docs: Update yat2m.

[pwmd.git] / doc / pwmd.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.8, https://www.gnu.org/software/texinfo/ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>pwmd Manual</title>

<meta name="description" content="pwmd Manual">
<meta name="keywords" content="pwmd Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta name="viewport" content="width=device-width,initial-scale=1">

<link href="#Top" rel="start" title="Top">
<link href="#Index" rel="index" title="Index">
<link href="#SEC_Contents" rel="contents" title="Table of Contents">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.copiable-anchor {visibility: hidden; text-decoration: none; line-height: 0em}
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
span:hover a.copiable-anchor {visibility: visible}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en">
<h1 class="settitle" align="center">pwmd Manual</h1>




<div class="top" id="Top">
<div class="header">
<p>
Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="SEC_Top"></span>
 

<div class="Contents_element" id="SEC_Contents">
<h2 class="contents-heading">Table of Contents</h2>

<div class="contents">

<ul class="no-bullet">
  <li><a id="toc-Overview-of-pwmd" href="#Introduction">1 Overview of <code>pwmd</code></a></li>
  <li><a id="toc-Access-Control-1" href="#Access-Control">2 Access Control</a></li>
  <li><a id="toc-Cache-Control-1" href="#Cache-Control">3 Cache Control</a></li>
  <li><a id="toc-Invoking-pwmd" href="#Invoking">4 Invoking <code>pwmd</code></a></li>
  <li><a id="toc-pwmd-configuration-file-options" href="#Configuration">5 <code>pwmd</code> configuration file options</a></li>
  <li><a id="toc-Configuring-remote-connections-over-TLS_002e" href="#TLS">6 Configuring remote connections over TLS.</a></li>
  <li><a id="toc-Pinentry-configuration" href="#Pinentry">7 Pinentry configuration</a></li>
  <li><a id="toc-Protocol-commands-and-their-syntax" href="#Commands">8 Protocol commands and their syntax</a>
  <ul class="no-bullet">
    <li><a id="toc-Modifying-element-attributes_002e" href="#ATTR">8.1 Modifying element attributes.</a></li>
    <li><a id="toc-Run-a-series-of-commands-in-sequence_002e" href="#BULK">8.2 Run a series of commands in sequence.</a></li>
    <li><a id="toc-Setting-the-cache-timeout_002e" href="#CACHETIMEOUT">8.3 Setting the cache timeout.</a></li>
    <li><a id="toc-Removing-a-cache-entry_002e" href="#CLEARCACHE">8.4 Removing a cache entry.</a></li>
    <li><a id="toc-Copying-an-element_002e" href="#COPY">8.5 Copying an element.</a></li>
    <li><a id="toc-Deleting-an-element_002e" href="#DELETE">8.6 Deleting an element.</a></li>
    <li><a id="toc-Deleting-a-key-from-the-key-ring_002e" href="#DELETEKEY">8.7 Deleting a key from the key ring.</a></li>
    <li><a id="toc-Showing-the-XML-document_002e" href="#DUMP">8.8 Showing the XML document.</a></li>
    <li><a id="toc-Generating-a-new-key_002e" href="#GENKEY">8.9 Generating a new key.</a></li>
    <li><a id="toc-Getting-the-content-of-an-element_002e" href="#GET">8.10 Getting the content of an element.</a></li>
    <li><a id="toc-Obtaining-a-configuration-value_002e" href="#GETCONFIG">8.11 Obtaining a configuration value.</a></li>
    <li><a id="toc-Obtaining-server-and-client-information_002e" href="#GETINFO">8.12 Obtaining server and client information.</a></li>
    <li><a id="toc-Showing-available-commands_002e" href="#HELP">8.13 Showing available commands.</a></li>
    <li><a id="toc-Creating-elements-from-XML_002e" href="#IMPORT">8.14 Creating elements from XML.</a></li>
    <li><a id="toc-Testing-cache-status_002e" href="#ISCACHED">8.15 Testing cache status.</a></li>
    <li><a id="toc-Showing-keys-used-for-the-current-data-file_002e" href="#KEYINFO">8.16 Showing keys used for the current data file.</a></li>
    <li><a id="toc-Terminating-another-client_002e" href="#KILL">8.17 Terminating another client.</a></li>
    <li><a id="toc-Showing-document-elements_002e" href="#LIST">8.18 Showing document elements.</a></li>
    <li><a id="toc-Listing-keys-in-the-key-ring_002e" href="#LISTKEYS">8.19 Listing keys in the key ring.</a></li>
    <li><a id="toc-Locking-the-current-data-file_002e" href="#LOCK">8.20 Locking the current data file.</a></li>
    <li><a id="toc-Showing-available-data-files_002e" href="#LS">8.21 Showing available data files.</a></li>
    <li><a id="toc-Moving-an-element_002e" href="#MOVE">8.22 Moving an element.</a></li>
    <li><a id="toc-Testing-the-connection_002e" href="#NOP">8.23 Testing the connection.</a></li>
    <li><a id="toc-Opening-a-data-file_002e" href="#OPEN">8.24 Opening a data file.</a></li>
    <li><a id="toc-Setting-various-client-parameters_002e" href="#OPTION">8.25 Setting various client parameters.</a></li>
    <li><a id="toc-Changing-the-passphrase-for-a-key_002e" href="#PASSWD">8.26 Changing the passphrase for a key.</a></li>
    <li><a id="toc-Resolving-an-element_002e" href="#REALPATH">8.27 Resolving an element.</a></li>
    <li><a id="toc-Renaming-an-element_002e" href="#RENAME">8.28 Renaming an element.</a></li>
    <li><a id="toc-Resetting-the-client-state_002e" href="#RESET">8.29 Resetting the client state.</a></li>
    <li><a id="toc-Saving-document-changes-to-disk_002e" href="#SAVE">8.30 Saving document changes to disk.</a></li>
    <li><a id="toc-Modifying-the-content-of-an-element_002e" href="#STORE">8.31 Modifying the content of an element.</a></li>
    <li><a id="toc-Removing-a-data-file-lock_002e" href="#UNLOCK">8.32 Removing a data file lock.</a></li>
    <li><a id="toc-Modifying-more-than-one-element_002e" href="#XPATH">8.33 Modifying more than one element.</a></li>
    <li><a id="toc-Modifying-more-than-one-element_0027s-attributes_002e" href="#XPATHATTR">8.34 Modifying more than one element&rsquo;s attributes.</a></li>
  </ul></li>
  <li><a id="toc-Running-multiple-commands-in-sequence" href="#Bulk-Commands">9 Running multiple commands in sequence</a></li>
  <li><a id="toc-Status-messages-and-their-meanings" href="#Status-Messages">10 Status messages and their meanings</a></li>
  <li><a id="toc-The-target-attribute" href="#Target-Attribute">11 The <code>target</code> attribute</a></li>
  <li><a id="toc-Other-special-attributes" href="#Other-Attributes">12 Other special attributes</a></li>
  <li><a id="toc-Key-Expiration-1" href="#Key-Expiration">13 Key Expiration</a></li>
  <li><a id="toc-Recognized-signals" href="#Signals">14 Recognized signals</a></li>
  <li><a id="toc-Index-1" href="#Index" rel="index">Index</a></li>
</ul>
</div>
</div>
<hr>
<div class="chapter" id="Introduction">
<div class="header">
<p>
Next: <a href="#Access-Control" accesskey="n" rel="next">Access Control</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Overview-of-pwmd"></span><h2 class="chapter">1 Overview of <code>pwmd</code></h2>






<p><em>Password Manager Daemon</em> (or <code>pwmd</code>) is a server that
applications connect to and send commands to put and get data that is stored
in an OpenPGP encrypted <acronym>XML</acronym> document. It mimics a filesystem in a
lot of ways including per element <acronym>ACL</acronym>&rsquo;s, but also has the advantage
of remote connections over <acronym>TLS</acronym> and a document cache. The document cache is
needed for a data file encrypted with secret keys stored on a smartcard.
</p>
<p>The server uses the Assuan protocol and is the same used by
<code>gpg-agent</code>, <code>pinentry</code>, <code>gpgme</code> and
<code>scdaemon</code>. It also uses <cite>libgpg-error</cite> for error reporting with
<var>GPG_ERR_SOURCE_USER_1</var> being the error source.
</p>

<p>The <acronym>XML</acronym> document uses the following <acronym>DTD</acronym>:
</p>
<div class="example">
<pre class="example">    &lt;?xml version=&quot;1.0&quot;?&gt;
    &lt;!DOCTYPE pwmd [
    &lt;!ELEMENT pwmd (element*)&gt;
    &lt;!ATTLIST element _name CDATA #REQUIRED&gt;
    ]&gt;
</pre></div>

<p>The <code>pwmd</code> element is the document root node while all other elements
of the document have the name <code>element</code> with an attribute <code>_name</code>
whose value uniquely identifies the element at the current element tree depth.
It is done this way to avoid <acronym>XML</acronym> parsing errors for commonly used
characters.  A <acronym>URL</acronym> for example would be an invalid <acronym>XML</acronym>
element since the <acronym>URI</acronym> contains a &lsquo;<samp>:</samp>&rsquo; which is also the
<acronym>XML</acronym> namespace separator.
</p>
<p>As mentioned, an element name must be unique for the current element tree
depth. You cannot have two elements containing the same <code>_name</code> attribute
value. <code>pwmd</code> will stop searching for an element of an <em>element
path</em> at the first match then continue searching for the next element of the
element path beginning at the child node of the matched element.
</p>
<p>An <em>element path</em> is a <code>TAB</code> delimited character string where each
<code>TAB</code> separates each element in the path.  For example, the element path
<code>a<code>TAB</code>b<code>TAB</code>c</code> has the following <acronym>XML</acronym> document
structure:
</p>
<div class="example">
<pre class="example">   &lt;pwmd&gt;
            &lt;element _name=&quot;a&quot;&gt;
                &lt;element _name=&quot;b&quot;&gt;
                    &lt;element _name=&quot;c&quot;&gt;
                        [... element value or content ...]
                    &lt;/element&gt;
                &lt;/element&gt;
            &lt;/element&gt;
        &lt;/pwmd&gt;
</pre></div>

<p>The only restriction of an element name is that it contain no whitespace
characters.
</p>
<hr>
</div>
<div class="chapter" id="Access-Control">
<div class="header">
<p>
Next: <a href="#Cache-Control" accesskey="n" rel="next">Cache Control</a>, Previous: <a href="#Introduction" accesskey="p" rel="prev">Overview of <code>pwmd</code></a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Access-Control-1"></span><h2 class="chapter">2 Access Control</h2>

<p>Like a filesystem has an <acronym>ACL</acronym> to grant or limit access to directories
or files for a specific user or group, <code>pwmd</code> can limit a local user,
group or a <acronym>TLS</acronym> connection to a specific element path. This is done
by storing an <acronym>ACL</acronym> in the element attribute <var>_acl</var>. Its syntax is
similar to the <var>allowed</var> configuration parameter (see <a href="#Configuration"><code>pwmd</code> configuration file options</a>)
with the exception that a <acronym>TLS</acronym> fingerprint hash is prefixed with a
<code>#</code>.
</p>
<p>Access is denied for any user that is not in the <acronym>ACL</acronym> of an element
with the exception of an invoking user (see the <var>invoking_user</var>). The
connected client must be in the <acronym>ACL</acronym> for each element in an element
path otherwise an error is returned.  As an example:
</p>
<div class="example">
<pre class="example">&lt;element _name=&quot;test&quot; _acl=&quot;username,-@wheel,root,#ABCDEF&quot;&gt;
        &lt;element _name=&quot;child&quot;/&gt;
&lt;/element&gt;
</pre></div>

<p>The user <code>username</code> would be allowed access to the <code>test</code> element
but not if it is a member of the <code>wheel</code> group although, the <code>root</code>
user, who may be a member of the <code>wheel</code> group, is allowed. The SHA-256
<acronym>TLS</acronym> fingerprint hash <code>#ABCDEF</code> is also allowed.  No users other than an
<var>invoking_user</var> are allowed access to the <code>child</code> element.
</p>
<p>The first user listed in the <acronym>ACL</acronym> is considered the owner of the
element. This determines which clients may modify an <var>_acl</var> attribute and
store content for an element. An <var>invoking_user</var> may always modify an 
<acronym>ACL</acronym>.
</p>
<hr>
</div>
<div class="chapter" id="Cache-Control">
<div class="header">
<p>
Next: <a href="#Invoking" accesskey="n" rel="next">Invoking <code>pwmd</code></a>, Previous: <a href="#Access-Control" accesskey="p" rel="prev">Access Control</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Cache-Control-1"></span><h2 class="chapter">3 Cache Control</h2>



