em>element
path</em> at the first match then continue searching for the next element of the
element path beginning at the child node of the matched element.
</p>
<p>An <em>element path</em> is a <tt class="key">TAB</tt> delimited character string where each
<tt class="key">TAB</tt> separates each element in the path.  For example, the element path
<code>a<span class="key">TAB</span>b<span class="key">TAB</span>c</code> has the following <abbr>XML</abbr> document structure:
</p>
<div class="example">
<pre class="example">   &lt;pwmd&gt;
            &lt;element _name=&quot;a&quot;&gt;
                &lt;element _name=&quot;b&quot;&gt;
                    &lt;element _name=&quot;c&quot;&gt;
                        [... element value or content ...]
                    &lt;/element&gt;
                &lt;/element&gt;
            &lt;/element&gt;
        &lt;/pwmd&gt;
</pre></div>

<p>The only restriction of an element name is that it contain no whitespace
characters. It also cannot begin with a &lsquo;<samp>!</samp>&rsquo; since this character is
reserved for the <code>target</code> attribute. See <a href="#Target-Attribute">Target Attribute</a>.
</p>
<hr>
<a name="Access-Control"></a>
<div class="header">
<p>
Next: <a href="#Invoking" accesskey="n" rel="next">Invoking</a>, Previous: <a href="#Introduction" accesskey="p" rel="prev">Introduction</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Access-Control-1"></a>
<h2 class="chapter">2 Access Control</h2>

<p>Like a filesystem has an <abbr>ACL</abbr> to grant or limit access to directories or
files for a specific user or group, <code>pwmd</code> can limit a local user,
group or a TLS connection to a specific element path. This is done by storing
an ACL in the element attribute <var>_acl</var>. Its syntax is similar to the
<var>allowed</var> configuration parameter (see <a href="#Configuration">Configuration</a>) with the
exception that a TLS fingerprint hash is prefixed with a <code>#</code>.
</p>
<p>Access is denied for all users that are not in the <abbr>ACL</abbr> of an element
with the exception of the invoking user (see the <var>invoking_user</var>.  The
connected client must be in the <abbr>ACL</abbr> for each element in an element path
otherwise an error is returned.  As an example:
</p>
<div class="example">
<pre class="example">&lt;element _name=&quot;test&quot; _acl=&quot;username,-@wheel,root,#ABCDEF&quot;&gt;
        &lt;element _name=&quot;child&quot;/&gt;
&lt;/element&gt;
</pre></div>

<p>The user <code>username</code> would be allowed access to the <code>test</code> element
but not if it is a member of the <code>wheel</code> group although the <code>root</code>
user, who may be a member of the <code>wheel</code> group, is allowed. The SHA-256
TLS fingerprint hash <code>#ABCDEF</code> is also allowed.  No users other than the
<var>invoking_user</var> are allowed access to the <code>child</code> element.
</p>
<p>The first user listed in the <abbr>ACL</abbr> is considered the owner of the
element. This determines which clients may modify an <var>_acl</var> attribute and
store content for an element. The <var>invoking_user</var> may always modify an 
<abbr>ACL</abbr>.
</p>
<hr>
<a name="Invoking"></a>
<div class="header">
<p>
Next: <a href="#Configuration" accesskey="n" rel="next">Configuration</a>, Previous: <a href="#Access-Control" accesskey="p" rel="prev">Access Control</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Invoking-pwmd"></a>
<h2 class="chapter">3 Invoking <code>pwmd</code></h2>



<p>When <code>pwmd</code> is started with the <samp>--use-agent</samp> command
line option then <code>pwmd</code> will use <code>gpg-agent</code> for key
generation, decryption, signing and caching of passphrases as the
default rather than symmetrically encrypted data files.
<code>gpg-agent</code> must be running prior to <code>pwmd</code> startup when
this option is enabled.
</p>
<p>It is recommended to pass the <samp>--allow-preset-passphrase</samp>
command line option to <code>gpg-agent</code>. Doing so allows <code>pwmd</code>
cache pushing on startup. It is also recommended to pass the
<samp>--allow-loopback-pinentry</samp> to <code>gpg-agent</code>. This option allows
a passphrase to be inquired from <code>pwmd</code> when a <code>pinentry</code> is
unavailable to the client.
</p>
<a name="index-Running-pwmd"></a>
<p><code>pwmd</code> is executed as follows: 
</p> 
<div class="example">
<pre class="example">pwmd <var>options</var> [ file1 ] [ &hellip; ]
</pre></div>

<p>Non-option arguments are data files to cache on startup. When the data file
requires a passphrase for decryption a <code>pinentry</code> will prompt either
on the current <abbr>TTY</abbr> or from an X11 window when the <code>DISPLAY</code>
environment variable is set.
</p>
<a name="index-Options"></a>
<a name="index-Arguments"></a>
<p>The following command line options are supported:
</p>
<a name="index-Getting-help"></a>
<dl compact="compact">
<dt>&lsquo;<samp>--homedir directory</samp>&rsquo;</dt>
<dd><p>The root directory where pwmd will store its data and temporary files.  The
default is <samp>~/.pwmd</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--rcfile, -f rcfile</samp>&rsquo;</dt>
<dd><p>Specify an alternate configuration file. The default is
<samp>~/.pwmd/config</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--kill</samp>&rsquo;</dt>
<dd><p>Terminate an existing instance of pwmd. The process to terminate is determined
from the <samp>--homedir</samp> and <samp>--rcfile</samp> options.
</p>
</dd>
<dt>&lsquo;<samp>--use-agent [integer]</samp>&rsquo;</dt>
<dd><p>Enable the use of <code>gpg-agent</code> and add support for data files
encrypted with a keypair. Files previously handled by
<code>gpg-agent</code> when this option is not specified will no longer be
able to be opened and new data files are symmetrically or conventionally
encrypted and without a public and private key. If specified, both data file
types are supported. The optional argument overrides any configuration file
value specified with the <samp>--rcfile</samp> option.
</p>
</dd>
<dt>&lsquo;<samp>--import, -I filename</samp>&rsquo;</dt>
<dd><p>Imports an <abbr>XML</abbr> file. The <abbr>XML</abbr> file should be in conformance to
the <code>pwmd</code> <abbr>DTD</abbr> (see <a href="#Introduction">Introduction</a>). You
will be prompted for a passphrase to encrypt with.  The output is written to
the filename specified with <samp>--outfile</samp>. To make use of the imported
data, place the output file in <samp>~/.pwmd/data</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--keyparam S-expression</samp>&rsquo;</dt>
<dd><p>The key parameters to use when generating a new key pair while importing an
<abbr>XML</abbr> file or when converting a <em>version 2</em> data file. The argument
must be a valid S-expression (See <a href="http://www.gnupg.org/documentation/manuals/gcrypt/S_002dexpressions.html#S_002dexpressions">(gcrypt)S-expressions</a>).
</p>
</dd>
<dt>&lsquo;<samp>--keygrip hexstring</samp>&rsquo;</dt>
<dd><p>Specifies the hexadecimal encoded public key-grip to use for encryption when
importing or converting. When not specified a new key-pair will be created.
</p>
</dd>
<dt>&lsquo;<samp>--sign-keygrip hexstring</samp>&rsquo;</dt>
<dd><p>Specifies the hexadecimal encoded public key-grip to use for signing of the
data file when importing or converting. When not specified the generated
public key or the key specified with the <samp>--keygrip</samp> option will be
used.
</p>
</dd>
<dt>&lsquo;<samp>--passphrase-file, -k filename&quot;</samp>&rsquo;</dt>
<dd><p>Obtain the passphrase from the specified filename.
</p>
</dd>
<dt>&lsquo;<samp>--s2k-count iterations</samp>&rsquo;</dt>
<dd><p>The number of times to hash the passphrase when importing or converting.  The
default is the gpg-agent calibrated value of the machine. When less than
&lsquo;<samp>65536</samp>&rsquo; the default will be used. When not using <code>gpg-agent</code> this
is option is an alias for <samp>--cipher-iterations</samp>.
</p>
</dd>
<dt>&lsquo;<samp>--cipher-iterations iterations</samp>&rsquo;</dt>
<dd><p>The number of times to hash the passphrase used for <code>pwmd</code> symmetric
format data files.  The default is <code>5000000</code>.
</p>
<p>This option behaves the same as the <var>&ndash;s2k-count</var> option when not using
<code>gpg-agent</code> and has no effect when using <code>gpg-agent</code>. In
versions prior to <code>pwmd</code> <var>3.0.15</var> this option was a count to
specify the number of times to encrypt the XML data with the chosen cipher and
was a security risk since the iteration count of the passphrase hash was a low
static compile time value.
</p>
</dd>
<dt>&lsquo;<samp>--cipher algo</samp>&rsquo;</dt>
<dd><p>When importing, the cipher to use for data encryption.  See the <var>cipher</var>
configuration parameter (see <a href="#Configuration">Configuration</a>) for available ciphers. The
default is &lsquo;<samp>aes256</samp>&rsquo;.
</p>
</dd>
<dt>&lsquo;<samp>--convert, -C filename</samp>&rsquo;</dt>
<dd><p>Converts a <code>pwmd</code> <em>version 2</em> data file to a <em>version 3</em>
data file. If encrypted, you will be prompted for a passphrase to use for
decryption unless <samp>--passphrase-file</samp> was specified. The converted data
file will be saved to the filename specified with <samp>--outfile</samp>. All
<samp>--import</samp> related options may also be used when converting.
</p>
</dd>
<dt>&lsquo;<samp>--disable-dump, -D</samp>&rsquo;</dt>
<dd><p>Disable the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and <code>DUMP</code>
protocol commands (see <a href="#Commands">Commands</a>). This overrides any
<var>disable_list_and_dump</var> configuration parameter (see <a href="#Configuration">Configuration</a>).
</p>
</dd>
<dt>&lsquo;<samp>--no-fork, -n</samp>&rsquo;</dt>
<dd><p>Run as a foreground process and do not fork into the background.
</p>
</dd>
<dt>&lsquo;<samp>--ignore, --force</samp>&rsquo;</dt>
<dd><p>Ignore cache pushing failures on startup. By default, <code>pwmd</code> will exit
if an error occurred do to an invalid passphrase or other error.
</p>
</dd>
<dt>&lsquo;<samp>--debug-level keyword,keyword,...</samp>&rsquo;</dt>
<dd><p>Output libassuan See <a href="http://www.gnupg.org/documentation/manuals/assuan/index.html#Top">(assuan)Top</a> protocol IO with the comma
separated list of output keywords.  Valid keywords are: <code>init</code>,
<code>ctx</code>, <code>engine</code>, <code>data</code>, <code>sysio</code> and <code>control</code>.
</p>
</dd>
<dt>&lsquo;<samp>--version</samp>&rsquo;</dt>
<dd><p>Show the version, copyright and compile time features and exit.
</p>
</dd>
<dt>&lsquo;<samp>--help</samp>&rsquo;</dt>
<dd><p>Print a summary of options.
</p></dd>
</dl>