<p>While <code>pwmd</code> has its own cache settings for an <acronym>XML</acronym> document,
<code>gpg-agent</code> has cache settings for the keys used for crypto operations
of a data file. Specifically the <samp>ignore-cache-for-signing</samp>,
<samp>default-cache-ttl</samp> and <samp>max-cache-ttl</samp> options. These
<code>gpg-agent</code> options may need to be adjusted depending on your usage
needs. For example, the <code>OPEN</code> command may not require a passphrase to
open a data file due to the gpg-agent having a cached key even though the
<code>ISCACHED</code> command returns an error indicating the data file is not
cached; which usually means a passphrase would be required. Keys for symmetric
data files are never kept in the <code>gpg-agent</code> cache regardless of
<code>gpg-agent</code> cache settings.
</p>
<p>A copy-on-write operation is done for commands that modify the document; the
client that invoked the command will work on a copy of the in-memory document.
The first client to <code>SAVE</code> the changes to disk will require other clients
to reopen the data file due to the checksum being updated.
</p>
<hr>
</div>
<div class="chapter" id="Invoking">
<div class="header">
<p>
Next: <a href="#Configuration" accesskey="n" rel="next"><code>pwmd</code> configuration file options</a>, Previous: <a href="#Cache-Control" accesskey="p" rel="prev">Cache Control</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Invoking-pwmd"></span><h2 class="chapter">4 Invoking <code>pwmd</code></h2>


<p><code>pwmd</code> uses GpgME for encryption, decryption and signing of the
OpenPGP data file. GpgME itself makes use of <code>gpg</code> for these
operations so some configuration of <code>gpg</code> may be needed.  Pwmd spawns
a separate <code>gpg-agent</code> process when <var>gpg_homedir</var>
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) is not set to an instance of an already running
gpg-agent. Any <code>gpg</code> configuration options that you need set should be
put in <var>~/.pwmd/.gnupg/gpg.conf</var> or the <var>gpg.conf</var> file located in
<var>gpg_homedir</var>. The same is true for the <var>gpg-agent.conf</var> file to set
any required <code>gpg-agent</code> options.
</p>
<p>It is recommended to pass the <samp>--allow-preset-passphrase</samp>
option to <code>gpg-agent</code>. Doing so allows <code>pwmd</code>
cache pushing on startup. It is also recommended to pass the
<samp>--allow-loopback-pinentry</samp> to <code>gpg-agent</code> (this is the default
as of gnupg-2.1.15). This option allows a passphrase to be inquired from
<code>pwmd</code> when a <code>pinentry</code> is unavailable to the client
(see <a href="#TLS">Configuring remote connections over TLS.</a>).
</p>
<p>If you would like to use a keypair from your default gnupg keyring located in
~/.gnupg, but would still like to use a separate gpg-agent process (the
default), you would need to first export the public key from the default
keyring then import it into the keyring that pwmd uses. You can do this by
first exporting the public key, then use the <samp>--homedir ~/.pwmd/.gnupg</samp>
option of <code>gpg</code> to import it into the new keyring. For private keys,
you would need to copy the private key associated with the exported public key
to <var>~/.pwmd/.gnupg/private-keys-v1.d</var>. If the private key is stored on
a smartcard you can also use the <code>KEYINFO --learn</code> command
(see <a href="#KEYINFO">Showing keys used for the current data file.</a>).
</p>
<span id="index-Running-pwmd"></span>
<p><code>pwmd</code> is executed as follows: 
</p> 
<div class="example">
<pre class="example">pwmd <var>options</var> [ file1 ] [ &hellip; ]
</pre></div>

<p>Non-option arguments are data files to cache upon startup. When the data file
requires a passphrase for decryption a <code>pinentry</code> will prompt either
on the current TTY or from an X11 window when the <code>DISPLAY</code>
environment variable is set. See <a href="#Pinentry">Pinentry configuration</a>.
</p>
<span id="index-Options"></span>
<span id="index-Arguments"></span>
<p>The following command line options are supported:
</p>
<span id="index-Getting-help"></span>
<dl compact="compact">
<dt><span>&lsquo;<samp>--debug protocol:level[,protocol:level]</samp>&rsquo;</span></dt>
<dd><p>Enable debugging output. This option can output sensitive information such as
passphrases and secret keys so care should be taken where the output gets
written to. The <var>protocol</var> is a single character representing the protocol
to log. Use <code>a</code> for <code>libassuan</code> with <var>level</var> being one or more
character flags: <code>i</code> for init, <code>x</code> for context, <code>e</code> for engine,
<code>d</code> for data, <code>s</code> for system IO or <code>c</code> for control.  To debug
<code>gpgme</code> use <code>g</code> as the <var>protocol</var> with <var>level</var> being an
integer from <code>1</code> to <code>9</code>. To enable <acronym>TLS</acronym> debugging output
use <code>t</code> as the <var>protocol</var> with <var>level</var> being an integer from
<code>1</code> to <code>9</code>. A value over <code>10</code> will enable all <acronym>TLS</acronym>
debugging output with <code>1</code> being the default.
</p>
</dd>
<dt><span>&lsquo;<samp>--homedir directory</samp>&rsquo;</span></dt>
<dd><p>The root directory where pwmd will store its data and temporary files.  The
default is <samp>~/.pwmd</samp>.
</p>
</dd>
<dt><span>&lsquo;<samp>--rcfile, -f rcfile</samp>&rsquo;</span></dt>
<dd><p>Specify an alternate configuration file. The default is
<samp>~/.pwmd/config</samp>.
</p>
</dd>
<dt><span>&lsquo;<samp>--kill</samp>&rsquo;</span></dt>
<dd><p>Terminate an existing instance of pwmd. The process to terminate is determined
from the <samp>--homedir</samp> and <samp>--rcfile</samp> options.
</p>
</dd>
<dt><span>&lsquo;<samp>--import, -I filename|-</samp>&rsquo;</span></dt>
<dd><p>Imports the <acronym>XML</acronym> <var>filename</var>. When <var>filename</var> is <code>-</code> the
<acronym>XML</acronym> is read from <code>stdin</code>. The <acronym>XML</acronym> file should be in conformance to
the <code>pwmd</code> <acronym>DTD</acronym> (see <a href="#Introduction">Overview of <code>pwmd</code></a>). You will be prompted for
a passphrase to encrypt with.  The output is written to the filename specified
with <samp>--outfile</samp>. To make use of the imported data, place the output
file in <samp>~/.pwmd/data</samp>.
</p>
</dd>
<dt><span>&lsquo;<samp>--output, -o filename|-</samp>&rsquo;</span></dt>
<dd><p>When importing, write the encrypted data file to <var>filename</var>. When
<var>filename</var> is <code>-</code> output will be written to <code>stdout</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>--passphrase-file, -k filename&quot;</samp>&rsquo;</span></dt>
<dd><p>Obtain the passphrase to use when importing from the specified <var>filename</var>.
</p>
</dd>
<dt><span>&lsquo;<samp>--keyid fingerprint[,fingerprint,...]</samp>&rsquo;</span></dt>
<dd><p>Specifies the fingerprint of the encryption key to use as a recipient when
importing. When not specified a new key-pair will be created.
</p>
</dd>
<dt><span>&lsquo;<samp>--sign-keyid fingerprint</samp>&rsquo;</span></dt>
<dd><p>Specifies the fingerprint of the signing key to use for signing of the data
file when importing.  When not specified the signing key of the generated
key-pair or the signing key of the <samp>--keyid</samp> option will be used.
</p>
</dd>
<dt><span>&lsquo;<samp>--symmetric, -s</samp>&rsquo;</span></dt>
<dd><p>Use symmetric or conventional encryption rather than pubic key encryption when
importing.  Signing is still possible by using the <samp>--sign-keyid</samp>
option. By default no signing is done when specifying this option.
</p>
</dd>
<dt><span>&lsquo;<samp>--userid string</samp>&rsquo;</span></dt>
<dd><p>When importing, the user id used to identify the generated key. This should be
in the form <code>First Last &lt;email&gt;</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>--algo string</samp>&rsquo;</span></dt>
<dd><p>When importing, the algorithm to use when generating the new key pair. The
default is determined by <code>gpg</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>--expire seconds</samp>&rsquo;</span></dt>
<dd><p>When importing, the time, in seconds since epoch, when the generated key will
expire. Specifying <code>0</code> will never expire the key. The default is three
years.
</p>
</dd>
<dt><span>&lsquo;<samp>--no-passphrase</samp>&rsquo;</span></dt>
<dd><p>When importing, don&rsquo;t require a passphrase for the generated key.
</p>
</dd>
<dt><span>&lsquo;<samp>--disable-dump</samp>&rsquo;</span></dt>
<dd><p>Disable the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and <code>DUMP</code>
protocol commands (see <a href="#Commands">Protocol commands and their syntax</a>). This overrides any
<var>disable_list_and_dump</var> configuration parameter (see <a href="#Configuration"><code>pwmd</code> configuration file options</a>).
</p>
</dd>
<dt><span>&lsquo;<samp>--no-fork, -n</samp>&rsquo;</span></dt>
<dd><p>Run as a foreground process and do not fork into the background.
</p>
</dd>
<dt><span>&lsquo;<samp>--force</samp>&rsquo;</span></dt>
<dd><p>Ignore cache pushing failures on startup. By default, <code>pwmd</code> will exit
if an error occurred due to an invalid passphrase or other error.
</p>
</dd>
<dt><span>&lsquo;<samp>--version</samp>&rsquo;</span></dt>
<dd><p>Show the version, copyright and compile time features and exit.
</p>
</dd>
<dt><span>&lsquo;<samp>--help</samp>&rsquo;</span></dt>
<dd><p>Print a summary of options.
</p></dd>
</dl>


<hr>
</div>
<div class="chapter" id="Configuration">
<div class="header">
<p>
Next: <a href="#TLS" accesskey="n" rel="next">Configuring remote connections over TLS.</a>, Previous: <a href="#Invoking" accesskey="p" rel="prev">Invoking <code>pwmd</code></a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="pwmd-configuration-file-options"></span><h2 class="chapter">5 <code>pwmd</code> configuration file options</h2>


<p>If no configuration file is specified with the <code>pwmd</code> <samp>-f</samp>
command line option, <code>pwmd</code> will read <samp>~/.pwmd/config</samp> if it
exists, and if not, will use defaults.  Blank lines and lines beginning with
&lsquo;<samp>#</samp>&rsquo; are ignored. Some parameters may have data file specific settings by
placing them in a file section. A file section is declared by surrounding the
filename with braces (i.e., &lsquo;<samp>[filename]</samp>&rsquo;).  Global options may be
specified in the <code>global</code> section &lsquo;<samp>e.g., [global]</samp>&rsquo; and are the
default options for new or unspecified file sections.
</p>
<p>A tilde <code>~</code> will be expanded to the home directory of the user starting
<code>pwmd</code> when contained in a parameter whose value is a filename.
</p>
<span id="index-Reloading-the-configuration-file"></span>
<p>The configuration file can be reloaded by sending the <em>SIGHUP</em> signal to
a <code>pwmd</code> process. Some security sensitive settings may not be changed
until <code>pwmd</code> is restarted.
</p>
<span id="index-Global-configuration-options"></span>
<p>The following options are only for use in the <code>[global]</code> section:
</p>
<dl compact="compact">
<dt><span>&lsquo;<samp>socket_path = /path/to/socket</samp>&rsquo;</span></dt>
<dd><p>Listen on the specified socket. The default is <samp>~/.pwmd/socket</samp>.
</p>
</dd>
<dt><span>&lsquo;<samp>socket_perms = octal_mode</samp>&rsquo;</span></dt>
<dd><p>Permissions to set after creating the socket. This will override any
<cite>umask(2)</cite> setting.
</p>
</dd>
<dt><span>&lsquo;<samp>backlog = integer</samp>&rsquo;</span></dt>
<dd><p>The number of connections to queue. When this limit is reached then new
connections will be refused. The default is <code>128</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>invoking_user = [-!]user,[-!]@group,[-!]#SHA-256,...</samp>&rsquo;</span></dt>
<dd><p>This parameter is not to be confused with setuid or setguid upon startup. It&rsquo;s
syntax is the same as the <code>allowed</code> parameter except that it is a list of
local usernames, group names and <acronym>TLS</acronym> fingerprint hashes that may use the
<code>XPATH</code>, <code>XPATHATTR</code> and <code>DUMP</code> commands (except when
disabled with the <code>disable_list_and_dump</code> option) and also who may modify
elements that have no <code>_acl</code> attribute or is not listed in an
<code>_acl</code>. It is similar to the system administrator root account but for a
data file and element paths (see <a href="#Access-Control">Access Control</a>). The default is specified
at compile-time and also by default is the user <code>nobody</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>invoking_file = filename</samp>&rsquo;</span></dt>
<dd><p>A file containing one entry per line. An entry has the same syntax as the
<code>invoking_user</code> parameter. When both this parameter and the
<code>invoking_user</code> parameter are specified then the <code>invoking_user</code>
parameter will behave as if the <code>invoking_file</code> entries have been
appended to the <code>invoking_user</code> parameter value.
</p>
</dd>
<dt><span>&lsquo;<samp>strict_open = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>true</code>, disallow creation of a new data file when the current client
is not an <code>invoking_user</code>. The default is <code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>strict_kill = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>false</code>, the <code>KILL</code> command (see <a href="#KILL">Terminating another client.</a>) will allow killing
another client that is not of the same <code>UID</code> or <acronym>TLS</acronym> fingerprint of
the current client and when not an <code>invoking_user</code>. The default us
<code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>allowed = [-!]user,[-!]@group,[-!]/path/to/exec,[+,][-!]#SHA-256,...</samp>&rsquo;</span></dt>
<dd><p>A comma separated list of local user names, group names or <acronym>TLS</acronym>
fingerprint SHA-256 hashes (in the case of a remote client) which are
allowed to connect.  Groups should be prefixed with a &lsquo;<samp>@</samp>&rsquo;. When not
specified only the user who started <code>pwmd</code> may connect. An entry in
the list may be prefixed with a <code>-</code> or <code>!</code> to prevent access. The
order of the list is important since a user may be a member of multiple
groups, for example.
</p>
<p>Connections from local clients may also be limited by command name. A command
name is the full path to the execuatble on the filesystem. The command check
is done after all other user and group name checks. When no command is
specified all commands are allowed. When the connecting client is not of the
same <acronym>UID</acronym> as the user that invoked <code>pwmd</code> this feature is
ignored.
</p>
<p>This parameter may also be specified in a filename section to allow or deny a
client to <code>OPEN</code> (see <a href="#OPEN">Opening a data file.</a>) a data file. It also affects the cache
commands <code>CLEARCACHE</code> (see <a href="#CLEARCACHE">Removing a cache entry.</a>) and <code>CACHETIMEOUT</code>
(see <a href="#CACHETIMEOUT">Setting the cache timeout.</a>). When not specified in a file section, any client
allowed to connect may also open any filename provided they can decrypt it.
Note that when specified in a file section that any <var>allowed</var> parameter in
the <code>global</code> seciton is not considered.
</p>
<p>The following example would deny all users in group <code>primary</code> but
allow <code>username</code> who may be a member of <code>primary</code>. It will also
allow any <acronym>TLS</acronym> client except for the client with <acronym>TLS</acronym>
fingerprint hash <code>#ABCDEF</code>. For local connections, the connecting client
must be using the /usr/bin/pwmc program:
</p>
<div class="example">
<pre class="example">allowed=-@primary,username,+,!#ABCDEF,/usr/bin/pwmc
</pre></div>