<hr>
<a name="Configuration"></a>
<div class="header">
<p>
Next: <a href="#TLS" accesskey="n" rel="next">TLS</a>, Previous: <a href="#Invoking" accesskey="p" rel="prev">Invoking</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="pwmd-configuration-file-options"></a>
<h2 class="chapter">4 <code>pwmd</code> configuration file options</h2>


<p>If no configuration file is specified with the <code>pwmd</code> <samp>-f</samp>
command line option, <code>pwmd</code> will read <samp>~/.pwmd/config</samp> if it
exists, and if not, will use defaults.  Blank lines and lines beginning with
&lsquo;<samp>#</samp>&rsquo; are ignored. Some parameters may have data file specific settings by
placing them in a file section. A file section is declared by surrounding the
filename with braces (i.e., &lsquo;<samp>[filename]</samp>&rsquo;).  Global options may be
specified in a &lsquo;<samp>[global]</samp>&rsquo; section and are the default options for new or
unspecified files.
</p>
<p>A tilde <tt class="key">~</tt> will be expanded to the home directory of the invoking user
when contained in a parameter whose value is a filename.
</p>
<a name="index-Reloading-the-configuration-file"></a>
<p>The configuration file can be reloaded by sending the <em>SIGHUP</em> signal to
a <code>pwmd</code> process.
</p>
<a name="index-Global-configuration-options"></a>
<p>The following options are only for use in the &lsquo;<samp>global</samp>&rsquo; section:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>socket_path = /path/to/socket</samp>&rsquo;</dt>
<dd><p>Listen on the specified socket. The default is <samp>~/.pwmd/socket</samp>.
</p>
</dd>
<dt>&lsquo;<samp>socket_perms = octal_mode</samp>&rsquo;</dt>
<dd><p>Permissions to set after creating the socket. This will override any
<cite>umask(2)</cite> setting.
</p>
</dd>
<dt>&lsquo;<samp>invoking_user = [-!]user,[-!]@group,[-!]#SHA-256,...</samp>&rsquo;</dt>
<dd><p>This parameter is not to be confused with setuid or setguid upon startup. It&rsquo;s
syntax is the same as the <code>allowed</code> parameter except that it is a list of
local username, group name and TLS fingerprint hashes that may use the
<code>XPATH</code>, <code>XPATHATTR</code> and <code>DUMP</code> commands (except when
disabled with the <code>disable_list_and_dump</code> option) and also who may modify
elements that have no <code>_acl</code> attribute or is not listed in an
<code>_acl</code>. It is similar to the system administrator root account but for a
data file and element paths (see <a href="#Access-Control">Access Control</a>). The default is the user
the executes <code>pwmd</code>.
</p>
</dd>
<dt>&lsquo;<samp>invoking_file = filename</samp>&rsquo;</dt>
<dd><p>A file containing one ACL entry per line. Lines beginning with a <code>;</code> are
ignored. An entry has the same syntax as the <code>invoking_user</code> parameter.
When both this parameter and the <code>invoking_user</code> parameter are specified
then the <code>invoking_file</code> entries will be appended to the
<code>invoking_user</code> parameter value.
</p>
</dd>
<dt>&lsquo;<samp>strict_kill = boolean</samp>&rsquo;</dt>
<dd><p>When <code>false</code>, the <code>KILL</code> command (see <a href="#KILL">KILL</a>) will allow killing
another client that is not of the same <code>UID</code> or <abbr>TLS</abbr> fingerprint of
the current client and when not the <code>invoking_user</code>. The default us
<code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>allowed = [-!]user,[-!]@group,[+,][-!]#SHA-256,...</samp>&rsquo;</dt>
<dd><p>A comma separated list of local user names, group names or <abbr>TLS</abbr>
fingerprint <abbr>SHA</abbr>-256 hashes (in the case of a remote client) who are
allowed to connect.  Groups should be prefixed with a &lsquo;<samp>@</samp>&rsquo;. When not
specified only the invoking user may connect. A username, group name or hash
may also be prefixed with a <code>-</code> or <code>!</code> to prevent access to a specific
user or group in the list. The order of the list is important since a user may
be of multiple groups.
</p>
<p>This parameter may also be specified in a filename section to allow or deny a
client to <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) a data file. It also affects the cache
commands <code>CLEARCACHE</code> (see <a href="#CLEARCACHE">CLEARCACHE</a>) and <code>CACHETIMEOUT</code>
(see <a href="#CACHETIMEOUT">CACHETIMEOUT</a>). When not specified in a file section any user that can
connect may also open the filename.
</p>
<p>The following example would deny all users in group <code>primary</code> but
allow <code>username</code> who may be a member of <code>primary</code>. It will also
allow any TLS client except for the client with <abbr>TLS</abbr> fingerprint hash
<code>#ABCDEF</code>:
</p>
<div class="example">
<pre class="example">allowed=-@primary,username,+,!#ABCDEF
</pre></div>

</dd>
<dt>&lsquo;<samp>allowed_file = filename</samp>&rsquo;</dt>
<dd><p>A file containing one ACL entry per line. Lines beginning with a <code>;</code> are
ignored. An entry has the same syntax as the <code>allowed</code> parameter. When
both this parameter and the <code>allowed</code> parameter are specified then the
<code>allowed_file</code> entries will be appended to the <code>allowed</code> parameter
value.
</p>
</dd>
<dt>&lsquo;<samp>disable_mlockall = boolean</samp>&rsquo;</dt>
<dd><p>When set to <code>false</code>, <cite>mlockall(2)</cite> will be called on startup.  This
will use more physical memory but may also be more secure since no swapping to
disk will occur. The default is <var>true</var>.
</p>
</dd>
<dt>&lsquo;<samp>log_path = /path/to/logfile</samp>&rsquo;</dt>
<dd><p>Logs informational messages to the specified file. The default is
<samp>~/.pwmd/log</samp>.
</p>
</dd>
<dt>&lsquo;<samp>enable_logging = boolean</samp>&rsquo;</dt>
<dd><p>Enable or disable logging to <var>log_path</var>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>log_keepopen = boolean</samp>&rsquo;</dt>
<dd><p>When set to <code>false</code>, the log file specified with <var>log_path</var> will be
closed after writing each line. The default is <code>true</code>.
</p>
</dd>
<dt>&lsquo;<samp>syslog = boolean</samp>&rsquo;</dt>
<dd><p>Enable logging to <cite>syslog(8)</cite> with facility <em>LOG_DAEMON</em> and priority
<em>LOG_INFO</em>. The default is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>log_level = level</samp>&rsquo;</dt>
<dd><p>When <code>0</code>, only connections and errors are logged. When <code>1</code>, client
commands are also logged. When <code>2</code>, the command arguments are also logged.
The default is <code>0</code>.
</p>
</dd>
<dt>&lsquo;<samp>use_agent = boolean</samp>&rsquo;</dt>
<dd><p>When true, enable <code>gpg-agent</code> support (see <a href="#Invoking">Invoking</a>).
</p>
</dd>
<dt>&lsquo;<samp>gpg_agent_socket = /path/to/filename</samp>&rsquo;</dt>
<dd><p>The location of the <code>gpg-agent</code> socket. The default is
<code>~/.gnupg/S.gpg-agent</code>.
</p>
</dd>
<dt>&lsquo;<samp>kill_scd = boolean</samp>&rsquo;</dt>
<dd><p>Kill <code>scdaemon</code> after each <code>OPEN</code> (see <a href="#OPEN">OPEN</a>) or <code>SAVE</code>
(see <a href="#SAVE">SAVE</a>) command.
</p>
</dd>
<dt>&lsquo;<samp>require_save_key = boolean</samp>&rsquo;</dt>
<dd><p>Require the passphrase needed to open a data file before writing changes
of the documment to disk reguardless of the key cache status.
</p>
</dd>
<dt>&lsquo;<samp>disable_list_and_dump = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and
<code>DUMP</code> protocol commands (see <a href="#Commands">Commands</a>) will be disabled.
</p>
</dd>
<dt>&lsquo;<samp>cache_push = file1,file2</samp>&rsquo;</dt>
<dd><p>A comma separated list of filenames that will be pushed into the file cache
upon startup. <code>pwmd</code> will prompt for the passphrase for each file unless
specified with the <var>passphrase</var> or <var>passphrase_file</var> parameters in a
matching file section.
</p>
</dd>
<dt>&lsquo;<samp>priority = integer</samp>&rsquo;</dt>
<dd><p>The priority, or niceness, of the server. The default is inherited from the
parent process.
</p>
</dd>
<dt>&lsquo;<samp>cipher = algorithm</samp>&rsquo;</dt>
<dd><p>The default cipher to use for data encryption when saving (see <a href="#SAVE">SAVE</a>) a new
file. The algorithm must be one of: <code>aes128</code>, <code>aes192</code>,
<code>aes256</code>, <code>serpent128</code>, <code>serpent192</code>, <code>serpent256</code>,
<code>camellia128</code>, <code>camellia192</code>, <code>camellia256</code>, <code>3des</code>,
<code>cast5</code>, <code>blowfish</code>, <code>twofish128</code> or <code>twofish256</code>. The
default is <code>aes256</code>.
</p>
</dd>
<dt>&lsquo;<samp>cipher_iterations = integer</samp>&rsquo;</dt>
<dd><p>The number of times to encrypt the XML data. This differs from the
<var>s2k_count</var> parameter which specifies the number of times to hash the
passphrase used to encrypt the data. The default is 0 although at least 1
iteration is always done.
</p>
</dd>
<dt>&lsquo;<samp>keyparam = s-expression</samp>&rsquo;</dt>
<dd><p>The default key parameters to use when generating a new key-pair. The default
is <code>RSA</code> with <code>2048</code> bits. Note that only the <abbr>RSA</abbr> and
<abbr>ELG</abbr> algorithms as the encryption algorithm are supported at the moment.
Both <abbr>RSA</abbr> and <abbr>DSA</abbr> keys may be used for signing.
</p>
</dd>
<dt>&lsquo;<samp>pinentry_path = /path/to/pinentry</samp>&rsquo;</dt>
<dd><p>The location of the <code>pinentry</code> binary. This program is used to
prompt for a passphrase when not using <code>gpg-agent</code>. The default
is specified at compile time.
</p>
</dd>
<dt>&lsquo;<samp>pinentry_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to wait for a pinentry before giving up and
returning an error. This timeout value is used for both waiting for
another pinentry to complete and for the pinentry waiting for user input.
</p>
</dd>
<dt>&lsquo;<samp>lock_timeout = integer</samp>&rsquo;</dt>
<dd><p>The default timeout in tenths of a second before giving up waiting for a file
lock and returning an error. The default is <code>50</code>.
</p>
</dd>
<dt>&lsquo;<samp>send_state = integer</samp>&rsquo;</dt>
<dd><p>Whether to send client state changes of the current client to all connected
clients. When <code>0</code> no client state changes will be sent although a client
state may be obtained with the <code>GETINFO</code> command (see <a href="#GETINFO">GETINFO</a>). When
<code>1</code> a status message will be sent to all connected clients.  When
<code>2</code> the status message will be sent only to the <code>invoking_user</code>
(see <a href="#Configuration">Configuration</a>). The default is <code>2</code>.  Disabling this option can
significantly increase the performance of <code>pwmd</code> when there are many
connected clients.
</p></dd>
</dl>