</dd>
<dt><span>&lsquo;<samp>allowed_file = filename</samp>&rsquo;</span></dt>
<dd><p>A file containing one entry per line. An entry has the same syntax as the
<code>allowed</code> parameter except that a line beginning with a semicolon is
ignored. When both this parameter and the <code>allowed</code> parameter are
specified then the <code>allowed_file</code> entries will be appended to the
<code>allowed</code> parameter value.
</p>
</dd>
<dt><span>&lsquo;<samp>encrypt_to = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>true</code> and <code>SAVE</code>&rsquo;ing a data file, allow <code>gpg</code> to
append it&rsquo;s configured key to the list of recipients. The default is
<code>false</code> meaning that only keys specified with <code>SAVE</code>
<samp>--keyid</samp> are recipients.
</p>
</dd>
<dt><span>&lsquo;<samp>always_trust = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>true</code>, allow encrypting to untrusted recipients or public
encryption keys. If you receive an error when <code>SAVE</code>&rsquo;ing stating that
the public key is unusable, either enable this option or edit the keys&rsquo; trust
value:
</p><div class="example">
<pre class="example">gpg --homedir ~/.pwmd/.gnupg --edit-key &lt;fingerprint&gt;
</pre></div>
<p>The default is <code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>gpg_homedir = path</samp>&rsquo;</span></dt>
<dd><p>The location where <code>gpg</code> will store its public and private keys and
configuration. The default is <samp>HOMEDIR/.gnupg</samp> where <var>HOMEDIR</var> is the
default (<samp>~/.pwmd</samp>) or the value specified on the command line with the
<samp>--homedir</samp> command line option (see <a href="#Invoking">Invoking <code>pwmd</code></a>). If you want to use
your standard <code>gpg</code> keyring then set this to <samp>~/.gnupg</samp>. Note
that a new instance of <code>gpg-agent</code> will be started when <em>not</em>
using the standard keyring and that any configuration options for
<code>gpg-agent</code> will need to placed in
<samp>HOMEDIR/.gnupg/gpg-agent.conf</samp>.
</p>
</dd>
<dt><span>&lsquo;<samp>disable_mlockall = boolean</samp>&rsquo;</span></dt>
<dd><p>When set to <code>false</code>, <cite>mlockall(2)</cite> will be called on startup.  This
will use more physical memory but may also be more secure since no swapping to
disk will occur. The default is <var>true</var>. If possible, use an encrypted swap
file or partition and leave this set to <var>true</var>.
</p>
</dd>
<dt><span>&lsquo;<samp>log_path = /path/to/logfile</samp>&rsquo;</span></dt>
<dd><p>Logs informational messages to the specified file. The default is
<samp>~/.pwmd/log</samp>.
</p>
</dd>
<dt><span>&lsquo;<samp>enable_logging = boolean</samp>&rsquo;</span></dt>
<dd><p>Enable or disable logging to <var>log_path</var>. The default is <code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>log_keepopen = boolean</samp>&rsquo;</span></dt>
<dd><p>When set to <code>false</code>, the log file specified with <var>log_path</var> will be
closed after writing each line. The default is <code>true</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>syslog = boolean</samp>&rsquo;</span></dt>
<dd><p>Enable logging to <cite>syslog(8)</cite> with facility <em>LOG_DAEMON</em> and priority
<em>LOG_INFO</em>. The default is <code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>log_level = level</samp>&rsquo;</span></dt>
<dd><p>When <code>0</code>, only connections and errors are logged. When <code>1</code>, data
file recipients and signers are logged during <code>OPEN</code> (see <a href="#OPEN">Opening a data file.</a>) and
<code>SAVE</code> (see <a href="#SAVE">Saving document changes to disk.</a>). When <code>2</code>, client commands are also logged.
The default is <code>0</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>kill_scd = boolean</samp>&rsquo;</span></dt>
<dd><p>Attempt to kill <code>scdaemon</code> after a client disconnects.  The default is
<code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>disable_list_and_dump = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>true</code> the <code>XPATH</code>, <code>XPATHATTR</code>, <code>LIST</code> and
<code>DUMP</code> protocol commands (see <a href="#Commands">Protocol commands and their syntax</a>) will be disabled.
</p>
</dd>
<dt><span>&lsquo;<samp>cache_push = file1,file2</samp>&rsquo;</span></dt>
<dd><p>A comma separated list of filenames to be cached upon startup. <code>pwmd</code>
will prompt for the passphrase for each file unless specified with
<var>passphrase_file</var> parameter in a matching file section.
</p>
</dd>
<dt><span>&lsquo;<samp>priority = integer</samp>&rsquo;</span></dt>
<dd><p>The priority or niceness of the server. The default is inherited from the
parent process.
</p>
</dd>
<dt><span>&lsquo;<samp>lock_timeout = integer</samp>&rsquo;</span></dt>
<dd><p>The default timeout in tenths of a second before giving up while waiting for a
file lock and returning an error. The default is <code>50</code>.
</p>
</dd>
</dl>

<span id="index-Data-file-configuration-options"></span>
<p>The following options are defaults for new files when specified in the
&lsquo;<samp>global</samp>&rsquo; section. When placed in a data file section they are options
specific to that data file only.
</p>
<dl compact="compact">
<dt><span>&lsquo;<samp>require_save_key = boolean</samp>&rsquo;</span></dt>
<dd><p>Require the passphrase needed for signing before writing changes of the
document to disk regardless of the key cache status. The default is
<code>true</code>. This option compliments <code>gpg-agent</code> option
<samp>--ignore-cache-for-signing</samp> and is used as a fail-safe.
</p>
</dd>
<dt><span>&lsquo;<samp>backup = boolean</samp>&rsquo;</span></dt>
<dd><p>Whether to create a backup of the data file when saving. The backup filename
has the <samp>.backup</samp> extension appended to the opened file. The default is
<code>true</code>. 
</p>
</dd>
<dt><span>&lsquo;<samp>cache_timeout = seconds</samp>&rsquo;</span></dt>
<dd><p>The number of seconds to keep the cache entry for this file. If <code>-1</code>, the
cache entry is kept forever. If <code>0</code>, each time an encrypted file is
<code>OPEN</code>ed (see <a href="#OPEN">Opening a data file.</a>) a passphrase will be required. The default
is <code>600</code> or 10 minutes.
</p>
</dd>
<dt><span>&lsquo;<samp>passphrase_file = /path/to/filename</samp>&rsquo;</span></dt>
<dd><p>Obtain the passphrase to open the data file from <var>filename</var>. If specified
in the &lsquo;<samp>global</samp>&rsquo; section then the <var>passphrase_file</var> is a default for
all data files. Note that if a client changes the passphrase for this data
file then the <var>passphrase_file</var> will need to be updated with the new
passphrase.
</p>
</dd>
<dt><span>&lsquo;<samp>recursion_depth = integer</samp>&rsquo;</span></dt>
<dd><p>The maximum number of times to resolve a <code>_target</code> attribute for an
element in an element path (see <a href="#Target-Attribute">The <code>target</code> attribute</a>). An error is returned
when this value is exceeded.  The default is <code>100</code> but can be disabled by
setting to <code>0</code> (<em>not recommended</em>).
</p>
</dd>
<dt><span>&lsquo;<samp>allowed = [-]user,[-]@group,[!]#TLSFINGERPRINT,...</samp>&rsquo;</span></dt>
<dd><p>Same parameter value as the <code>allowed</code> parameter mentioned above in
the &lsquo;<samp>[global]</samp>&rsquo; section but grants or denies a client from opening a
specific data file. The default is to allow any client that is allowed to
connect.
</p>
</dd>
</dl>

<hr>
</div>
<div class="chapter" id="TLS">
<div class="header">
<p>
Next: <a href="#Pinentry" accesskey="n" rel="next">Pinentry configuration</a>, Previous: <a href="#Configuration" accesskey="p" rel="prev"><code>pwmd</code> configuration file options</a>, Up: <a href="#Configuration" accesskey="u" rel="up"><code>pwmd</code> configuration file options</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Configuring-remote-connections-over-TLS_002e"></span><h2 class="chapter">6 Configuring remote connections over TLS.</h2>
<p>In addition to connecting to <code>pwmd</code> via a Unix Domain Socket, remote
connections can also be made to <code>pwmd</code> over <acronym>TLS</acronym>.
Authentication is done by using X.509 client certificates that are signed with
the same Certificate Authority (CA) as the server certificate.
</p>
<p>The CA certificate is expected to be found in
<samp>~/.pwmd/ca-cert.pem</samp> while the <code>pwmd</code> server certificate and key
file should be put in <samp>~/.pwmd/server-cert.pem</samp> and
<samp>~/.pwmd/server-key.pem</samp>, respectively.
</p>
<p>See the documentation of <code>certtool</code> or <code>openssl</code> for details
about creating self-signed certificates.
</p>
<p>The following <acronym>TLS</acronym> configuration options are available:
</p>
<dl compact="compact">
<dt><span>&lsquo;<samp>enable_tcp = boolean</samp>&rsquo;</span></dt>
<dd><p>Whether to enable <acronym>TCP</acronym>/<acronym>TLS</acronym> server support. If enabled, both <acronym>TCP</acronym> and the local
unix domain socket will listen for connections. The default is
<code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tcp_port = integer</samp>&rsquo;</span></dt>
<dd><p>The <acronym>TCP</acronym> port to listen on when <var>enable_tcp</var> is <code>true</code>. The default is
<code>6466</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tcp_bind = string</samp>&rsquo;</span></dt>
<dd><p>The internet protocol to listen with. Must be one of <code>ipv4</code>, <code>ipv6</code>
or <code>any</code> to listen for both IPv4 and IPv6 connections. The default is
<code>any</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tcp_interface = string</samp>&rsquo;</span></dt>
<dd><p>Only useful if running as root.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_timeout = seconds</samp>&rsquo;</span></dt>
<dd><p>The number of seconds to wait for a read() or write() call on a
<acronym>TLS</acronym> client file descriptor to complete before returning an
error. The default is <var>300</var>.
</p>
</dd>
<dt><span>&lsquo;<samp>keepalive_interval = seconds</samp>&rsquo;</span></dt>
<dd><p>Send a keepalive status message to an idle remote client.  An idle
client is one that is not in a command. The purpose of this status
message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is <code>60</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tcp_require_key = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>true</code>, require the remote client to provide the passphrase to open
a data file even if the file is cached.  This option is a default for all
files when specified in the &lsquo;<samp>[global]</samp>&rsquo; section. The default is
<code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_cipher_suite = string</samp>&rsquo;</span></dt>
<dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
information about the format of this string. The default is
<code>SECURE256:SECURE192:SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-AES-128-CBC:-AES-256-CBC</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_dh_params_file = filename</samp>&rsquo;</span></dt>
<dd><p>The PEM encoded filename containing DH parameters. If not specified
then DH algorithms will not be available to the client. See the
<code>openssl dhparam</code> or <code>certtool</code> manual pages for details about
generating this file.
</p>
<p>Note that SIGHUP will not reload this file once <acronym>TLS</acronym> support has been enabled.
You will need to restart <code>pwmd</code> for changes to take effect.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_use_crl = boolean</samp>&rsquo;</span></dt>
<dd><p>When <code>true</code>, enable the use of <samp>tls_crl_file</samp>. The default is
<code>false</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_crl_file = filename</samp>&rsquo;</span></dt>
<dd><p>This file is an X.509 Certificate Revocation List (<acronym>CRL</acronym>) and can be
used to deny clients by adding client certificates to it. <code>pwmd</code> will
need to be restarted to recognize any changes to this file.  When not
specified the default of <samp>~/.pwmd/crl.pem</samp> will be used when
<samp>tls_use_crl</samp> is <code>true</code>.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_ca_file = filename</samp>&rsquo;</span></dt>
<dd><p>The filename of the <acronym>CA</acronym> certificate to use. When not specified the
default of <samp>~/.pwmd/ca-cert.pem</samp> will be used.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_server_cert_file = filename</samp>&rsquo;</span></dt>
<dd><p>The filename of the server certificate to use. When not specified the default
of <samp>~/.pwmd/server-cert.pem</samp> will be used.
</p>
</dd>
<dt><span>&lsquo;<samp>tls_server_key_file = filename</samp>&rsquo;</span></dt>
<dd><p>The key filename of the server certificate to use. When not specified the
default of <samp>~/.pwmd/server-key.pem</samp> will be used.
</p>
</dd>
</dl>

<hr>
</div>
<div class="chapter" id="Pinentry">
<div class="header">
<p>
Next: <a href="#Commands" accesskey="n" rel="next">Protocol commands and their syntax</a>, Previous: <a href="#TLS" accesskey="p" rel="prev">Configuring remote connections over TLS.</a>, Up: <a href="#Configuration" accesskey="u" rel="up"><code>pwmd</code> configuration file options</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Pinentry-configuration"></span><h2 class="chapter">7 Pinentry configuration</h2>

<p>The <code>pinentry</code> program is used to prompt the user for passphrase
input or as a confirmation dialog; it needs to know where to prompt for
the input; from a terminal or an X11 display.
</p>
<p>It is the responsibility of the client to tell <code>pinentry</code> about the
terminal or X11 display before requiring the input. This is done with the
<code>OPTION</code> command (see <a href="#OPTION">Setting various client parameters.</a>) to either set or unset needed
<code>pwmd</code> environment variables and by using the
<code>gpg-connect-agent</code> program. Please read it&rsquo;s documentation about the
<em>UPDATESTARTUPTTY</em> command.
</p>
<hr>
</div>
<div class="chapter" id="Commands">
<div class="header">
<p>
Next: <a href="#Bulk-Commands" accesskey="n" rel="next">Running multiple commands in sequence</a>, Previous: <a href="#Pinentry" accesskey="p" rel="prev">Pinentry configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Protocol-commands-and-their-syntax"></span><h2 class="chapter">8 Protocol commands and their syntax</h2>
<ul class="section-toc">
<li><a href="#ATTR" accesskey="1">Modifying element attributes.</a></li>
<li><a href="#BULK" accesskey="2">Run a series of commands in sequence.</a></li>
<li><a href="#CACHETIMEOUT" accesskey="3">Setting the cache timeout.</a></li>
<li><a href="#CLEARCACHE" accesskey="4">Removing a cache entry.</a></li>
<li><a href="#COPY" accesskey="5">Copying an element.</a></li>
<li><a href="#DELETE" accesskey="6">Deleting an element.</a></li>
<li><a href="#DELETEKEY" accesskey="7">Deleting a key from the key ring.</a></li>
<li><a href="#DUMP" accesskey="8">Showing the XML document.</a></li>
<li><a href="#GENKEY" accesskey="9">Generating a new key.</a></li>
<li><a href="#GET">Getting the content of an element.</a></li>
<li><a href="#GETCONFIG">Obtaining a configuration value.</a></li>
<li><a href="#GETINFO">Obtaining server and client information.</a></li>
<li><a href="#HELP">Showing available commands.</a></li>
<li><a href="#IMPORT">Creating elements from XML.</a></li>
<li><a href="#ISCACHED">Testing cache status.</a></li>
<li><a href="#KEYINFO">Showing keys used for the current data file.</a></li>
<li><a href="#KILL">Terminating another client.</a></li>
<li><a href="#LIST">Showing document elements.</a></li>
<li><a href="#LISTKEYS">Listing keys in the key ring.</a></li>
<li><a href="#LOCK">Locking the current data file.</a></li>
<li><a href="#LS">Showing available data files.</a></li>
<li><a href="#MOVE">Moving an element.</a></li>
<li><a href="#NOP">Testing the connection.</a></li>
<li><a href="#OPEN">Opening a data file.</a></li>
<li><a href="#OPTION">Setting various client parameters.</a></li>
<li><a href="#PASSWD">Changing the passphrase for a key.</a></li>
<li><a href="#REALPATH">Resolving an element.</a></li>
<li><a href="#RENAME">Renaming an element.</a></li>
<li><a href="#RESET">Resetting the client state.</a></li>
<li><a href="#SAVE">Saving document changes to disk.</a></li>
<li><a href="#STORE">Modifying the content of an element.</a></li>
<li><a href="#UNLOCK">Removing a data file lock.</a></li>
<li><a href="#XPATH">Modifying more than one element.</a></li>
<li><a href="#XPATHATTR">Modifying more than one element&rsquo;s attributes.</a></li>
</ul>
<hr>
<div class="section" id="ATTR">
<div class="header">
<p>
Next: <a href="#BULK" accesskey="n" rel="next">Run a series of commands in sequence.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Modifying-element-attributes_002e"></span><h3 class="section">8.1 Modifying element attributes.</h3>
<span id="index-ATTR-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">ATTR [--inquire] SET|GET|DELETE|LIST [&lt;attribute&gt;] element[&lt;TAB&gt;child[..]] ..
</pre></div>

<dl compact="compact">
<dt><span>ATTR SET attribute element[&lt;TAB&gt;child[..]] [value]</span></dt>
<dd><p>Stores or updates an <var>attribute</var> name and optional <var>value</var> of an 
element. When no <var>value</var> is specified any existing value will be removed.
<br><br>
</p></dd>
<dt><span>ATTR DELETE attribute element[&lt;TAB&gt;child[..]]</span></dt>
<dd><p>Removes an attribute from an element. If <var>attribute</var> is <code>_name</code> 
or <code>target</code> an error is returned. Use the <code>DELETE</code> command 
(see <a href="#DELETE">Deleting an element.</a>) instead.
<br><br>
</p></dd>
<dt><span>ATTR LIST element[&lt;TAB&gt;child[..]]</span></dt>
<dd><p>Retrieves a newline separated list of attributes names and values 
from the specified element. Each attribute name and value is space delimited.
<br><br>
</p></dd>
<dt><span>ATTR GET attribute element[&lt;TAB&gt;child[..]]</span></dt>
<dd><p>Retrieves the value of an <var>attribute</var> from an element.
</p></dd>
</dl>
<br><br>
<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
<br><br>
See <a href="#Target-Attribute">The <code>target</code> attribute</a>, for details about this special attribute and also 
see <a href="#Other-Attributes">Other special attributes</a> for other attributes that are handled specially 
by <code>pwmd</code>.
</p>

<hr>
</div>
<div class="section" id="BULK">
<div class="header">
<p>
Next: <a href="#CACHETIMEOUT" accesskey="n" rel="next">Setting the cache timeout.</a>, Previous: <a href="#ATTR" accesskey="p" rel="prev">Modifying element attributes.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Run-a-series-of-commands-in-sequence_002e"></span><h3 class="section">8.2 Run a series of commands in sequence.</h3>
<span id="index-BULK-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">BULK [--inquire]
</pre></div>

<p>Parses a semi-canonical s-expression representing a series of protocol 
commands to be run in sequence (see <a href="#Bulk-Commands">Running multiple commands in sequence</a>). Returns a canonical 
s-expression containing each commands id, return value and result data 
(if any).
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="CACHETIMEOUT">
<div class="header">
<p>
Next: <a href="#CLEARCACHE" accesskey="n" rel="next">Removing a cache entry.</a>, Previous: <a href="#BULK" accesskey="p" rel="prev">Run a series of commands in sequence.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Setting-the-cache-timeout_002e"></span><h3 class="section">8.3 Setting the cache timeout.</h3>
<span id="index-CACHETIMEOUT-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">CACHETIMEOUT &lt;seconds&gt;
</pre></div>

<p>The time in <var>seconds</var> until the currently opened data file will be 
removed from the cache. <code>-1</code> will keep the cache entry forever, 
<code>0</code> will require the passphrase for each <code>OPEN</code> command 
(see <a href="#OPEN">Opening a data file.</a>) or <code>SAVE</code> (see <a href="#SAVE">Saving document changes to disk.</a>) command. See <a href="#Configuration"><code>pwmd</code> configuration file options</a>, 
and the <code>cache_timeout</code> parameter.
</p>

<hr>
</div>
<div class="section" id="CLEARCACHE">
<div class="header">
<p>
Next: <a href="#COPY" accesskey="n" rel="next">Copying an element.</a>, Previous: <a href="#CACHETIMEOUT" accesskey="p" rel="prev">Setting the cache timeout.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Removing-a-cache-entry_002e"></span><h3 class="section">8.4 Removing a cache entry.</h3>
<span id="index-CLEARCACHE-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">CLEARCACHE [&lt;filename&gt;]
</pre></div>

<p>Clears a file cache entry for all or the specified <var>filename</var>. Note that 
this will also clear any <code>gpg-agent</code> cached keys which may cause 
problems if another data file shares the same keys as <var>filename</var>.
<br><br>
When clearing all cache entries a permissions test is done against the 
current client based on the <var>allowed</var> configuration parameter in a 
<var>filename</var> section. Both a cache entry may be cleared and an error 
returned depending on cached data files and client permissions.
</p>

<hr>
</div>
<div class="section" id="COPY">
<div class="header">
<p>
Next: <a href="#DELETE" accesskey="n" rel="next">Deleting an element.</a>, Previous: <a href="#CLEARCACHE" accesskey="p" rel="prev">Removing a cache entry.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Copying-an-element_002e"></span><h3 class="section">8.5 Copying an element.</h3>
<span id="index-COPY-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">COPY [--inquire] source[&lt;TAB&gt;child[..]] dest[&lt;TAB&gt;child[..]]
</pre></div>

<p>Copies the entire element tree starting from the child node of the source 
element, to the destination element path. If the destination element path 
does not exist then it will be created; otherwise it is overwritten.
<br><br>
Note that attributes from the source element are merged into the 
destination element when the destination element path exists. When an 
attribute of the same name exists in both the source and destination 
elements then the destination attribute will be updated to the source 
attribute value.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="DELETE">
<div class="header">
<p>
Next: <a href="#DELETEKEY" accesskey="n" rel="next">Deleting a key from the key ring.</a>, Previous: <a href="#COPY" accesskey="p" rel="prev">Copying an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Deleting-an-element_002e"></span><h3 class="section">8.6 Deleting an element.</h3>
<span id="index-DELETE-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">DELETE [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Removes the specified element path and all of its children. This may break 
an element with a <code>target</code> attribute (see <a href="#Target-Attribute">The <code>target</code> attribute</a>) that 
refers to this element or any of its children.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="DELETEKEY">
<div class="header">
<p>
Next: <a href="#DUMP" accesskey="n" rel="next">Showing the XML document.</a>, Previous: <a href="#DELETE" accesskey="p" rel="prev">Deleting an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Deleting-a-key-from-the-key-ring_002e"></span><h3 class="section">8.7 Deleting a key from the key ring.</h3>
<span id="index-DELETEKEY-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">DELETEKEY &lt;keyid&gt;
</pre></div>

<p>Deletes the public and secret key associated with key <var>keyid</var> from the 
keyring. The <var>keyid</var> must be one associated with the currently opened 
data file. 
Note that no confirmation occurs. Also note that when the key is deleted, 
the current or other data files using this key will no longer be able to be 
opened.
</p>

<hr>
</div>
<div class="section" id="DUMP">
<div class="header">
<p>
Next: <a href="#GENKEY" accesskey="n" rel="next">Generating a new key.</a>, Previous: <a href="#DELETEKEY" accesskey="p" rel="prev">Deleting a key from the key ring.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Showing-the-XML-document_002e"></span><h3 class="section">8.8 Showing the XML document.</h3>
<span id="index-DUMP-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">DUMP
</pre></div>

<p>Shows the in memory <abbr>XML</abbr> document with indenting. See <a href="#XPATH">Modifying more than one element.</a>, for 
dumping a specific node.
</p>

<hr>
</div>
<div class="section" id="GENKEY">
<div class="header">
<p>
Next: <a href="#GET" accesskey="n" rel="next">Getting the content of an element.</a>, Previous: <a href="#DUMP" accesskey="p" rel="prev">Showing the XML document.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Generating-a-new-key_002e"></span><h3 class="section">8.9 Generating a new key.</h3>
<span id="index-GENKEY-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">GENKEY --subkey-of=fpr | --userid=&quot;str&quot; [--no-expire | --expire=N] [--algo=&quot;str&quot;] [--no-passphrase] [--usage=&quot;default|sign|encrypt&quot;]
</pre></div>

<p>Generates a new key based on option arguments. One of 
<samp>--subkey-of</samp> or <samp>--userid</samp> is 
required. The <samp>--subkey-of</samp> option will generate a subkey for the key 
of the specified fingerprint.
</p>