<a name="index-Data-file-configuration-options"></a>
<p>The following options are defaults for new files when specified in the
&lsquo;<samp>global</samp>&rsquo; section. When placed in a data file section they are options
specific to that data file only.
</p>
<dl compact="compact">
<dt>&lsquo;<samp>backup = boolean</samp>&rsquo;</dt>
<dd><p>Whether to create a backup of the data file when saving. The backup filename
has the <samp>.backup</samp> extension appended to the opened file. The default is
<code>true</code>. 
</p>
</dd>
<dt>&lsquo;<samp>cache_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to keep the cache entry for this file. If <code>-1</code>, the
cache entry is kept forever. If <code>0</code>, each time an encrypted file is
<code>OPEN</code>ed (see <a href="#OPEN">OPEN</a>) a passphrase will be required. The default
is <code>600</code> or 10 minutes.
</p>
</dd>
<dt>&lsquo;<samp>xfer_progress = bytes</samp>&rsquo;</dt>
<dd><p>Commands that send data lines to the client will also send the <code>XFER</code>
status message (see <a href="#Status-Messages">Status Messages</a>) after the specified number of bytes
have been sent. The number of bytes is rounded to <var>ASSUAN_LINELENGTH</var> or
<code>1002</code> bytes. The default is <code>8196</code>.
</p>
</dd>
<dt>&lsquo;<samp>passphrase = string</samp>&rsquo;</dt>
<dd><p>The passphrase to use for this file. If specified in the &lsquo;<samp>global</samp>&rsquo; section
then &lsquo;<samp>global</samp>&rsquo; is treated as a data filename and not a default for other
files. Note that if a client changes the passphrase for this data file then
this value is not modified and will need to be updated.
</p>
</dd>
<dt>&lsquo;<samp>passphrase_file = /path/to/file</samp>&rsquo;</dt>
<dd><p>Same as the <var>passphrase</var> parameter above but obtains the passphrase from
the specified filename.
</p>
</dd>
<dt>&lsquo;<samp>recursion_depth = integer</samp>&rsquo;</dt>
<dd><p>The maximum number of times to resolve a <code>target</code> attribute for an
element in an element path (see <a href="#Target-Attribute">Target Attribute</a>). An error is returned
when this value is exceeded.  The default is <code>100</code> but can be disabled by
setting to <code>0</code> (<em>not recommended</em>).
</p>
</dd>
<dt>&lsquo;<samp>allowed = [-]user,[-]@group,...</samp>&rsquo;</dt>
<dd><p>Same parameter value as the <code>allowed</code> parameter mentioned above in
the &lsquo;<samp>global</samp>&rsquo; section but grants or denies a local user from opening
a specific data file. The default is the same as the &lsquo;<samp>global</samp>&rsquo; section.
</p></dd>
</dl>

<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#TLS" accesskey="1">TLS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Remote connections over TLS.
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#Pinentry" accesskey="2">Pinentry</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">Configuration file and defaults.
</td></tr>
</table>

<hr>
<a name="TLS"></a>
<div class="header">
<p>
Next: <a href="#Pinentry" accesskey="n" rel="next">Pinentry</a>, Previous: <a href="#Configuration" accesskey="p" rel="prev">Configuration</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Configuring-remote-connections-over-TLS_002e"></a>
<h2 class="chapter">5 Configuring remote connections over TLS.</h2>

<p>Connections can also be made to <code>pwmd</code> over <abbr>TLS</abbr>.
Authentication is done by using X.509 client certificates which are signed
with the same Certificate Authority (<abbr>CA</abbr>) as the server certificate.
</p>
<p>The <abbr>CA</abbr> certificate is expected to be found in
<samp>~/.pwmd/ca-cert.pem</samp> while the <code>pwmd</code> server certificate and key
file should be put in <samp>~/.pwmd/server-cert.pem</samp> and
<samp>~/.pwmd/server-key.pem</samp>, respectively.
</p>
<p>See the documentation of <code>certtool</code> or <code>openssl</code> for details
on creating self-signed certificates.
</p>
<p>The following TLS configuration options are available:
</p>
<dl compact="compact">
<dt>&lsquo;<samp>enable_tcp = boolean</samp>&rsquo;</dt>
<dd><p>Whether to enable TCP/TLS server support. If enabled, both TCP and the local
unix domain socket will listen for connections. The default is
<code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_port = integer</samp>&rsquo;</dt>
<dd><p>The TCP port to listen on when <var>enable_tcp</var> is <code>true</code>. The default is
<code>6466</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_bind = string</samp>&rsquo;</dt>
<dd><p>The internet protocol to listen with. Must be one of <code>ipv4</code>, <code>ipv6</code>
or <code>any</code> to listen for both IPv4 and IPv6 connections.
</p>
</dd>
<dt>&lsquo;<samp>tcp_interface = string</samp>&rsquo;</dt>
<dd><p>Only useful if running as root.
</p>
</dd>
<dt>&lsquo;<samp>tls_timeout = seconds</samp>&rsquo;</dt>
<dd><p>The number of seconds to wait for a read() or write() call on a
<abbr>TLS</abbr> client file descriptor to complete before returning an
error. The default is <var>300</var>.
</p>
<p>Note that the <code>SAVE</code> command (see <a href="#SAVE">SAVE</a>) may take a longer time
to complete than other commands since key generation may need to be done
or do to a large <samp>--cipher-iterations</samp> setting.
</p>
</dd>
<dt>&lsquo;<samp>keepalive_interval = seconds</samp>&rsquo;</dt>
<dd><p>Send a keepalive status message to an idle remote client.  An idle
client is one who is not in a command. The purpose of this status
message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is <code>60</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_require_key = boolean</samp>&rsquo;</dt>
<dd><p>When <code>true</code>, require the remote client to provide the key or passphrase
to open a data file even if the file is cached. Note that the cache entry is
cleared during the see <a href="#OPEN">OPEN</a> command and the passphrase will be retrieved
from the client via a server <em>INQUIRE</em>. This option is a default
for all files when specified in the &lsquo;<samp>global</samp>&rsquo; section. The default
is <code>false</code>.
</p>
</dd>
<dt>&lsquo;<samp>tcp_wait = integer</samp>&rsquo;</dt>
<dd><p>The time in tenths of a second to wait between TCP connections.  Setting to 0
will disable waiting. The default is <code>3</code>.
</p>
</dd>
<dt>&lsquo;<samp>tls_cipher_suite = string</samp>&rsquo;</dt>
<dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
information about the format of this string. The default is <code>SECURE256</code>.
</p>
</dd>
<dt>&lsquo;<samp>tls_dh_level = string</samp>&rsquo;</dt>
<dd><p>The security level (bits) of the generated key exchange parameters. Possible
values are <code>low</code>, <code>medium</code> or <code>high</code>. The default is
<code>medium</code>.
</p></dd>
</dl>

<hr>
<a name="Pinentry"></a>
<div class="header">
<p>
Next: <a href="#Commands" accesskey="n" rel="next">Commands</a>, Previous: <a href="#TLS" accesskey="p" rel="prev">TLS</a>, Up: <a href="#Configuration" accesskey="u" rel="up">Configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Pinentry-configuration"></a>
<h2 class="chapter">6 Pinentry configuration</h2>

<p>The <code>pinentry</code> program is used to prompt the user for passphrase
input or as a confirmation dialog; it needs to know where to prompt for
the input, beit from a terminal or an X11 display.
</p>
<p>It is the responsibility of the client to tell <code>pinentry</code> about
the terminal or X11 display before requiring the input. This is done by
using the <code>pwmd</code> <code>OPTION</code> (see <a href="#OPTION">OPTION</a>) protocol command. It
need be done only once per client connection. To avoid the use of
<code>pinentry</code> entirely, use the <code>OPTION</code> (see <a href="#OPTION">OPTION</a>)
<samp>--disable-pinentry</samp> protocol command.
</p>
<hr>
<a name="Commands"></a>
<div class="header">
<p>
Next: <a href="#Status-Messages" accesskey="n" rel="next">Status Messages</a>, Previous: <a href="#Pinentry" accesskey="p" rel="prev">Pinentry</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Protocol-commands-and-their-syntax"></a>
<h2 class="chapter">7 Protocol commands and their syntax</h2>
<table class="menu" border="0" cellspacing="0">
<tr><td align="left" valign="top">&bull; <a href="#AGENT" accesskey="1">AGENT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ATTR" accesskey="2">ATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#CACHETIMEOUT" accesskey="3">CACHETIMEOUT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#CLEARCACHE" accesskey="4">CLEARCACHE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#COPY" accesskey="5">COPY</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DELETE" accesskey="6">DELETE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#DUMP" accesskey="7">DUMP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GET" accesskey="8">GET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GETCONFIG" accesskey="9">GETCONFIG</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#GETINFO">GETINFO</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#HELP">HELP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#IMPORT">IMPORT</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#ISCACHED">ISCACHED</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#KEYGRIP">KEYGRIP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#KILL">KILL</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LIST">LIST</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LOCK">LOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#LS">LS</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#MOVE">MOVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#NOP">NOP</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#OPEN">OPEN</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#OPTION">OPTION</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#PASSWD">PASSWD</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#REALPATH">REALPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#RENAME">RENAME</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#RESET">RESET</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#SAVE">SAVE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#STORE">STORE</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#UNLOCK">UNLOCK</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#XPATH">XPATH</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
<tr><td align="left" valign="top">&bull; <a href="#XPATHATTR">XPATHATTR</a>:</td><td>&nbsp;&nbsp;</td><td align="left" valign="top">
</td></tr>
</table>
<hr>
<a name="AGENT"></a>
<div class="header">
<p>
Next: <a href="#ATTR" accesskey="n" rel="next">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="AGENT-command"></a>
<h2 class="chapter">8 AGENT command</h2>
<a name="index-AGENT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">AGENT &lt;command&gt;
</pre></div>

<p>Send a <code>gpg-agent</code> protocol <var>command</var> directly to the 
<code>gpg-agent</code>.
</p>

<hr>
<a name="ATTR"></a>
<div class="header">
<p>
Next: <a href="#CACHETIMEOUT" accesskey="n" rel="next">CACHETIMEOUT</a>, Previous: <a href="#AGENT" accesskey="p" rel="prev">AGENT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="ATTR-command"></a>
<h2 class="chapter">9 ATTR command</h2>
<a name="index-ATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">ATTR [--inquire] SET|GET|DELETE|LIST [&lt;attribute&gt;] [!]element[&lt;TAB&gt;[!]child[..]] ..
</pre></div>

<dl compact="compact">
<dt>ATTR SET attribute [!]element[&lt;TAB&gt;[!]child[..]] [value]</dt>
<dd>
<p>Stores or updates an <var>attribute</var> name and optional <var>value</var> of an 
element. When no <var>value</var> is specified any existing value will be removed.
</p>
</dd>
<dt>ATTR DELETE attribute [!]element[&lt;TAB&gt;[!]child[..]]</dt>
<dd>
<p>Removes an <var>attribute</var> from an element.
</p>
</dd>
<dt>ATTR LIST [!]element[&lt;TAB&gt;[!]child[..]]</dt>
<dd>
<p>Retrieves a newline separated list of attributes names and values 
from the specified element. Each attribute name and value is space delimited.
</p>
</dd>
<dt>ATTR GET attribute [!]element[&lt;TAB&gt;[!]child[..]]</dt>
<dd>
<p>Retrieves the value of an <var>attribute</var> from an element.
</p></dd>
</dl>

<p>The <code>_name</code> attribute (case sensitive) cannot be removed nor modified. 
Use the <code>DELETE</code> (see <a href="#DELETE">DELETE</a>) or <code>RENAME</code> (see <a href="#RENAME">RENAME</a>) 
commands instead.
</p>
<p>The <code>_mtime</code> attribute is updated each time an element is modified by 
either storing content, editing attributes or by deleting a child element. 
The <code>_ctime</code> attribute is created for each new element in an element 
path.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>
<p>See <a href="#Target-Attribute">Target Attribute</a>, for details about this special attribute.
</p>

<hr>
<a name="CACHETIMEOUT"></a>
<div class="header">
<p>
Next: <a href="#CLEARCACHE" accesskey="n" rel="next">CLEARCACHE</a>, Previous: <a href="#ATTR" accesskey="p" rel="prev">ATTR</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="CACHETIMEOUT-command"></a>
<h2 class="chapter">10 CACHETIMEOUT command</h2>
<a name="index-CACHETIMEOUT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">CACHETIMEOUT &lt;filename&gt; &lt;seconds&gt;
</pre></div>

<p>The time in <var>seconds</var> until <var>filename</var> will be removed from the 
cache. <code>-1</code> will keep the cache entry forever, <code>0</code> will require 
the passphrase for each <code>OPEN</code> or <code>SAVE</code> command (see <a href="#OPEN">OPEN</a>, 
see <a href="#SAVE">SAVE</a>). See <a href="#Configuration">Configuration</a>, and the <code>cache_timeout</code> 
parameter.
</p>

<hr>
<a name="CLEARCACHE"></a>
<div class="header">
<p>
Next: <a href="#COPY" accesskey="n" rel="next">COPY</a>, Previous: <a href="#CACHETIMEOUT" accesskey="p" rel="prev">CACHETIMEOUT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="CLEARCACHE-command"></a>
<h2 class="chapter">11 CLEARCACHE command</h2>
<a name="index-CLEARCACHE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">CLEARCACHE [&lt;filename&gt;]
</pre></div>

<p>Clears a file cache entry for all or the specified <var>filename</var>.
</p>

<hr>
<a name="COPY"></a>
<div class="header">
<p>
Next: <a href="#DELETE" accesskey="n" rel="next">DELETE</a>, Previous: <a href="#CLEARCACHE" accesskey="p" rel="prev">CLEARCACHE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="COPY-command"></a>
<h2 class="chapter">12 COPY command</h2>
<a name="index-COPY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">COPY [--inquire] [!]source[&lt;TAB&gt;[!]child[..]] [!]dest[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Copies the entire element tree starting from the child node of the source 
element, to the destination element path. If the destination element path 
does not exist then it will be created; otherwise it is overwritten.
</p>
<p>Note that attributes from the source element are merged into the 
destination element when the destination element path exists. When an 
attribute of the same name exists in both the source and destination 
elements then the destination attribute will be updated to the source 
attribute value.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="DELETE"></a>
<div class="header">
<p>
Next: <a href="#DUMP" accesskey="n" rel="next">DUMP</a>, Previous: <a href="#COPY" accesskey="p" rel="prev">COPY</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="DELETE-command"></a>
<h2 class="chapter">13 DELETE command</h2>
<a name="index-DELETE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DELETE [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Removes the specified element path and all of its children. This may break 
an element with a <code>target</code> attribute (see <a href="#Target-Attribute">Target Attribute</a>) that 
refers to this element or any of its children.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="DUMP"></a>
<div class="header">
<p>
Next: <a href="#GET" accesskey="n" rel="next">GET</a>, Previous: <a href="#DELETE" accesskey="p" rel="prev">DELETE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="DUMP-command"></a>
<h2 class="chapter">14 DUMP command</h2>
<a name="index-DUMP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">DUMP
</pre></div>

<p>Shows the in memory <abbr>XML</abbr> document with indenting. See <a href="#XPATH">XPATH</a>, for 
dumping a specific node.
</p>

<hr>
<a name="GET"></a>
<div class="header">
<p>
Next: <a href="#GETCONFIG" accesskey="n" rel="next">GETCONFIG</a>, Previous: <a href="#DUMP" accesskey="p" rel="prev">DUMP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="GET-command"></a>
<h2 class="chapter">15 GET command</h2>
<a name="index-GET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GET [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Retrieves the content of the specified element. The content is returned 
with a data response.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="GETCONFIG"></a>
<div class="header">
<p>
Next: <a href="#GETINFO" accesskey="n" rel="next">GETINFO</a>, Previous: <a href="#GET" accesskey="p" rel="prev">GET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="GETCONFIG-command"></a>
<h2 class="chapter">16 GETCONFIG command</h2>
<a name="index-GETCONFIG-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GETCONFIG [filename] &lt;parameter&gt;
</pre></div>

<p>Returns the value of a <code>pwmd</code> configuration <var>parameter</var> with a 
data response. If no file has been opened then the value for <var>filename</var> 
or the default from the &lsquo;<samp>global</samp>&rsquo; section will be returned. If a file 
has been opened and no <var>filename</var> is specified, a value previously 
set with the <code>OPTION</code> command (see <a href="#OPTION">OPTION</a>) will be returned.
</p>

<hr>
<a name="GETINFO"></a>
<div class="header">
<p>
Next: <a href="#HELP" accesskey="n" rel="next">HELP</a>, Previous: <a href="#GETCONFIG" accesskey="p" rel="prev">GETCONFIG</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="GETINFO-command"></a>
<h2 class="chapter">17 GETINFO command</h2>
<a name="index-GETINFO-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">GETINFO [--data] [--verbose] CACHE | CLIENTS | PID | USER | LAST_ERROR | VERSION
</pre></div>

<p>Get server and other information: <var>CACHE</var> returns the number of cached 
documents via a status message. <var>CLIENTS</var> returns the number of 
connected clients via a status message or a list of connected clients when 
the <samp>--verbose</samp> parameter is used. The list contains space delimited 
fields: the thread ID, client name, opened file (<code>/</code> if none opened), 
file lock status, whether the current client is self, client state, 
user ID or TLS fingerprint of the connected client and username if the 
client is a local one. 
Client state <code>0</code> is an unknown client state, <code>1</code> indicates the 
client has connected but hasn&rsquo;t completed initializing, <code>2</code> indicates 
that the client is idle, <code>3</code> means the 
client is in a command and <code>4</code> means the client is disconnecting. This 
line is always returned with a data response. <var>PID</var> returns the process 
ID number of the server via a data response. <var>VERSION</var> returns the server 
version number and compile-time features with a data response with each 
being space delimited. <var>LAST_ERROR</var> returns a detailed description of 
the last failed command when available. <var>USER</var> returns the username or 
<abbr>TLS</abbr> hash of the connected client. See <a href="#Status-Messages">Status Messages</a>. 
</p>
<p>When the <samp>--data</samp> option is specified then the result will be sent 
via a data response rather than a status message.
</p>