<hr>
</div>
<div class="section" id="GET">
<div class="header">
<p>
Next: <a href="#GETCONFIG" accesskey="n" rel="next">Obtaining a configuration value.</a>, Previous: <a href="#GENKEY" accesskey="p" rel="prev">Generating a new key.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Getting-the-content-of-an-element_002e"></span><h3 class="section">8.10 Getting the content of an element.</h3>
<span id="index-GET-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">GET [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Retrieves the content of the specified element. The content is returned 
with a data response.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="GETCONFIG">
<div class="header">
<p>
Next: <a href="#GETINFO" accesskey="n" rel="next">Obtaining server and client information.</a>, Previous: <a href="#GET" accesskey="p" rel="prev">Getting the content of an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Obtaining-a-configuration-value_002e"></span><h3 class="section">8.11 Obtaining a configuration value.</h3>
<span id="index-GETCONFIG-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">GETCONFIG [filename] &lt;parameter&gt;
</pre></div>

<p>Returns the value of a <code>pwmd</code> configuration <var>parameter</var> with a 
data response. If no file has been opened then the value for <var>filename</var> 
or the default from the <var>global</var> section will be returned. If a file 
has been opened and no <var>filename</var> is specified, the value previously 
set with the <code>OPTION</code> command (see <a href="#OPTION">Setting various client parameters.</a>) will be returned.
</p>

<hr>
</div>
<div class="section" id="GETINFO">
<div class="header">
<p>
Next: <a href="#HELP" accesskey="n" rel="next">Showing available commands.</a>, Previous: <a href="#GETCONFIG" accesskey="p" rel="prev">Obtaining a configuration value.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Obtaining-server-and-client-information_002e"></span><h3 class="section">8.12 Obtaining server and client information.</h3>
<span id="index-GETINFO-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">GETINFO [--data] [--verbose] CACHE | CLIENTS | PID | USER | LAST_ERROR | VERSION
</pre></div>

<p>Get server and other information. The information is returned via a status 
message (see <a href="#Status-Messages">Status messages and their meanings</a>) unless otherwise noted or <samp>--data</samp> 
is specified.
<br><br>
<var>CACHE</var> returns the number of cached documents.
<br><br>
<var>CLIENTS</var> returns the number of 
connected clients via a status message or a list of connected clients when 
the <samp>--verbose</samp> parameter is used (implies <samp>--data</samp>). A 
verbose line of a client list contains 
space delimited 
fields: the thread ID, client name, opened file (<code>/</code> if none opened), 
IP address if remote, file lock status, whether the current client is self 
or not, client state (see below), 
user ID or TLS fingerprint of the connected client, username if the 
client is a local one else <code>-</code>, and finally the time stamp of when the 
client connected.
<br><br>
Client state <code>0</code> is an unknown client state, state <code>1</code> indicates 
the client has connected but hasn&rsquo;t completed initializing, state <code>2</code> 
indicates that the client is idle, state <code>3</code> means the 
client is in a command and state <code>4</code> means the client is disconnecting. 
<br><br>
<var>PID</var> returns the process ID number of the server via a data response.
<br><br>
<var>VERSION</var> returns the server version number and compile-time features 
via a data response with each being space delimited.
<br><br>
<var>LAST_ERROR</var> returns a detailed description of the last failed command 
via a data response, when available.
<br><br>
<var>USER</var> returns the username or <abbr>TLS</abbr> hash of the connected client 
via a data response.
</p>

<hr>
</div>
<div class="section" id="HELP">
<div class="header">
<p>
Next: <a href="#IMPORT" accesskey="n" rel="next">Creating elements from XML.</a>, Previous: <a href="#GETINFO" accesskey="p" rel="prev">Obtaining server and client information.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Showing-available-commands_002e"></span><h3 class="section">8.13 Showing available commands.</h3>
<span id="index-HELP-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">HELP [--html] [&lt;COMMAND&gt;]
</pre></div>

<p>Show available commands or command specific help text.
<br><br>
The <samp>--html</samp> option will output the help text in HTML format.
</p>

<hr>
</div>
<div class="section" id="IMPORT">
<div class="header">
<p>
Next: <a href="#ISCACHED" accesskey="n" rel="next">Testing cache status.</a>, Previous: <a href="#HELP" accesskey="p" rel="prev">Showing available commands.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Creating-elements-from-XML_002e"></span><h3 class="section">8.14 Creating elements from XML.</h3>
<span id="index-IMPORT-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">IMPORT [--root=element[&lt;TAB&gt;child[..]]]
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
<br><br>
Like the <code>STORE</code> command (see <a href="#STORE">Modifying the content of an element.</a>), but the <var>content</var> 
argument is raw <abbr>XML</abbr> data. The content is created as a child of 
the element path specified with the <samp>--root</samp> option or at the 
document root when not specified. Existing elements of the same name will 
be overwritten.
<br><br>
The content must begin with an <abbr>XML</abbr> element node. See <a href="#Introduction">Overview of <code>pwmd</code></a>, 
for details.
</p>

<hr>
</div>
<div class="section" id="ISCACHED">
<div class="header">
<p>
Next: <a href="#KEYINFO" accesskey="n" rel="next">Showing keys used for the current data file.</a>, Previous: <a href="#IMPORT" accesskey="p" rel="prev">Creating elements from XML.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Testing-cache-status_002e"></span><h3 class="section">8.15 Testing cache status.</h3>
<span id="index-ISCACHED-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">ISCACHED [--lock] [--agent [--sign]] &lt;filename&gt;
</pre></div>

<p>Determines the file cache status of the specified <var>filename</var>. 
The default is to test whether the filename is cached in memory. Passing 
option <samp>--agent</samp> will test the <code>gpg-agent</code> cache for at most 
one cached key used for opening the data file (see <a href="#OPEN">Opening a data file.</a>). To test if 
a signing key is cached, pass <samp>--sign</samp> along with <samp>--agent</samp>. 
Both the <samp>--agent</samp> and <samp>--sign</samp> options require an opened data 
file.
<br><br>
An <em>OK</em> response is returned if the specified <var>filename</var> is found 
in the cache. If not found in the cache but exists on the filesystem 
then <code>GPG_ERR_NO_DATA</code> is returned. Otherwise a filesystem error is 
returned.
<br><br>
The <samp>--lock</samp> option will lock the file mutex of <var>filename</var> when 
the file exists; it does not need to be opened nor cached. The lock will be 
released when the client exits or sends the <code>UNLOCK</code> command 
(see <a href="#UNLOCK">Removing a data file lock.</a>). When this option is passed the current data file is closed.
</p>

<hr>
</div>
<div class="section" id="KEYINFO">
<div class="header">
<p>
Next: <a href="#KILL" accesskey="n" rel="next">Terminating another client.</a>, Previous: <a href="#ISCACHED" accesskey="p" rel="prev">Testing cache status.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Showing-keys-used-for-the-current-data-file_002e"></span><h3 class="section">8.16 Showing keys used for the current data file.</h3>
<span id="index-KEYINFO-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">KEYINFO [--learn]
</pre></div>

<p>Returns a new line separated list of key ID&rsquo;s that the currently opened 
data file has recipients and signers for. If the key is a signing key it 
will be prefixed with an <code>S</code>. If the file is a new one, or has no 
signers in the case of being symmetrically encrypted, the error code 
<code>GPG_ERR_NO_DATA</code> is returned.
<br><br>
When the <samp>--learn</samp> option is passed, keys on a smartcard will be 
imported.
</p>

<hr>
</div>
<div class="section" id="KILL">
<div class="header">
<p>
Next: <a href="#LIST" accesskey="n" rel="next">Showing document elements.</a>, Previous: <a href="#KEYINFO" accesskey="p" rel="prev">Showing keys used for the current data file.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Terminating-another-client_002e"></span><h3 class="section">8.17 Terminating another client.</h3>
<span id="index-KILL-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">KILL &lt;thread_id&gt;
</pre></div>

<p>Terminates the client identified by <var>thread_id</var> and releases any file 
lock or other resources it has held. See <code>GETINFO</code> (see <a href="#GETINFO">Obtaining server and client information.</a>) 
for details about listing connected clients. An <code>invoking_user</code> 
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) may kill any client while others may only kill 
clients of the same <code>UID</code> or <abbr>TLS</abbr> fingerprint.
</p>

<hr>
</div>
<div class="section" id="LIST">
<div class="header">
<p>
Next: <a href="#LISTKEYS" accesskey="n" rel="next">Listing keys in the key ring.</a>, Previous: <a href="#KILL" accesskey="p" rel="prev">Terminating another client.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Showing-document-elements_002e"></span><h3 class="section">8.18 Showing document elements.</h3>
<span id="index-LIST-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">LIST [--inquire] [--recurse] [--sexp] [element[&lt;TAB&gt;child[..]]]
</pre></div>

<p>If no element path is given then a newline separated list of root elements 
is returned with a data response. If given, then children of the specified 
element path are returned.
<br><br>
Each element path 
returned will have zero or more flags appened to it. These flags are 
delimited from the element path by a single space character. A flag itself 
is a single character. Flag <code>P</code> indicates that access to the element 
is denied. Flag <code>+</code> indicates that there are child nodes of 
the current element path. Flag <code>E</code> indicates that an element of the 
element path contained in a <var>target</var> attribute could not be found. Flag 
<code>O</code> indicates that a <var>target</var> attribute recursion limit was reached 
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>). Flag <code>T</code>, followed by a single space character, 
then an element path, is the element path of the <var>target</var> attribute 
contained in the current element.
<br><br>
When a specified element path contains an error either from the final 
element in the path or any previous element, the path is still shown but 
will contain the error flag for the element with the error. Determining 
the actual element which contains the error is up to the client. This can be 
done by traversing the final element up to parent elements that contain the 
same error flag.
<br><br>
The option <samp>--recurse</samp> may be used to list the entire element tree 
for a specified element path or the entire tree for all root elements.
<br><br>
The option <samp>--sexp</samp> outputs the list in an s-expression and also 
appends an elements&rsquo; attributes and attribute values. The syntax is:
</p>
<div class="example">
<pre class="example">(11:list-result
  (4:path N:&lt;path&gt; 5:flags N:&lt;flags&gt;
    (5:attrs N:&lt;name&gt; N:&lt;value&gt; ...)
  )
  ...
)
</pre></div>

<p>When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="LISTKEYS">
<div class="header">
<p>
Next: <a href="#LOCK" accesskey="n" rel="next">Locking the current data file.</a>, Previous: <a href="#LIST" accesskey="p" rel="prev">Showing document elements.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Listing-keys-in-the-key-ring_002e"></span><h3 class="section">8.19 Listing keys in the key ring.</h3>
<span id="index-LISTKEYS-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">LISTKEYS [--secret-only] [pattern[,&lt;pattern&gt;]]
</pre></div>

<p>Returns a new line separated list of key information matching a comma 
separated list of <var>pattern</var>&rsquo;s. When option <samp>--secret-only</samp> is 
specified, only keys matching <var>pattern</var> that also have a secret key 
available will be returned.
</p>

<hr>
</div>
<div class="section" id="LOCK">
<div class="header">
<p>
Next: <a href="#LS" accesskey="n" rel="next">Showing available data files.</a>, Previous: <a href="#LISTKEYS" accesskey="p" rel="prev">Listing keys in the key ring.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Locking-the-current-data-file_002e"></span><h3 class="section">8.20 Locking the current data file.</h3>
<span id="index-LOCK-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">LOCK
</pre></div>

<p>Locks the mutex associated with the opened file. This prevents other clients 
from sending commands to the same opened file until the client 
that sent this command either disconnects or sends the <code>UNLOCK</code> 
command. See <a href="#UNLOCK">Removing a data file lock.</a>.
</p>

<hr>
</div>
<div class="section" id="LS">
<div class="header">
<p>
Next: <a href="#MOVE" accesskey="n" rel="next">Moving an element.</a>, Previous: <a href="#LOCK" accesskey="p" rel="prev">Locking the current data file.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Showing-available-data-files_002e"></span><h3 class="section">8.21 Showing available data files.</h3>
<span id="index-LS-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">LS [--verbose]
</pre></div>

<p>Returns a newline separated list of data files stored in the data directory 
<samp>HOMEDIR/data</samp> (see <a href="#Invoking">Invoking <code>pwmd</code></a>) with a data response. When the 
<var>&ndash;verbose</var> option is passed, the space-separated filesystem inode 
access, modification and change times are appended to the line.
</p>

<hr>
</div>
<div class="section" id="MOVE">
<div class="header">
<p>
Next: <a href="#NOP" accesskey="n" rel="next">Testing the connection.</a>, Previous: <a href="#LS" accesskey="p" rel="prev">Showing available data files.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Moving-an-element_002e"></span><h3 class="section">8.22 Moving an element.</h3>
<span id="index-MOVE-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">MOVE [--inquire] source[&lt;TAB&gt;child[..]] [dest[&lt;TAB&gt;child[..]]]
</pre></div>

<p>Moves the source element path to the destination element path. If the 
destination is not specified then it will be moved to the root node of the 
document. If the destination is specified and exists then it will be 
overwritten; otherwise non-existing elements of the destination element 
path will be created.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="NOP">
<div class="header">
<p>
Next: <a href="#OPEN" accesskey="n" rel="next">Opening a data file.</a>, Previous: <a href="#MOVE" accesskey="p" rel="prev">Moving an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Testing-the-connection_002e"></span><h3 class="section">8.23 Testing the connection.</h3>
<span id="index-NOP-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">NOP
</pre></div>