<hr>
<a name="HELP"></a>
<div class="header">
<p>
Next: <a href="#IMPORT" accesskey="n" rel="next">IMPORT</a>, Previous: <a href="#GETINFO" accesskey="p" rel="prev">GETINFO</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="HELP-command"></a>
<h2 class="chapter">18 HELP command</h2>
<a name="index-HELP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">HELP [&lt;COMMAND&gt;]
</pre></div>

<p>Show available commands or command specific help text.
</p>

<hr>
<a name="IMPORT"></a>
<div class="header">
<p>
Next: <a href="#ISCACHED" accesskey="n" rel="next">ISCACHED</a>, Previous: <a href="#HELP" accesskey="p" rel="prev">HELP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="IMPORT-command"></a>
<h2 class="chapter">19 IMPORT command</h2>
<a name="index-IMPORT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">IMPORT [--root=[!]element[&lt;TAB&gt;[!]child[..]]] &lt;content&gt;
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
</p>
<p>Like the <code>STORE</code> command (see <a href="#STORE">STORE</a>), but the <var>content</var> 
argument is raw <abbr>XML</abbr> data. The content is created as a child of 
the element path specified with the <samp>--root</samp> option or at the 
document root when not specified. Existing elements of the same name will 
be overwritten.
</p>
<p>The content must begin with an <abbr>XML</abbr> element node. See <a href="#Introduction">Introduction</a>, 
for details.
</p>

<hr>
<a name="ISCACHED"></a>
<div class="header">
<p>
Next: <a href="#KEYGRIP" accesskey="n" rel="next">KEYGRIP</a>, Previous: <a href="#IMPORT" accesskey="p" rel="prev">IMPORT</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="ISCACHED-command"></a>
<h2 class="chapter">20 ISCACHED command</h2>
<a name="index-ISCACHED-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">ISCACHED [--lock] &lt;filename&gt;
</pre></div>

<p>An <em>OK</em> response is returned if the specified <var>filename</var> is found 
in the file cache. If not found in the cache but exists on the filesystem 
then <var>GPG_ERR_NO_DATA</var> is returned. Otherwise a filesystem error is 
returned.
</p>
<p>The <samp>lock</samp> option will lock the file mutex of <var>filename</var> when the 
file exists; it does not need to be opened nor cached. The lock will be 
released when the client exits or sends the <code>UNLOCK</code> (see <a href="#UNLOCK">UNLOCK</a>) 
command.
</p>

<hr>
<a name="KEYGRIP"></a>
<div class="header">
<p>
Next: <a href="#KILL" accesskey="n" rel="next">KILL</a>, Previous: <a href="#ISCACHED" accesskey="p" rel="prev">ISCACHED</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="KEYGRIP-command"></a>
<h2 class="chapter">21 KEYGRIP command</h2>
<a name="index-KEYGRIP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">KEYGRIP [--sign] &lt;filename&gt;
</pre></div>

<p>Returns the hex encoded keygrip of the specified <var>filename</var> with a 
data response.
</p>
<p>When the <samp>--sign</samp> option is specified then the key used for signing 
of the specified <var>filename</var> will be returned.
</p>
<p>For symmetrically encrypted data files this command returns the error 
GPG_ERR_NOT_SUPPORTED.
</p>

<hr>
<a name="KILL"></a>
<div class="header">
<p>
Next: <a href="#LIST" accesskey="n" rel="next">LIST</a>, Previous: <a href="#KEYGRIP" accesskey="p" rel="prev">KEYGRIP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="KILL-command"></a>
<h2 class="chapter">22 KILL command</h2>
<a name="index-KILL-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">KILL &lt;thread_id&gt;
</pre></div>

<p>Terminates the client identified by <var>thread_id</var> and releases any file 
lock or other resources it has held. See <code>GETINFO</code> (see <a href="#GETINFO">GETINFO</a>) 
for details about listing connected clients. The <code>invoking_user</code> 
(see <a href="#Configuration">Configuration</a>) may kill any client while others may only kill 
clients of the same <code>UID</code> or <abbr>TLS</abbr> fingerprint.
</p>

<hr>
<a name="LIST"></a>
<div class="header">
<p>
Next: <a href="#LOCK" accesskey="n" rel="next">LOCK</a>, Previous: <a href="#KILL" accesskey="p" rel="prev">KILL</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="LIST-command"></a>
<h2 class="chapter">23 LIST command</h2>
<a name="index-LIST-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LIST [--inquire] [--no-recurse] [--verbose] [--with-target] [--all] [[!]element[&lt;TAB&gt;[!]child[..]]]
</pre></div>

<p>If no element path is given then a newline separated list of root elements 
is returned with a data response. If given, then all reachable elements 
of the specified element path are returned unless the <samp>--no-recurse</samp> 
option is specified. If specified, only the child elements of the element 
path are returned without recursing into grandchildren. Each resulting 
element is prefixed with the literal <code>!</code> character when the element 
contains no <code>target</code> attribute. See <a href="#Target-Attribute">Target Attribute</a>, for details.
</p>
<p>When the <samp>--verbose</samp> option is passed then each element path 
returned will have zero or more flags appened to it. These flags are 
delimited from the element path by a single space character. A flag itself 
is a single character. Flag <code>P</code> indicates that access to the element 
is denied. Flag <code>+</code> indicates that there are child nodes of 
the current element path. Flag <code>E</code> indicates that an element of an 
element path contained in a <var>target</var> attribute could not be found. Flag 
<code>O</code> indicates that a <var>target</var> attribute recursion limit was reached 
(see <a href="#Configuration">Configuration</a>). Flag <code>T</code> will append the resolved element path 
of the <var>target</var> attribute contained in the current element (see below).
</p>
<p>The <samp>--with-target</samp> option implies <samp>--verbose</samp> and will append 
an additional flag <code>T</code> followed by a single space then an element path. 
The appended element path is the resolved path (see <a href="#REALPATH">REALPATH</a>) of the 
current element when it contains a <var>target</var> attribute. When no 
<var>target</var> attribute is found then no flag will be appended.
</p>
<p>The <samp>--no-recurse</samp> option limits the amount of data returned to only 
the listing of children of the specified element path and not any 
grandchildren.
</p>
<p>The <samp>--all</samp> option lists the entire element tree for each root 
element. This option also implies option <samp>--verbose</samp>.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="LOCK"></a>
<div class="header">
<p>
Next: <a href="#LS" accesskey="n" rel="next">LS</a>, Previous: <a href="#LIST" accesskey="p" rel="prev">LIST</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="LOCK-command"></a>
<h2 class="chapter">24 LOCK command</h2>
<a name="index-LOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LOCK
</pre></div>

<p>Locks the mutex associated with the opened file. This prevents other clients 
from sending commands to the same opened file until the client 
that sent this command either disconnects or sends the <code>UNLOCK</code> 
command. See <a href="#UNLOCK">UNLOCK</a>.
</p>

<hr>
<a name="LS"></a>
<div class="header">
<p>
Next: <a href="#MOVE" accesskey="n" rel="next">MOVE</a>, Previous: <a href="#LOCK" accesskey="p" rel="prev">LOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="LS-command"></a>
<h2 class="chapter">25 LS command</h2>
<a name="index-LS-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">LS
</pre></div>

<p>Lists the available data files stored in the data directory 
(<samp>~/.pwmd/data</samp>). The result is a newline separated list of filenames.
</p>

<hr>
<a name="MOVE"></a>
<div class="header">
<p>
Next: <a href="#NOP" accesskey="n" rel="next">NOP</a>, Previous: <a href="#LS" accesskey="p" rel="prev">LS</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="MOVE-command"></a>
<h2 class="chapter">26 MOVE command</h2>
<a name="index-MOVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">MOVE [--inquire] [!]source[&lt;TAB&gt;[!]child[..]] [[!]dest[&lt;TAB&gt;[!]child[..]]]
</pre></div>

<p>Moves the source element path to the destination element path. If the 
destination is not specified then it will be moved to the root node of the 
document. If the destination is specified and exists then it will be 
overwritten; otherwise non-existing elements of the destination element 
path will be created.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="NOP"></a>
<div class="header">
<p>
Next: <a href="#OPEN" accesskey="n" rel="next">OPEN</a>, Previous: <a href="#MOVE" accesskey="p" rel="prev">MOVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="NOP-command"></a>
<h2 class="chapter">27 NOP command</h2>
<a name="index-NOP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">NOP
</pre></div>

<p>Does nothing. Always returns successfully.
</p>

<hr>
<a name="OPEN"></a>
<div class="header">
<p>
Next: <a href="#OPTION" accesskey="n" rel="next">OPTION</a>, Previous: <a href="#NOP" accesskey="p" rel="prev">NOP</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="OPEN-command"></a>
<h2 class="chapter">28 OPEN command</h2>
<a name="index-OPEN-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">OPEN [--lock] &lt;filename&gt; [&lt;passphrase&gt;]
</pre></div>

<p>Opens <var>filename</var> using <var>passphrase</var>. When the filename is not 
found on the file-system  then a new document will be created. If the file 
is found, it is looked for in the file cache. If cached and no 
<var>passphrase</var> was specified then the cached document is opened. When not 
cached, <cite>pinentry(1)</cite> will be used to retrieve the passphrase to use 
for decryption unless <samp>disable-pinentry</samp> (see <a href="#OPTION">OPTION</a>) was 
specified.
</p>
<p>When the <samp>--lock</samp> option is passed then the file mutex will be 
locked as if the <code>LOCK</code> command (see <a href="#LOCK">LOCK</a>) had been sent after the 
file has been opened.
</p>

<hr>
<a name="OPTION"></a>
<div class="header">
<p>
Next: <a href="#PASSWD" accesskey="n" rel="next">PASSWD</a>, Previous: <a href="#OPEN" accesskey="p" rel="prev">OPEN</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="OPTION-command"></a>
<h2 class="chapter">29 OPTION command</h2>
<a name="index-OPTION-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">OPTION &lt;NAME&gt;=&lt;VALUE&gt;
</pre></div>

<p>Sets a client option <var>name</var> to <var>value</var>. The value for an option is 
kept for the duration of the connection.
</p>
<dl compact="compact">
<dt>DISABLE-PINENTRY</dt>
<dd><p>Disable use of <code>pinentry</code> for passphrase retrieval. When set, a 
server inquire is sent to the client to obtain the passphrase. This option 
may be set as needed before the <code>OPEN</code> (see <a href="#OPEN">OPEN</a>), <code>PASSWD</code> 
(see <a href="#PASSWD">PASSWD</a>) and <code>SAVE</code> (see <a href="#SAVE">SAVE</a>) commands.
</p>
</dd>
<dt>PINENTRY-TIMEOUT</dt>
<dd><p>Sets the number of seconds before a pinentry prompt will return an error 
while waiting for user input.
</p>
</dd>
<dt>TTYNAME</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>TTYTYPE</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>DISPLAY</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>PINENTRY-DESC</dt>
<dd><p>Sets the description string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
</p>
</dd>
<dt>PINENTRY-TITLE</dt>
<dd><p>Sets the title string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
</p>
</dd>
<dt>PINENTRY-PROMPT</dt>
<dd><p>Sets the prompt string of the <code>gpg-agent</code> and <code>pinentry</code> dialog.
</p>
</dd>
<dt>LC-CTYPE</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>LC-MESSAGES</dt>
<dd><p>Passed to the <code>gpg-agent</code> and used for the <code>pinentry</code> dialog.
</p>
</dd>
<dt>NAME</dt>
<dd><p>Associates the thread ID of the connection with the specified textual 
representation. Useful for debugging log messages. May not contain whitespace.
</p>
</dd>
<dt>LOCK-TIMEOUT</dt>
<dd><p>When not <code>0</code>, the duration in tenths of a second to wait for the file 
mutex which has been locked by another thread to be released before returning 
an error. When <code>-1</code>, then an error will be returned immediately.
</p>
</dd>
<dt>LOG-LEVEL</dt>
<dd><p>An integer specifiying the logging level.
</p></dd>
</dl>


<hr>
<a name="PASSWD"></a>
<div class="header">
<p>
Next: <a href="#REALPATH" accesskey="n" rel="next">REALPATH</a>, Previous: <a href="#OPTION" accesskey="p" rel="prev">OPTION</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="PASSWD-command"></a>
<h2 class="chapter">30 PASSWD command</h2>
<a name="index-PASSWD-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">PASSWD [--reset] [--s2k-count=N] [--no-passphrase]
</pre></div>

<p>Changes the passphrase of the secret key required to open the current 
file or the passphrase of a symmetrically encrypted data file. When the 
<samp>--reset</samp> option is passed then the cache entry for the current 
file will be reset and the passphrase, if any, will be required during the 
next <code>OPEN</code> (see <a href="#OPEN">OPEN</a>).
</p>
<p>The <samp>--s2k-count</samp> option sets or changes (see <a href="#SAVE">SAVE</a>) the number 
of hash iterations for a passphrase and must be either <code>0</code> to use 
the calibrated count of the machine (the default), or a value greater than 
or equal to <code>65536</code>. This option has no effect for symmetrically 
encrypted data files.
</p>
<p>The <samp>--no-passphrase</samp> option will prevent requiring a passphrase for 
the data file, although a passphrase may be required when changing it.
</p>
<p>This command is not available for non-invoking clients 
(see <a href="#Access-Control">Access Control</a>).
</p>

<hr>
<a name="REALPATH"></a>
<div class="header">
<p>
Next: <a href="#RENAME" accesskey="n" rel="next">RENAME</a>, Previous: <a href="#PASSWD" accesskey="p" rel="prev">PASSWD</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="REALPATH-command"></a>
<h2 class="chapter">31 REALPATH command</h2>
<a name="index-REALPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">REALPATH [--inquire] [!]element[&lt;TAB&gt;[!]child[..]]
</pre></div>

<p>Resolves all <code>target</code> attributes of the specified element path and 
returns the result with a data response. See <a href="#Target-Attribute">Target Attribute</a>, for details.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="RENAME"></a>
<div class="header">
<p>
Next: <a href="#RESET" accesskey="n" rel="next">RESET</a>, Previous: <a href="#REALPATH" accesskey="p" rel="prev">REALPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="RENAME-command"></a>
<h2 class="chapter">32 RENAME command</h2>
<a name="index-RENAME-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">RENAME [--inquire] [!]element[&lt;TAB&gt;[!]child[..]] &lt;value&gt;
</pre></div>

<p>Renames the specified <var>element</var> to the new <var>value</var>. If an element of 
the same name as the <var>value</var> already exists it will be overwritten.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
<a name="RESET"></a>
<div class="header">
<p>
Next: <a href="#SAVE" accesskey="n" rel="next">SAVE</a>, Previous: <a href="#RENAME" accesskey="p" rel="prev">RENAME</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="RESET-command"></a>
<h2 class="chapter">33 RESET command</h2>
<a name="index-RESET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">RESET
</pre></div>

<p>Closes the currently opened file but keeps any previously set client options.
</p>

<hr>
<a name="SAVE"></a>
<div class="header">
<p>
Next: <a href="#STORE" accesskey="n" rel="next">STORE</a>, Previous: <a href="#RESET" accesskey="p" rel="prev">RESET</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="SAVE-command"></a>
<h2 class="chapter">34 SAVE command</h2>
<a name="index-SAVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">SAVE [--no-passphrase] [--reset] [--ask] [--no-agent] [--s2k-count=N] [--cipher=&lt;algo&gt;] [--cipher-iterations=N] [--inquire-keyparam] [--keygrip=hexstring] [--sign-keygrip=hexstring]
</pre></div>

<p>Writes the <abbr>XML</abbr> document to disk. The file written to is the file that 
was opened using the <code>OPEN</code> command (see <a href="#OPEN">OPEN</a>). If the file is a 
new one or the option <samp>--inquire-keyparam</samp> was passed, then a new 
keypair will be generated and a pinentry will be used to prompt for the 
passphrase to encrypt with unless the <samp>--no-passphrase</samp> option was 
passed in which case the data file will not be passphrase protected. 
</p>
<p>The <samp>--no-agent</samp> option disables use of <code>gpg-agent</code> for 
passphrase retrieval and caching of new files when <code>gpg-agent</code> 
use is enabled. The datafile will be symmetrically encrypted and will not 
use or generate any keypair.
</p>
<p>The <samp>--reset</samp> option will clear the cache entry for the current file 
and require a passphrase, if needed, before saving.
</p>
<p>The <samp>--ask</samp> option will prompt for the passphrase of the current file, 
if needed, before saving. This differs from the <samp>--reset</samp> option by 
keeping the cache entry in case of an invalid passphrase or some other failure 
which may otherwise cause a denial of service for other clients.
</p>
<p>The <samp>--cipher</samp> option can be used to encrypt the <abbr>XML</abbr> data to 
an alternate cipher. The default is <code>aes256</code>. See the Configuration 
(see <a href="#Configuration">Configuration</a>) for available ciphers.
</p>
<p>The <samp>--cipher-iterations</samp> option specifies the number of times to 
hash the passphrase before encrypting the XML data. The default is 
<code>5000000</code>. This option is an alias for <samp>--s2k-count</samp> since 
version <var>3.0.15</var> of <code>pwmd</code>.
</p>
<p>The <samp>--inquire-keyparam</samp> option will send a server <em>INQUIRE</em> to 
the client to obtain the key paramaters to use when generating a new 
keypair. The inquired data is expected to be an S-expression. If not 
specified then an &lsquo;<samp>RSA</samp>&rsquo; key of &lsquo;<samp>2048</samp>&rsquo; bits will be generated 
unless otherwise set in the configuration file (see <a href="#Configuration">Configuration</a>). Note 
that when this option is specified a new keypair will be generated 
reguardless if the file is a new one and that if the data file is protected 
the passphrase to open it will be required before generating the new 
keypair. This option is not available for non-invoking clients 
(see <a href="#Access-Control">Access Control</a>).
</p>
<p>You can encrypt the data file to a public key other than the one that it 
was originally encrypted with by passing the <samp>--keygrip</samp> option with 
the hex encoded keygrip of the public key as its argument. The keygrip may 
be of any key that <code>gpg-agent</code> knows about. The 
<samp>--sign-keygrip</samp> option may also be used to sign with an alternate 
secret key. Use the <code>KEYGRIP</code> (see <a href="#KEYGRIP">KEYGRIP</a>) command to obtain the 
keygrip of an existing data file. This option may be needed when using a 
smartcard. This option has no effect with symmetrically encrypted data 
files. These options are not available for non-invoking clients 
(see <a href="#Access-Control">Access Control</a>).
</p>
<p>The <samp>--s2k-count</samp> option sets number of hash iterations for a 
passphrase. A value less-than <code>65536</code> will use the machine calibrated 
value and is the default when using <code>gpg-agent</code>. This setting only 
affects new files when using <code>gpg-agent</code>. To change the setting use 
the <code>PASSWD</code> command (see <a href="#PASSWD">PASSWD</a>). This option is an alias for 
option <samp>--cipher-iterations</samp> when not using <code>gpg-agent</code>.
</p>

<hr>
<a name="STORE"></a>
<div class="header">
<p>
Next: <a href="#UNLOCK" accesskey="n" rel="next">UNLOCK</a>, Previous: <a href="#SAVE" accesskey="p" rel="prev">SAVE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="STORE-command"></a>
<h2 class="chapter">35 STORE command</h2>
<a name="index-STORE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">STORE [!]element[&lt;TAB&gt;[!]child[..]]&lt;TAB&gt;[content]
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
</p>
<p>Creates a new element path or modifies the <var>content</var> of an existing 
element. If only a single element is specified then a new root element is 
created. Otherwise, elements are <tt class="key">TAB</tt> delimited and the content will be 
set to the final <tt class="key">TAB</tt> delimited element. If no <var>content</var> is 
specified after the final <tt class="key">TAB</tt>, then the content of an existing 
element will be removed; or empty when creating a new element.
</p>
<p>The only restriction of an element name is that it not contain whitespace 
or begin with the literal element character <code>!</code> unless specifying a 
literal element (see <a href="#Target-Attribute">Target Attribute</a>). There is no whitespace between 
the <tt class="key">TAB</tt> delimited elements. It is recommended that the content of an 
element be base64 encoded when it contains control or <tt class="key">TAB</tt> characters 
to prevent <abbr>XML</abbr> parsing and <code>pwmd</code> syntax errors.
</p>