<p>This command does nothing. It is useful for testing the connection for a 
timeout condition.
</p>

<hr>
</div>
<div class="section" id="OPEN">
<div class="header">
<p>
Next: <a href="#OPTION" accesskey="n" rel="next">Setting various client parameters.</a>, Previous: <a href="#NOP" accesskey="p" rel="prev">Testing the connection.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Opening-a-data-file_002e"></span><h3 class="section">8.24 Opening a data file.</h3>
<span id="index-OPEN-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">OPEN [--lock] &lt;filename&gt;
</pre></div>

<p>Opens <var>filename</var>. When the <var>filename</var> is not found on the 
file-system then a new in-memory document will be created. If the file is 
found, it is looked for in the file cache and when found no passphrase will 
be required to open it. When not cached, <cite>pinentry(1)</cite> will be used to 
retrieve the passphrase for decryption unless <samp>disable-pinentry</samp> 
(see <a href="#OPTION">Setting various client parameters.</a>) was specified in which case <code>pwmd</code> will 
<em>INQUIRE</em> the client for the passphrase. Note than when configuration 
option <samp>strict_open</samp> is enabled and the client is not an 
<samp>invoking_user</samp>, an error will be returned when the data file does 
not exist.
<br><br>
When the <samp>--lock</samp> option is passed then the file mutex will be 
locked as if the <code>LOCK</code> command (see <a href="#LOCK">Locking the current data file.</a>) had been sent after the 
file had been opened.
</p>

<hr>
</div>
<div class="section" id="OPTION">
<div class="header">
<p>
Next: <a href="#PASSWD" accesskey="n" rel="next">Changing the passphrase for a key.</a>, Previous: <a href="#OPEN" accesskey="p" rel="prev">Opening a data file.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Setting-various-client-parameters_002e"></span><h3 class="section">8.25 Setting various client parameters.</h3>
<span id="index-OPTION-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">OPTION &lt;NAME&gt;=[&lt;VALUE&gt;]
</pre></div>

<p>Sets a client option <var>name</var> to <var>value</var>. The value for an option is 
kept for the duration of the connection with the exception of the 
<code>pinentry</code> options which are defaults for all future connections 
(see <a href="#Pinentry">Pinentry configuration</a>). When <var>value</var> is empty the option is unset.
<br><br>
</p><dl compact="compact">
<dt><span>DISABLE-PINENTRY</span></dt>
<dd><p>Disable use of <code>pinentry</code> for passphrase retrieval. When <code>1</code>, a 
server inquire is sent to the client to obtain the passphrase. This option 
may be set as needed before the <code>OPEN</code> (see <a href="#OPEN">Opening a data file.</a>), <code>PASSWD</code> 
(see <a href="#PASSWD">Changing the passphrase for a key.</a>) and <code>SAVE</code> (see <a href="#SAVE">Saving document changes to disk.</a>) commands. Set to <code>0</code> 
to use a <code>pinentry</code>.
<br><br>
</p></dd>
<dt><span>DISPLAY</span></dt>
<dd><p>Set or unset the X11 display to use when prompting for a passphrase.
<br><br>
</p></dd>
<dt><span>TTYNAME</span></dt>
<dd><p>Set the terminal device path to use when prompting for a passphrase.
<br><br>
</p></dd>
<dt><span>TTYTYPE</span></dt>
<dd><p>Set the terminal type for use with <samp>TTYNAME</samp>.
<br><br>
</p></dd>
<dt><span>NAME</span></dt>
<dd><p>Associates the thread ID of the connection with the specified textual 
representation. Useful for debugging log messages. May not contain whitespace.
<br><br>
</p></dd>
<dt><span>LOCK-TIMEOUT</span></dt>
<dd><p>When not <code>0</code>, the duration in tenths of a second to wait for the file 
mutex which has been locked by another thread to be released before returning 
an error. When <code>-1</code> the error will be returned immediately.
<br><br>
</p></dd>
<dt><span>CLIENT-STATE</span></dt>
<dd><p>When set to <code>1</code> then client state status messages for other clients are 
sent to the current client. The default is <code>0</code>.
</p></dd>
</dl>


<hr>
</div>
<div class="section" id="PASSWD">
<div class="header">
<p>
Next: <a href="#REALPATH" accesskey="n" rel="next">Resolving an element.</a>, Previous: <a href="#OPTION" accesskey="p" rel="prev">Setting various client parameters.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Changing-the-passphrase-for-a-key_002e"></span><h3 class="section">8.26 Changing the passphrase for a key.</h3>
<span id="index-PASSWD-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">PASSWD
</pre></div>

<p>Changes the passphrase of the secret key required to open the current 
data file. If the data file is symmetrically encrypted the error 
<code>GPG_ERR_NOT_SUPPORTED</code> is returned. When symmetrically encrypted 
the <code>SAVE</code> command (see <a href="#SAVE">Saving document changes to disk.</a>) should be used instead to prevent 
this command saving any unwanted changes to the <abbr>XML</abbr> document.
<br><br>
Note that when the current data file has been either encrypted or signed 
with a key stored on a smartcard this command will return an error. In this 
case you should instead use <code>gpg --card-edit</code> to change the 
pin of the smartcard or <code>gpg --edit-key</code> to change the passphrase 
of the key used to sign or encrypt the data file.
<br><br>
This command is not available to non-invoking clients 
(see <a href="#Access-Control">Access Control</a>).
</p>

<hr>
</div>
<div class="section" id="REALPATH">
<div class="header">
<p>
Next: <a href="#RENAME" accesskey="n" rel="next">Renaming an element.</a>, Previous: <a href="#PASSWD" accesskey="p" rel="prev">Changing the passphrase for a key.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Resolving-an-element_002e"></span><h3 class="section">8.27 Resolving an element.</h3>
<span id="index-REALPATH-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">REALPATH [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Resolves all <code>target</code> attributes of the specified element path and 
returns the result with a data response. See <a href="#Target-Attribute">The <code>target</code> attribute</a>, for details.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="RENAME">
<div class="header">
<p>
Next: <a href="#RESET" accesskey="n" rel="next">Resetting the client state.</a>, Previous: <a href="#REALPATH" accesskey="p" rel="prev">Resolving an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Renaming-an-element_002e"></span><h3 class="section">8.28 Renaming an element.</h3>
<span id="index-RENAME-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">RENAME [--inquire] element[&lt;TAB&gt;child[..]] &lt;value&gt;
</pre></div>

<p>Renames the specified <var>element</var> to the new <var>value</var>. If an element of 
the same name as the <var>value</var> already exists it will be overwritten.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
</p>

<hr>
</div>
<div class="section" id="RESET">
<div class="header">
<p>
Next: <a href="#SAVE" accesskey="n" rel="next">Saving document changes to disk.</a>, Previous: <a href="#RENAME" accesskey="p" rel="prev">Renaming an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Resetting-the-client-state_002e"></span><h3 class="section">8.29 Resetting the client state.</h3>
<span id="index-RESET-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">RESET
</pre></div>

<p>Closes the currently opened file but keeps any previously set client options 
(see <a href="#OPTION">Setting various client parameters.</a>).
</p>

<hr>
</div>
<div class="section" id="SAVE">
<div class="header">
<p>
Next: <a href="#STORE" accesskey="n" rel="next">Modifying the content of an element.</a>, Previous: <a href="#RESET" accesskey="p" rel="prev">Resetting the client state.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Saving-document-changes-to-disk_002e"></span><h3 class="section">8.30 Saving document changes to disk.</h3>
<span id="index-SAVE-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">SAVE [--sign-keyid=[&lt;fpr&gt;]] [--symmetric | --keyid=&lt;fpr&gt;[,..] | --inquire-keyid]
</pre></div>

<p>Writes the in-memory <abbr>XML</abbr> document to disk. The file written to is the 
file that was opened when using the <code>OPEN</code> command (see <a href="#OPEN">Opening a data file.</a>).
<br><br>
If the file is a new one one of <samp>--symmetric</samp>, <samp>--keyid</samp> or
<samp>--inquire-keyid</samp> is required. When not <samp>--symmetric</samp> the 
option <samp>--sign-keyid</samp> is also required but optional otherwise.
<br><br>
You can encrypt the data file to a recipient other than the one that it 
was originally encrypted with by passing the <samp>--keyid</samp> or 
<samp>--inquire-keyid</samp> option with a comma separated list of 
public encryption key fingerprints as its argument. Use the 
<code>LISTKEYS</code> command (see <a href="#LISTKEYS">Listing keys in the key ring.</a>) to show key information by 
pattern. The <samp>--sign-keyid</samp> option may also be used to sign the data 
file with an alternate key by specifying the fingerprint of a signing key. 
Only one signing key is supported unlike the <samp>--keyid</samp> option. 
A passphrase to decrypt the data file 
will be required when one or more of the original encryption keys or signing 
key are not found in either of these two options&rsquo; arguments or when the data 
file is symmetrically encrypted regardless of the <code>require_save_key</code> 
configuration parameter. The original encryption keys and signing key will be 
used when neither of these options are specified.
<br><br>
The <samp>--keyid</samp> and <samp>--sign-keyid</samp> options are not available 
to non-invoking clients 
(see <a href="#Access-Control">Access Control</a>) when the recipients or signer do not match those 
that were used when the file was <code>OPEN</code>&rsquo;ed.
<br><br>
The <samp>--symmetric</samp> option specifies that a new data file be 
conventionally encrypted. These types of data files do not use a recipient 
public key but may optionally be signed by using the <samp>--sign-keyid</samp> 
option. To remove the signing key from a symmtrically encrypted data file, 
leave the option value empty.
<br><br>
Note that you cannot change encryption schemes once a data file has been 
saved.
</p>

<hr>
</div>
<div class="section" id="STORE">
<div class="header">
<p>
Next: <a href="#UNLOCK" accesskey="n" rel="next">Removing a data file lock.</a>, Previous: <a href="#SAVE" accesskey="p" rel="prev">Saving document changes to disk.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Modifying-the-content-of-an-element_002e"></span><h3 class="section">8.31 Modifying the content of an element.</h3>
<span id="index-STORE-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">STORE [--no-inherit-acl] element[&lt;TAB&gt;child[..]]&lt;TAB&gt;[content]
</pre></div>

<p>This command uses a server <em>INQUIRE</em> to retrieve data from the client.
<br><br>
Creates a new element path or modifies the <var>content</var> of an existing 
element. If only a single element is specified then a new root element is 
created. Otherwise, elements are <tt class="key">TAB</tt> delimited and the content will be 
set to the final <tt class="key">TAB</tt> delimited element. If no <var>content</var> is 
specified after the final <tt class="key">TAB</tt>, then the content of the existing 
element will be removed; or will be empty if creating a new element.
<br><br>
The option <samp>--no-inherit-acl</samp> prevents a newly created element from 
inheriting the value of the parent element <code>_acl</code> attribute. In either 
case, the current user is made the owner of the newly created element(s).
<br><br>
The only restriction of an element name is that it not contain whitespace 
characters. There is no other whitespace between the <tt class="key">TAB</tt> delimited 
elements. It is recommended that the content of an element be base64 encoded 
when it contains control or <tt class="key">TAB</tt> characters to prevent <abbr>XML</abbr> 
parsing and <code>pwmd</code> syntax errors.
</p>

<hr>
</div>
<div class="section" id="UNLOCK">
<div class="header">
<p>
Next: <a href="#XPATH" accesskey="n" rel="next">Modifying more than one element.</a>, Previous: <a href="#STORE" accesskey="p" rel="prev">Modifying the content of an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Removing-a-data-file-lock_002e"></span><h3 class="section">8.32 Removing a data file lock.</h3>
<span id="index-UNLOCK-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">UNLOCK
</pre></div>

<p>Unlocks the file mutex which was locked with the <code>LOCK</code> command or 
a commands&rsquo; <samp>--lock</samp> option (see <a href="#LOCK">Locking the current data file.</a>, see <a href="#OPEN">Opening a data file.</a>, 
see <a href="#ISCACHED">Testing cache status.</a>).
</p>

<hr>
</div>
<div class="section" id="XPATH">
<div class="header">
<p>
Next: <a href="#XPATHATTR" accesskey="n" rel="next">Modifying more than one element&rsquo;s attributes.</a>, Previous: <a href="#UNLOCK" accesskey="p" rel="prev">Removing a data file lock.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Modifying-more-than-one-element_002e"></span><h3 class="section">8.33 Modifying more than one element.</h3>
<span id="index-XPATH-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATH [--inquire] &lt;expression&gt;[&lt;TAB&gt;[value]]
</pre></div>

<p>Evaluates an XPath <var>expression</var>. If no <var>value</var> argument is 
specified it is assumed the expression is a request to return a result. 
Otherwise, the result is set to the <var>value</var> argument and the document is 
updated. If there is no <var>value</var> after the <tt class="key">TAB</tt> character, the value 
is assumed to be empty and the document is updated. For example:
</p><br>
<div class="example">
<pre class="example">XPATH //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would clear the content of all <var>password</var> elements in the data file 
while leaving off the trailing <tt class="key">TAB</tt> would return all <var>password</var> 
elements in <abbr>XML</abbr> format.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
<br><br>
See <a href="https://www.w3schools.com/xml/xpath_intro.asp">https://www.w3schools.com/xml/xpath_intro.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>

<hr>
</div>
<div class="section" id="XPATHATTR">
<div class="header">
<p>
Previous: <a href="#XPATH" accesskey="p" rel="prev">Modifying more than one element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Modifying-more-than-one-element_0027s-attributes_002e"></span><h3 class="section">8.34 Modifying more than one element&rsquo;s attributes.</h3>
<span id="index-XPATHATTR-command"></span>
<p>Syntax:
</p><div class="example">
<pre class="example">XPATHATTR [--inquire] SET|DELETE &lt;name&gt; &lt;expression&gt;[&lt;TAB&gt;[&lt;value&gt;]]
</pre></div>

<p>Like the <code>XPATH</code> command (see <a href="#XPATH">Modifying more than one element.</a>) but operates on element 
attributes and does not return a result. For the <var>SET</var> operation the 
<var>value</var> is optional but the field is required. If not specified then 
the attribute value will be empty. For example:
</p><br>
<div class="example">
<pre class="example">XPATHATTR SET password //element[@_name='password']<span class="key">TAB</span>
</pre></div>
<br>
<p>would create a <var>password</var> attribute for each <var>password</var> element 
found in the document. The attribute value will be empty but still exist.
<br><br>
When the <samp>--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em>INQUIRE</em>.
<br><br>
See <a href="https://www.w3schools.com/xml/xpath_intro.asp">https://www.w3schools.com/xml/xpath_intro.asp</a> for <abbr>XPATH</abbr> 
expression syntax.
</p>


<hr>
</div>
</div>
<div class="chapter" id="Bulk-Commands">
<div class="header">
<p>
Next: <a href="#Status-Messages" accesskey="n" rel="next">Status messages and their meanings</a>, Previous: <a href="#Commands" accesskey="p" rel="prev">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Running-multiple-commands-in-sequence"></span><h2 class="chapter">9 Running multiple commands in sequence</h2>
<p>Multiple commands may be run in sequence by using the <code>BULK</code> command
(see <a href="#BULK">Run a series of commands in sequence.</a>). Using this feature may speed up remote connections since less
socket IO is needed. The <code>BULK</code> command uses an <em>INQUIRE</em> to obtain
an canonical s-expression of commands to be run. The s-expression syntax is as
follows:
</p>
<div class="example">
<pre class="example">(2:id&lt;I&gt;:&lt;id&gt; &lt;P&gt;:&lt;prot&gt;&lt;D&gt;:[&lt;data&gt;] [2:rc&lt;R&gt;:&lt;code&gt;[|&lt;code&gt;...](2:id...) | 2:id...])
</pre></div>

<p>Each token is prefixed with an unsigned integer that specifies the length of
the token, followed by a colon &rsquo;<code>:</code>&rsquo;, followed by the token itself. Pwmd
uses token pairs to create a <em>name=value</em> relationship. Whitespace is
allowed between token pairs. For example, the following is valid:
</p>
<div class="example">
<pre class="example">( 2:id 7:FirstID 4:LIST0: 2:rc 1:0 (2:id6:Second 7:GETINFO7:version))
</pre></div>

<p>The <code>id</code> token begins a new command and requires an <var>&lt;id&gt;</var> token
of length <var>&lt;I&gt;</var> to uniquely identify this command. The next token pair is
the protocol command name, without any command arguments, of length <var>&lt;P&gt;</var>
to run followed by a colon &rsquo;<code>:</code>&rsquo;, followed by the command <var>&lt;prot&gt;</var>
itself, followed by the length <var>&lt;D&gt;</var> of both command arguments and data,
followed by a colon &rsquo;<code>:</code>&rsquo; and finally the <var>&lt;data&gt;</var> itself.  If no
arguments or data are needed for the command, set the length of the data
<var>&lt;D&gt;</var> to <code>0</code> and append the required colon &rsquo;<code>:</code>&rsquo;.
</p>
<p>A new command enclosed in parentheses may be run when the previous command
returns an error code that matches the <var>&lt;code&gt;</var> token of length <var>&lt;R&gt;</var>
by appending <var>rc</var> tokens to the end of the previous commands <var>&lt;data&gt;</var>
token. You may also test another return code for the previous command by
placing the next <var>rc</var> token at the end of the closing parentheses of the
previous return code command.
</p>
<p>Multiple <code>rc</code> <var>code</var>&rsquo;s may be specified for a single command by
separating them with a pipe <code>|</code> character. This lets you specify an
<em>if-this-and-that</em> expression for a commands return code.
</p>
<p>If another command is to be run after the previous and does not specify an
<var>rc</var> token, the return value is ignored for the previous command and the
next command is run.  There is no limit on the number of commands or
sub-commands except for system memory.
</p>
<p>After inquiring the commands to be run, <code>BULK</code> will run each command with
<var>&lt;data&gt;</var> as its argument and store the result code and data of the command
in a <code>bulk-result</code> canonical s-expression of the syntax:
</p>
<div class="example">
<pre class="example">(11:bulk-result2:id&lt;I&gt;:&lt;id&gt;2:rc&lt;R&gt;:&lt;code&gt;&lt;D&gt;:[&lt;data&gt;][2:id...])
</pre></div>

<p>The <code>11:bulk-result</code> token begins the result of all commands. The
<var>&lt;id&gt;</var> token of length <var>&lt;I&gt;</var> is the same that was associated with the
command from the <em>INQUIRE</em>&rsquo;d syntax and is prefixed with <code>2:id</code>. The
return code of the command is prefixed with <code>2:rc</code> followed by the length
<var>&lt;R&gt;</var> of the unsigned integer <var>&lt;code&gt;</var> then the return <var>&lt;code&gt;</var>
itself.  If the command returned any <var>&lt;data&gt;</var>, it is prefixed with a
length <var>&lt;D&gt;</var> and immediately following the return <var>&lt;code&gt;</var>. Otherwise,
<var>&lt;D&gt;</var> will be <code>0</code> and followed by a colon &rsquo;<code>:</code>&rsquo;.
</p>

<hr>
</div>
<div class="chapter" id="Status-Messages">
<div class="header">
<p>
Next: <a href="#Target-Attribute" accesskey="n" rel="next">The <code>target</code> attribute</a>, Previous: <a href="#Bulk-Commands" accesskey="p" rel="prev">Running multiple commands in sequence</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Status-messages-and-their-meanings"></span><h2 class="chapter">10 Status messages and their meanings</h2>
<p>Some commands send status messages to inform the client about certain
operations or as a progress indicator.  Status messages begin with a
<code>KEYWORD</code> followed by a status description for status messages that
require it. What status messages are sent, when, and how often may depend on
configuration settings (see <a href="#Configuration"><code>pwmd</code> configuration file options</a>).
</p>
<table>
<thead><tr><th width="20%">Message</th><th width="25%">Parameters</th><th width="55%">Description</th></tr></thead>
<tr><td width="20%">CACHE
<span id="index-CACHE"></span></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of cached documents. Sent to each client after connecting
(see <a href="#GETINFO">Obtaining server and client information.</a>) and after every cache modification.</td></tr>
<tr><td width="20%">CLIENTS
<span id="index-CLIENTS"></span></td><td width="25%"><code>&lt;integer&gt;</code></td><td width="55%">The number of connected clients (see <a href="#GETINFO">Obtaining server and client information.</a>). Sent to each client
when another client either connects or disconnects.</td></tr>
<tr><td width="20%">DECRYPT
<span id="index-DECRYPT"></span></td><td width="25%"></td><td width="55%">Sent to the current client during a decrypt operation. How often this
status message is sent is determined by the <code>keepalive_interval</code>
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) setting.</td></tr>
<tr><td width="20%">ENCRYPT
<span id="index-ENCRYPT"></span></td><td width="25%"></td><td width="55%">Sent to the current client during an encrypt operation. How often this
status message is sent is determined by the <code>keepalive_interval</code>
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) setting.</td></tr>
<tr><td width="20%">GENKEY
<span id="index-GENKEY"></span></td><td width="25%"><code>[&lt;sigkey_fpr&gt; &lt;pubkey_fpr&gt;]</code></td><td width="55%">Sent to the current client during key generation. How often this
status message is sent is determined by the <code>keepalive_interval</code>
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) setting. The <var>sigkey_fpr</var> and <var>pubkey_fpr</var>
parameters are added when key generation has completed.</td></tr>
<tr><td width="20%">INQUIRE_MAXLEN
<span id="index-INQUIRE_005fMAXLEN"></span></td><td width="25%"><code>&lt;bytes&gt;</code></td><td width="55%">Sent to the client from <code>gpg-agent</code> when inquiring data. This
specifies the maximum number of bytes allowed for the client to send and
should not be exceeded.</td></tr>
<tr><td width="20%">KEEPALIVE
<span id="index-KEEPALIVE"></span></td><td width="25%"></td><td width="55%">Sent to each idle client every <var>keepalive_interval</var>
(see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) seconds.</td></tr>
<tr><td width="20%">LOCKED
<span id="index-LOCKED"></span></td><td width="25%"></td><td width="55%">Sent to the current client when another client is holding the lock for
the mutex associated with a file. How often this status message is sent is
determined by the <code>keepalive_interval</code> (see <a href="#Configuration"><code>pwmd</code> configuration file options</a>) setting.</td></tr>
<tr><td width="20%">NEWFILE
<span id="index-NEWFILE"></span></td><td width="25%"></td><td width="55%">Sent to the current client when the opened (see <a href="#OPEN">Opening a data file.</a>) file does not
exist on the file-system.</td></tr>
<tr><td width="20%">MODIFIED
<span id="index-MODIFIED"></span></td><td width="25%"><code>&lt;client_id&gt;</code></td><td width="55%">Sent to each client with the same opened data file as <var>client_id</var> to
inform them of modifications that were written to disk using the
<code>SAVE</code> command.</td></tr>
<tr><td width="20%">XFER
<span id="index-XFER"></span></td><td width="25%"><code>&lt;sent&gt; &lt;total&gt;</code></td><td width="55%">Sent to the current client when transferring data. It has two space
delimited arguments. The first being the current amount of bytes transferred
and the other being the total bytes to be transferred. Note that since version
<code>3.1.1</code> of <code>pwmd</code> this status message is sent only once and
before the transfer begins with the <var>total</var> argument set to the size of the
data and the <var>sent</var> argument set to <code>0</code> leaving it to the client to
determine the progress of the transfer as the data is received.</td></tr>
<tr><td width="20%">STATE
<span id="index-STATE"></span></td><td width="25%"><code>&lt;client_id&gt; &lt;state&gt;</code></td><td width="55%">Sent to each client to indicate that <var>client_id</var> has changed to
<var>state</var> (see <a href="#GETINFO">Obtaining server and client information.</a> for client states). For a client to receive
another clients state the option <var>CLIENT-STATE</var> must be set.
See <a href="#OPTION">Setting various client parameters.</a> command.</td></tr>
<tr><td width="20%">EXPIRE
<span id="index-EXPIRE"></span></td><td width="25%"><code>&lt;epoch_seconds&gt; &lt;epoch_future&gt;|0</code></td><td width="55%">Sent to the current client when <code>GET</code> (see <a href="#GET">Getting the content of an element.</a>) encounters an
<code>_expire</code> (see <a href="#Other-Attributes">Other special attributes</a>) attribute that is in the past or when
<code>STORE</code> (see <a href="#STORE">Modifying the content of an element.</a>) updates the <code>_expire</code> attribute from the
<code>_age</code> attribute value. The second field will be <code>0</code> when <code>GET</code>
sends this status message.  Otherwise the second field is the time the next
expiry will be.</td></tr>
<tr><td width="20%">PASSPHRASE_HINT
<span id="index-PASSPHRASE_005fHINT"></span></td><td width="25%">&lt;keyid&gt; &lt;userid&gt;</td><td width="55%">Forwarded from <code>GpgME</code>. Contains information that is useful in a
<code>pinentry</code>. Only sent when pinentry is disabled (see <a href="#OPTION">Setting various client parameters.</a>).</td></tr>
<tr><td width="20%">PASSPHRASE_INFO
<span id="index-PASSPHRASE_005fINFO"></span></td><td width="25%">&lt;flags&gt; ...</td><td width="55%">Forwarded from <code>GpgME</code>. Contains information that is useful in a
<code>pinentry</code>. Only sent when pinentry is disabled (see <a href="#OPTION">Setting various client parameters.</a>).</td></tr>
<tr><td width="20%">REHANDSHAKE
<span id="index-REHANDSHAKE"></span></td><td width="25%"></td><td width="55%">Sent to each <acronym>TLS</acronym> client just before performing a cipher renegotiation
after a SIGHUP signal was received.</td></tr>
<tr><td width="20%">BULK
<span id="index-BULK"></span></td><td width="25%"><code>BEGIN|END &lt;command id&gt;</code></td><td width="55%">Sent to the current client before and after the <code>BULK</code> command
(see <a href="#BULK">Run a series of commands in sequence.</a>) runs each command. The <var>&lt;command id&gt;</var> is the same that was
associated with the command in the s-expression syntax.</td></tr>
</table>