<hr>
<a name="UNLOCK"></a>
<div class="header">
<p>
Next: <a href="#XPATH" accesskey="n" rel="next">XPATH</a>, Previous: <a href="#STORE" accesskey="p" rel="prev">STORE</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="UNLOCK-command"></a>
<h2 class="chapter">36 UNLOCK command</h2>
<a name="index-UNLOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">UNLOCK
</pre></div>

<p>Unlocks the file mutex which was locked with the <code>LOCK</code> command or 
a commands&rsquo; <samp>--lock</samp> option (see <a href="#LOCK">LOCK</a>, see <a href="#OPEN">OPEN</a>, 
see <a href="#ISCACHED">ISCACHED</a>).
</p>

<hr>
<a name="XPATH"></a>
<div class="header">
<p>
Next: <a href="#XPATHATTR" accesskey="n" rel="next">XPATHATTR</a>, Previous: <a href="#UNLOCK" accesskey="p" rel="prev">UNLOCK</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="XPATH-command"></a>
<h2 class="chapter">37 XPATH command</h2>
<a name="index-XPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATH [--inquire] &lt;expression&gt;[&lt;TAB&gt;[value]]
</pre></div>

<p>Evaluates an XPath <var>expression</var>. If no <var>value</var> argument is 
specified it is assumed the expression is a request to return a result. 
Otherwise, the result is set to the <var>value</var> argument and the document is 
updated. If there is no <var>value</var> after the <tt class="key">TAB</tt> character, the value 
is assumed to be empty and the document is updated. For example:
</p><br>
<div class="example">
<pre class="example">XPATH //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would clear the content of all <code>password</code> elements in the data file 
while leaving off the trailing <tt class="key">TAB</tt> would return all <code>password</code> 
elements in <abbr>XML</abbr> format.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>
<p>See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>

<hr>
<a name="XPATHATTR"></a>
<div class="header">
<p>
Previous: <a href="#XPATH" accesskey="p" rel="prev">XPATH</a>, Up: <a href="#Commands" accesskey="u" rel="up">Commands</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="XPATHATTR-command"></a>
<h2 class="chapter">38 XPATHATTR command</h2>
<a name="index-XPATHATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATHATTR [--inquire] SET|DELETE &lt;name&gt; &lt;expression&gt;[&lt;TAB&gt;[&lt;value&gt;]]
</pre></div>

<p>Like the <code>XPATH</code> command (see <a href="#XPATH">XPATH</a>) but operates on element 
attributes and does not return a result. For the <var>SET</var> operation the 
<var>value</var> is optional but the field is required. If not specified then 
the attribute value will be empty. For example:
</p><br>
<div class="example">
<pre class="example">XPATHATTR SET password //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would create an <code>password</code> attribute for each <code>password</code> element 
found in the document. The attribute value will be empty but still exist.
</p>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>
<p>See <a href="http://www.w3schools.com/xpath/xpath_syntax.asp">http://www.w3schools.com/xpath/xpath_syntax.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>


<hr>
<a name="Status-Messages"></a>
<div class="header">
<p>
Next: <a href="#Target-Attribute" accesskey="n" rel="next">Target Attribute</a>, Previous: <a href="#Commands" accesskey="p" rel="prev">Commands</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Status-messages-and-their-meanings"></a>
<h2 class="chapter">39 Status messages and their meanings</h2>
<p>Some commands send status messages to inform the client about certain
operations or as a progress indicator.  Status messages begin with a
<code>KEYWORD</code> followed by a status description for status messages that
require it. What status messages are sent, when, and how often may depend on
configuration settings (see <a href="#Configuration">Configuration</a>). A status message sent from
<code>gpg-agent</code> (See <a href="http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html#Invoking-GPG_002dAGENT">(gnupg)Invoking GPG-AGENT</a>) is also forwarded to
the client.
</p>
<table>
<thead><tr><th width="20%">Message</th><th width="25%">Parameters</th><th width="55%">Description</th></tr></thead>
<tr><td width="20%">CACHE
<a name="index-CACHE"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of cached documents. Sent to each client after connecting
(see <a href="#GETINFO">GETINFO</a>) and after every cache modification.</td></tr>
<tr><td width="20%">CLIENTS
<a name="index-CLIENTS"></a></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of connected clients (see <a href="#GETINFO">GETINFO</a>). Sent to each client
when another client either connects or disconnects.</td></tr>
<tr><td width="20%">DECRYPT
<a name="index-DECRYPT"></a></td><td width="25%"><code>&lt;current&gt;</code> <code>&lt;total&gt;</code></td><td width="55%">Sent to the current client during a decrypt operation.</td></tr>
<tr><td width="20%">ENCRYPT
<a name="index-ENCRYPT"></a></td><td width="25%"><code>&lt;current&gt;</code> <code>&lt;total&gt;</code></td><td width="55%">Sent to the current client during an  encrypt operation.</td></tr>
<tr><td width="20%">GENKEY
<a name="index-GENKEY"></a></td><td width="25%"></td><td width="55%">Sent once to the current client just before generating a new key-pair.</td></tr>
<tr><td width="20%">INQUIRE_MAXLEN
<a name="index-INQUIRE_005fMAXLEN"></a></td><td width="25%"><code>&lt;bytes&gt;</code></td><td width="55%">Sent to the client from <code>gpg-agent</code> when inquiring data. This
specifies the maximum number of bytes allowed for the client to send and
should not be exceeded.</td></tr>
<tr><td width="20%">KEEPALIVE
<a name="index-KEEPALIVE"></a></td><td width="25%"></td><td width="55%">Sent to each idle client every <var>keepalive_interval</var>
(see <a href="#Configuration">Configuration</a>) seconds.</td></tr>
<tr><td width="20%">LOCKED
<a name="index-LOCKED"></a></td><td width="25%"></td><td width="55%">Sent to the current client when another client is holding the lock for
the mutex associated with a file.</td></tr>
<tr><td width="20%">NEWFILE
<a name="index-NEWFILE"></a></td><td width="25%"></td><td width="55%">Sent to the current client when the opened (see <a href="#OPEN">OPEN</a>) file does not
exist on the file-system.</td></tr>
<tr><td width="20%">XFER
<a name="index-XFER"></a></td><td width="25%"><code>&lt;sent&gt; &lt;total&gt;</code></td><td width="55%">Sent to the current client when transferring data. It has two space
delimited arguments. The first being the current amount of bytes transferred
and the other being the total bytes to be transferred.</td></tr>
<tr><td width="20%">STATE
<a name="index-STATE"></a></td><td width="25%"><code>&lt;client_id&gt; &lt;state&gt;</code></td><td width="55%">Sent to all connected clients to indicate that <var>client_id</var> has
changed to <var>state</var> (see <a href="#GETINFO">GETINFO</a> to describe the available client
states).</td></tr>
</table>

<hr>
<a name="Target-Attribute"></a>
<div class="header">
<p>
Next: <a href="#Signals" accesskey="n" rel="next">Signals</a>, Previous: <a href="#Status-Messages" accesskey="p" rel="prev">Status Messages</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="The-target-attribute"></a>
<h2 class="chapter">40 The <code>target</code> attribute</h2>
<a name="index-target-attribute"></a>
<p>A <em>case sensitive</em> attribute named <code>target</code> is treated specially
when found in each element of an element path. This attribute, like other
element attributes, is created or modified with the <code>ATTR</code> command
(see <a href="#ATTR">ATTR</a>). The value of this attribute is an existing element path
somewhere in the document.  If you are familiar with <abbr>XML</abbr> entities or
maybe the <abbr>HTML</abbr> <code>id</code> or <code>target</code> attributes or a symbolic link
in a file-system, you may find this attribute behaves similar to any of those.
</p>
<p>To create a <code>target</code> attribute use the following syntax:
</p>
<div class="example">
<pre class="example">ATTR SET target [!]element[<span class="key">TAB</span>[!]child[..]] [!]element[<span class="key">TAB</span>[!]child[..]]
</pre></div>

<p>Note the single space between the two element paths. The first element path is
where the <code>target</code> attribute will be created. If the element path does
not exist then it will be created.  This is the only time the <code>ATTR</code>
(see <a href="#ATTR">ATTR</a>) command will create elements. The attribute is created in the
final element of the first element path.
</p>
<p>The second element path is the destination of where you want the first element
path to resolve to. When an element path is passed as an argument to a
protocol command <code>pwmd</code> looks for a <code>target</code> attribute when
resolving each element and, if found, &quot;jumps&quot; to the attribute value and
continues resolving any remaining elements.  When you want to avoid the
<code>target</code> attribute for any element of an element path then prefix the
element with the literal element character &lsquo;<samp>!</samp>&rsquo;.
</p>
<p>When an element of a element path is removed that a <code>target</code> attribute
resolves to then an error will occur when trying to access that element. You
may need to either update the <code>target</code> attribute value with a new element
path or remove the attribute entirely. Remember that since the element
contains the <code>target</code> attribute it will need to be prefixed with the
literal element character &lsquo;<samp>!</samp>&rsquo; when specifying the element path to prevent
<code>pwmd</code> from trying to resolve the <code>target</code> attribute. For
example, to remove a <code>target</code> attribute for an element containing it:
</p>
<div class="example">
<pre class="example">ATTR DELETE target path<span class="key">TAB</span>to<span class="key">TAB</span>!element
</pre></div>

<p>Clients should be careful of creating <code>target</code> loops, or targets that
resolve to themselves. See the <var>recursion_depth</var> (see <a href="#Configuration">Configuration</a>)
configuration parameter for details.
</p>
<p>The <code>REALPATH</code> command (see <a href="#REALPATH">REALPATH</a>) can be used to show the element
path after resolving all <code>target</code> attributes.
</p>

<hr>
<a name="Signals"></a>
<div class="header">
<p>
Next: <a href="#Concept-Index" accesskey="n" rel="next">Concept Index</a>, Previous: <a href="#Target-Attribute" accesskey="p" rel="prev">Target Attribute</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Recognized-signals"></a>
<h2 class="chapter">41 Recognized signals</h2>