<hr>
</div>
<div class="chapter" id="Target-Attribute">
<div class="header">
<p>
Next: <a href="#Other-Attributes" accesskey="n" rel="next">Other special attributes</a>, Previous: <a href="#Status-Messages" accesskey="p" rel="prev">Status messages and their meanings</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="The-target-attribute"></span><h2 class="chapter">11 The <code>target</code> attribute</h2>
<span id="index-target-attribute"></span>
<p>A <em>case sensitive</em> attribute named <code>_target</code> is treated specially
when found in each element of an element path. This attribute, like other
element attributes, is created or modified with the <code>ATTR</code> command
(see <a href="#ATTR">Modifying element attributes.</a>). The value of this attribute is an existing element path
somewhere in the document.  If you are familiar with <acronym>XML</acronym> entities or
maybe the HTML <code>id</code> or <code>_target</code> attributes or a symbolic link
in a file-system, you may find this attribute behaves similar to any of those.
</p>
<p>To create a <code>_target</code> attribute use the following syntax:
</p>
<div class="example">
<pre class="example">ATTR SET _target element[<code>TAB</code>child[..]] element[<code>TAB</code>child[..]]
</pre></div>

<p>Note the single space between the two element paths. The first element path is
where the <code>_target</code> attribute will be created. If the element path does
not exist then it will be created.  This is the only time the <code>ATTR</code>
(see <a href="#ATTR">Modifying element attributes.</a>) command will create elements. The attribute is created in the
final element of the element path.
</p>
<p>The second element path is the destination of where you want the first element
path to resolve to. When an element path is passed as an argument to a
protocol command <code>pwmd</code> looks for a <code>_target</code> attribute when
resolving each element and, if found, &quot;jumps&quot; to the attribute value and
continues resolving any remaining elements a commands element path.
</p>
<p>When an element of a element path is removed that a <code>_target</code> attribute
resolves to then an error will occur when trying to access that element. You
may need to either update the <code>_target</code> attribute value with a new element
path or remove the attribute entirely.
</p>
<p>Clients should be careful of creating <code>_target</code> loops, or targets that
resolve to themselves. See the <var>recursion_depth</var> (see <a href="#Configuration"><code>pwmd</code> configuration file options</a>)
configuration parameter for details.
</p>
<p>The <code>REALPATH</code> command (see <a href="#REALPATH">Resolving an element.</a>) can be used to show the element
path after resolving all <code>_target</code> attributes.
</p>
<p><em>Note that when setting this attribute any children of the element will
be removed.</em>
</p>

<hr>
</div>
<div class="chapter" id="Other-Attributes">
<div class="header">
<p>
Next: <a href="#Key-Expiration" accesskey="n" rel="next">Key Expiration</a>, Previous: <a href="#Target-Attribute" accesskey="p" rel="prev">The <code>target</code> attribute</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Other-special-attributes"></span><h2 class="chapter">12 Other special attributes</h2>
<span id="index-special-attributes"></span>
<p>In addition to the <code>_target</code> attribute (see <a href="#Target-Attribute">The <code>target</code> attribute</a>), there
are a few other attributes that are specially handled by <code>pwmd</code>. The
first is the <code>_ctime</code> attribute which is set to the current time when an
element is created. Next is the <code>_mtime</code> attribute which is created when
an element is created and also updated when an element is modified. Neither of
these attributes may be modified by the client. The <code>_acl</code> attribute
controls access to the element, beit modifying or accessing element content,
or descending into child elements.  See <a href="#Access-Control">Access Control</a> for details. The
<code>_name</code> attribute contains the name of an element.
</p>
<p>The above mentioned attributes are considered reserved attribute names.
Reserved attributes are treated specially when a <code>_target</code> attribute is
found for the current element. The <code>ATTR LIST</code> command will show these
attribute values for the current element and not the attribute values for the
resolved <code>_target</code> element. All other non-reserved attributes for the
resolved <code>_target</code> are appended to the <code>ATTR LIST</code> command output.
Other <code>ATTR</code> commands (see <a href="#ATTR">Modifying element attributes.</a>) behave as usual. You can, for
example, <code>ATTR DELETE</code> a non-reserved attribute for an element that
contains a <code>_target</code> attribute. The resolved target elements&rsquo; attribute
will be removed rather than the element containing the <code>_target</code>
attribute.
</p>
<p>Another specially handled attribute is the <code>_expire</code> attribute. This
attribute value, like the <code>_ctime</code> and <code>_mtime</code> attributes, is a
timestamp. But this timestamp is usually in the future and for use with the
<code>GET</code> (see <a href="#GET">Getting the content of an element.</a>) and <code>STORE</code> (see <a href="#STORE">Modifying the content of an element.</a>) commands. When the
<code>GET</code> command is issued, it checks for an <code>_expire</code> attribute an
compares its&rsquo; value with the current time. If the <code>_expire</code> timestamp is
in the past then a status message is sent (see <a href="#Status-Messages">Status messages and their meanings</a>) to inform
the client that the element content should be updated.  When the content for
an element containing an <code>_expire</code> attribute is set when using the
<code>STORE</code> command, the value of the <code>_age</code> attribute is added to the
current time and the <code>_expire</code> attribute value is updated.  When no
<code>_age</code> attribute is found, no modification is done of the <code>_expire</code>
attribute.
</p>

<hr>
</div>
<div class="chapter" id="Key-Expiration">
<div class="header">
<p>
Next: <a href="#Signals" accesskey="n" rel="next">Recognized signals</a>, Previous: <a href="#Other-Attributes" accesskey="p" rel="prev">Other special attributes</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Key-Expiration-1"></span><h2 class="chapter">13 Key Expiration</h2>
<span id="index-key-expiration"></span>
<p>When a key used for signing a data file has expired there is no indication
until the next <code>SAVE</code> command is sent. The command will fail since one
cannot sign the data file with an expired key. The client will need to either
use a different key for signing by either specifying an existing non-expired
key, generate a new key, or change the expire time of the existing key with
<code>gpg</code>.
</p>
<p>To change the expiration of the currently used signing key with <code>gpg</code>,
use the <code>KEYINFO</code> command (see <a href="#KEYINFO">Showing keys used for the current data file.</a>) to obtain the fingerprint of
the signing key of the current data file, then change the expire time with
<code>gpg</code>:
</p>
<div class="example">
<pre class="example">gpg --homedir ~/.pwmd/.gnupg --edit-key &lt;fingerprint&gt;
</pre></div>

<p>Then use the <code>expire</code> command to set the new key expire date. When
finished, use the <code>save</code> command to save your changes.
</p>

<hr>
</div>
<div class="chapter" id="Signals">
<div class="header">
<p>
Next: <a href="#Index" accesskey="n" rel="next">Index</a>, Previous: <a href="#Key-Expiration" accesskey="p" rel="prev">Key Expiration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Recognized-signals"></span><h2 class="chapter">14 Recognized signals</h2>

<p>Sending the <em>SIGHUP</em> signal to a <code>pwmd</code> process will reload the
configuration file and sending <em>SIGUSR1</em> will clear the entire file
cache.
</p>


<hr>
</div>
<div class="unnumbered" id="Index">
<div class="header">
<p>
Previous: <a href="#Signals" accesskey="p" rel="prev">Recognized signals</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<span id="Index-1"></span><h2 class="unnumbered">Index</h2>
<table><tr><th valign="top">Jump to: &nbsp; </th><td><a class="summary-letter" href="#Index_cp_letter-A"><b>A</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-B"><b>B</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-C"><b>C</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-D"><b>D</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-E"><b>E</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-G"><b>G</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-H"><b>H</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-I"><b>I</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-K"><b>K</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-L"><b>L</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-M"><b>M</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-N"><b>N</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-O"><b>O</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-P"><b>P</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-R"><b>R</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-S"><b>S</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-T"><b>T</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-U"><b>U</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-X"><b>X</b></a>
 &nbsp; 
</td></tr></table>
<table class="index-cp" border="0">
<tr><td></td><th align="left">Index Entry</th><td>&nbsp;</td><th align="left"> Section</th></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-A">A</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-Arguments">Arguments</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Invoking">Invoking</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-ATTR-command">ATTR command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#ATTR">ATTR</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-B">B</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-BULK">BULK</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-BULK-command">BULK command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#BULK">BULK</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-C">C</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-CACHE">CACHE</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-CACHETIMEOUT-command">CACHETIMEOUT command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#CACHETIMEOUT">CACHETIMEOUT</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-CLEARCACHE-command">CLEARCACHE command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#CLEARCACHE">CLEARCACHE</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-CLIENTS">CLIENTS</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-COPY-command">COPY command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#COPY">COPY</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-D">D</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-Data-file-configuration-options">Data file configuration options</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-DECRYPT">DECRYPT</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-DELETE-command">DELETE command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#DELETE">DELETE</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-DELETEKEY-command">DELETEKEY command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#DELETEKEY">DELETEKEY</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-DUMP-command">DUMP command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#DUMP">DUMP</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-E">E</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-ENCRYPT">ENCRYPT</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-EXPIRE">EXPIRE</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-G">G</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-GENKEY">GENKEY</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-GENKEY-command">GENKEY command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#GENKEY">GENKEY</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-GET-command">GET command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#GET">GET</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-GETCONFIG-command">GETCONFIG command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#GETCONFIG">GETCONFIG</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-GETINFO-command">GETINFO command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#GETINFO">GETINFO</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-Getting-help">Getting help</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Invoking">Invoking</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-Global-configuration-options">Global configuration options</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Configuration">Configuration</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-H">H</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-HELP-command">HELP command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#HELP">HELP</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-I">I</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-IMPORT-command">IMPORT command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#IMPORT">IMPORT</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-INQUIRE_005fMAXLEN">INQUIRE_MAXLEN</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-ISCACHED-command">ISCACHED command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#ISCACHED">ISCACHED</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-K">K</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-KEEPALIVE">KEEPALIVE</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-key-expiration">key expiration</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Key-Expiration">Key Expiration</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-KEYINFO-command">KEYINFO command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#KEYINFO">KEYINFO</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-KILL-command">KILL command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#KILL">KILL</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-L">L</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-LIST-command">LIST command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#LIST">LIST</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-LISTKEYS-command">LISTKEYS command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#LISTKEYS">LISTKEYS</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-LOCK-command">LOCK command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#LOCK">LOCK</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-LOCKED">LOCKED</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-LS-command">LS command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#LS">LS</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-M">M</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-MODIFIED">MODIFIED</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-MOVE-command">MOVE command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#MOVE">MOVE</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-N">N</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-NEWFILE">NEWFILE</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-NOP-command">NOP command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#NOP">NOP</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-O">O</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-OPEN-command">OPEN command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#OPEN">OPEN</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-OPTION-command">OPTION command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#OPTION">OPTION</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-Options">Options</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Invoking">Invoking</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-P">P</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-PASSPHRASE_005fHINT">PASSPHRASE_HINT</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-PASSPHRASE_005fINFO">PASSPHRASE_INFO</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-PASSWD-command">PASSWD command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#PASSWD">PASSWD</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-R">R</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-REALPATH-command">REALPATH command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#REALPATH">REALPATH</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-REHANDSHAKE">REHANDSHAKE</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-Reloading-the-configuration-file">Reloading the configuration file</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-RENAME-command">RENAME command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#RENAME">RENAME</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-RESET-command">RESET command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#RESET">RESET</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-Running-pwmd">Running <code>pwmd</code></a>:</td><td>&nbsp;</td><td valign="top"><a href="#Invoking">Invoking</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-S">S</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-SAVE-command">SAVE command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#SAVE">SAVE</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-special-attributes">special attributes</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Other-Attributes">Other Attributes</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-STATE">STATE</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-STORE-command">STORE command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#STORE">STORE</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-T">T</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-target-attribute">target attribute</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Target-Attribute">Target Attribute</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-U">U</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-UNLOCK-command">UNLOCK command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#UNLOCK">UNLOCK</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
<tr><th id="Index_cp_letter-X">X</th><td></td><td></td></tr>
<tr><td></td><td valign="top"><a href="#index-XFER">XFER</a>:</td><td>&nbsp;</td><td valign="top"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-XPATH-command">XPATH command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#XPATH">XPATH</a></td></tr>
<tr><td></td><td valign="top"><a href="#index-XPATHATTR-command">XPATHATTR command</a>:</td><td>&nbsp;</td><td valign="top"><a href="#XPATHATTR">XPATHATTR</a></td></tr>
<tr><td colspan="4"> <hr></td></tr>
</table>
<table><tr><th valign="top">Jump to: &nbsp; </th><td><a class="summary-letter" href="#Index_cp_letter-A"><b>A</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-B"><b>B</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-C"><b>C</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-D"><b>D</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-E"><b>E</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-G"><b>G</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-H"><b>H</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-I"><b>I</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-K"><b>K</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-L"><b>L</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-M"><b>M</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-N"><b>N</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-O"><b>O</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-P"><b>P</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-R"><b>R</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-S"><b>S</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-T"><b>T</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-U"><b>U</b></a>
 &nbsp; 
<a class="summary-letter" href="#Index_cp_letter-X"><b>X</b></a>
 &nbsp; 
</td></tr></table>

</div>
</div>



</body>
</html>