<p>Sending the <em>SIGHUP</em> signal to a <code>pwmd</code> process will reload the
configuration file and sending <em>SIGUSR1</em> will clear the entire file
cache.
</p>


<hr>
<a name="Concept-Index"></a>
<div class="header">
<p>
Previous: <a href="#Signals" accesskey="p" rel="prev">Signals</a>, Up: <a href="#Top" accesskey="u" rel="up">Top</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>]</p>
</div>
<a name="Concept-Index-1"></a>
<h2 class="unnumbered">Concept Index</h2>


<a name="SEC_Overview"></a>
<h2 class="shortcontents-heading">Short Table of Contents</h2>

<div class="shortcontents">
<ul class="no-bullet">
<li><a name="stoc-Overview-of-pwmd" href="#toc-Overview-of-pwmd">1 Overview of <code>pwmd</code></a></li>
<li><a name="stoc-Access-Control-1" href="#toc-Access-Control-1">2 Access Control</a></li>
<li><a name="stoc-Invoking-pwmd" href="#toc-Invoking-pwmd">3 Invoking <code>pwmd</code></a></li>
<li><a name="stoc-pwmd-configuration-file-options" href="#toc-pwmd-configuration-file-options">4 <code>pwmd</code> configuration file options</a></li>
<li><a name="stoc-Configuring-remote-connections-over-TLS_002e" href="#toc-Configuring-remote-connections-over-TLS_002e">5 Configuring remote connections over TLS.</a></li>
<li><a name="stoc-Pinentry-configuration" href="#toc-Pinentry-configuration">6 Pinentry configuration</a></li>
<li><a name="stoc-Protocol-commands-and-their-syntax" href="#toc-Protocol-commands-and-their-syntax">7 Protocol commands and their syntax</a></li>
<li><a name="stoc-AGENT-command" href="#toc-AGENT-command">8 AGENT command</a></li>
<li><a name="stoc-ATTR-command" href="#toc-ATTR-command">9 ATTR command</a></li>
<li><a name="stoc-CACHETIMEOUT-command" href="#toc-CACHETIMEOUT-command">10 CACHETIMEOUT command</a></li>
<li><a name="stoc-CLEARCACHE-command" href="#toc-CLEARCACHE-command">11 CLEARCACHE command</a></li>
<li><a name="stoc-COPY-command" href="#toc-COPY-command">12 COPY command</a></li>
<li><a name="stoc-DELETE-command" href="#toc-DELETE-command">13 DELETE command</a></li>
<li><a name="stoc-DUMP-command" href="#toc-DUMP-command">14 DUMP command</a></li>
<li><a name="stoc-GET-command" href="#toc-GET-command">15 GET command</a></li>
<li><a name="stoc-GETCONFIG-command" href="#toc-GETCONFIG-command">16 GETCONFIG command</a></li>
<li><a name="stoc-GETINFO-command" href="#toc-GETINFO-command">17 GETINFO command</a></li>
<li><a name="stoc-HELP-command" href="#toc-HELP-command">18 HELP command</a></li>
<li><a name="stoc-IMPORT-command" href="#toc-IMPORT-command">19 IMPORT command</a></li>
<li><a name="stoc-ISCACHED-command" href="#toc-ISCACHED-command">20 ISCACHED command</a></li>
<li><a name="stoc-KEYGRIP-command" href="#toc-KEYGRIP-command">21 KEYGRIP command</a></li>
<li><a name="stoc-KILL-command" href="#toc-KILL-command">22 KILL command</a></li>
<li><a name="stoc-LIST-command" href="#toc-LIST-command">23 LIST command</a></li>
<li><a name="stoc-LOCK-command" href="#toc-LOCK-command">24 LOCK command</a></li>
<li><a name="stoc-LS-command" href="#toc-LS-command">25 LS command</a></li>
<li><a name="stoc-MOVE-command" href="#toc-MOVE-command">26 MOVE command</a></li>
<li><a name="stoc-NOP-command" href="#toc-NOP-command">27 NOP command</a></li>
<li><a name="stoc-OPEN-command" href="#toc-OPEN-command">28 OPEN command</a></li>
<li><a name="stoc-OPTION-command" href="#toc-OPTION-command">29 OPTION command</a></li>
<li><a name="stoc-PASSWD-command" href="#toc-PASSWD-command">30 PASSWD command</a></li>
<li><a name="stoc-REALPATH-command" href="#toc-REALPATH-command">31 REALPATH command</a></li>
<li><a name="stoc-RENAME-command" href="#toc-RENAME-command">32 RENAME command</a></li>
<li><a name="stoc-RESET-command" href="#toc-RESET-command">33 RESET command</a></li>
<li><a name="stoc-SAVE-command" href="#toc-SAVE-command">34 SAVE command</a></li>
<li><a name="stoc-STORE-command" href="#toc-STORE-command">35 STORE command</a></li>
<li><a name="stoc-UNLOCK-command" href="#toc-UNLOCK-command">36 UNLOCK command</a></li>
<li><a name="stoc-XPATH-command" href="#toc-XPATH-command">37 XPATH command</a></li>
<li><a name="stoc-XPATHATTR-command" href="#toc-XPATHATTR-command">38 XPATHATTR command</a></li>
<li><a name="stoc-Status-messages-and-their-meanings" href="#toc-Status-messages-and-their-meanings">39 Status messages and their meanings</a></li>
<li><a name="stoc-The-target-attribute" href="#toc-The-target-attribute">40 The <code>target</code> attribute</a></li>
<li><a name="stoc-Recognized-signals" href="#toc-Recognized-signals">41 Recognized signals</a></li>
<li><a name="stoc-Concept-Index-1" href="#toc-Concept-Index-1">Concept Index</a></li>

</ul>
</div>

<a name="SEC_Contents"></a>
<h2 class="contents-heading">Table of Contents</h2>

<div class="contents">
<ul class="no-bullet">
<li><a name="toc-Overview-of-pwmd" href="#Introduction">1 Overview of <code>pwmd</code></a></li>
<li><a name="toc-Access-Control-1" href="#Access-Control">2 Access Control</a></li>
<li><a name="toc-Invoking-pwmd" href="#Invoking">3 Invoking <code>pwmd</code></a></li>
<li><a name="toc-pwmd-configuration-file-options" href="#Configuration">4 <code>pwmd</code> configuration file options</a></li>
<li><a name="toc-Configuring-remote-connections-over-TLS_002e" href="#TLS">5 Configuring remote connections over TLS.</a></li>
<li><a name="toc-Pinentry-configuration" href="#Pinentry">6 Pinentry configuration</a></li>
<li><a name="toc-Protocol-commands-and-their-syntax" href="#Commands">7 Protocol commands and their syntax</a></li>
<li><a name="toc-AGENT-command" href="#AGENT">8 AGENT command</a></li>
<li><a name="toc-ATTR-command" href="#ATTR">9 ATTR command</a></li>
<li><a name="toc-CACHETIMEOUT-command" href="#CACHETIMEOUT">10 CACHETIMEOUT command</a></li>
<li><a name="toc-CLEARCACHE-command" href="#CLEARCACHE">11 CLEARCACHE command</a></li>
<li><a name="toc-COPY-command" href="#COPY">12 COPY command</a></li>
<li><a name="toc-DELETE-command" href="#DELETE">13 DELETE command</a></li>
<li><a name="toc-DUMP-command" href="#DUMP">14 DUMP command</a></li>
<li><a name="toc-GET-command" href="#GET">15 GET command</a></li>
<li><a name="toc-GETCONFIG-command" href="#GETCONFIG">16 GETCONFIG command</a></li>
<li><a name="toc-GETINFO-command" href="#GETINFO">17 GETINFO command</a></li>
<li><a name="toc-HELP-command" href="#HELP">18 HELP command</a></li>
<li><a name="toc-IMPORT-command" href="#IMPORT">19 IMPORT command</a></li>
<li><a name="toc-ISCACHED-command" href="#ISCACHED">20 ISCACHED command</a></li>
<li><a name="toc-KEYGRIP-command" href="#KEYGRIP">21 KEYGRIP command</a></li>
<li><a name="toc-KILL-command" href="#KILL">22 KILL command</a></li>
<li><a name="toc-LIST-command" href="#LIST">23 LIST command</a></li>
<li><a name="toc-LOCK-command" href="#LOCK">24 LOCK command</a></li>
<li><a name="toc-LS-command" href="#LS">25 LS command</a></li>
<li><a name="toc-MOVE-command" href="#MOVE">26 MOVE command</a></li>
<li><a name="toc-NOP-command" href="#NOP">27 NOP command</a></li>
<li><a name="toc-OPEN-command" href="#OPEN">28 OPEN command</a></li>
<li><a name="toc-OPTION-command" href="#OPTION">29 OPTION command</a></li>
<li><a name="toc-PASSWD-command" href="#PASSWD">30 PASSWD command</a></li>
<li><a name="toc-REALPATH-command" href="#REALPATH">31 REALPATH command</a></li>
<li><a name="toc-RENAME-command" href="#RENAME">32 RENAME command</a></li>
<li><a name="toc-RESET-command" href="#RESET">33 RESET command</a></li>
<li><a name="toc-SAVE-command" href="#SAVE">34 SAVE command</a></li>
<li><a name="toc-STORE-command" href="#STORE">35 STORE command</a></li>
<li><a name="toc-UNLOCK-command" href="#UNLOCK">36 UNLOCK command</a></li>
<li><a name="toc-XPATH-command" href="#XPATH">37 XPATH command</a></li>
<li><a name="toc-XPATHATTR-command" href="#XPATHATTR">38 XPATHATTR command</a></li>
<li><a name="toc-Status-messages-and-their-meanings" href="#Status-Messages">39 Status messages and their meanings</a></li>
<li><a name="toc-The-target-attribute" href="#Target-Attribute">40 The <code>target</code> attribute</a></li>
<li><a name="toc-Recognized-signals" href="#Signals">41 Recognized signals</a></li>
<li><a name="toc-Concept-Index-1" href="#Concept-Index">Concept Index</a></li>

</ul>
</div>

<hr>



</body>
</html>