Bump version for development.

[pwmd.git] / doc / pwmd.html

<!DOCTYPE html>
<html>
<!-- Created by GNU Texinfo 7.1.1, https://www.gnu.org/software/texinfo/ -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>pwmd Manual</title>

<meta name="description" content="pwmd Manual">
<meta name="keywords" content="pwmd Manual">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta name="viewport" content="width=device-width,initial-scale=1">

<link href="#Top" rel="start" title="Top">
<link href="#Index" rel="index" title="Index">
<link href="#SEC_Contents" rel="contents" title="Table of Contents">
<link href="dir.html#Top" rel="up" title="(dir)">
<style type="text/css">
<!--
a.copiable-link {visibility: hidden; text-decoration: none; line-height: 0em}
a.summary-letter-printindex {text-decoration: none}
div.example {margin-left: 3.2em}
kbd.key {font-style: normal}
span:hover a.copiable-link {visibility: visible}
td.printindex-index-entry {vertical-align: top}
td.printindex-index-section {vertical-align: top; padding-left: 1em}
th.entries-header-printindex {text-align:left}
th.sections-header-printindex {text-align:left; padding-left: 1em}
ul.toc-numbered-mark {list-style: none}
-->
</style>


</head>

<body lang="en">




<div class="top-level-extent" id="Top">
<div class="nav-panel">
<p>
Up: <a href="dir.html#Top" accesskey="u" rel="up">(dir)</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<a class="top" id="SEC_Top"></a>
 

<div class="element-contents" id="SEC_Contents">
<h2 class="contents-heading">Table of Contents</h2>

<div class="contents">

<ul class="toc-numbered-mark">
  <li><a id="toc-Overview-of-pwmd" href="#Introduction">1 Overview of <code class="command">pwmd</code></a></li>
  <li><a id="toc-Access-Control-1" href="#Access-Control">2 Access Control</a></li>
  <li><a id="toc-Cache-Control-1" href="#Cache-Control">3 Cache Control</a></li>
  <li><a id="toc-Invoking-pwmd" href="#Invoking">4 Invoking <code class="command">pwmd</code></a></li>
  <li><a id="toc-pwmd-configuration-file-options" href="#Configuration">5 <code class="command">pwmd</code> configuration file options</a></li>
  <li><a id="toc-Configuring-remote-connections-over-TLS_002e" href="#TLS">6 Configuring remote connections over TLS.</a></li>
  <li><a id="toc-Pinentry-configuration" href="#Pinentry">7 Pinentry configuration</a></li>
  <li><a id="toc-Protocol-commands-and-their-syntax" href="#Commands">8 Protocol commands and their syntax</a>
  <ul class="toc-numbered-mark">
    <li><a id="toc-Modifying-element-attributes_002e" href="#ATTR">8.1 Modifying element attributes.</a></li>
    <li><a id="toc-Run-a-series-of-commands-in-sequence_002e" href="#BULK">8.2 Run a series of commands in sequence.</a></li>
    <li><a id="toc-Setting-the-cache-timeout_002e" href="#CACHETIMEOUT">8.3 Setting the cache timeout.</a></li>
    <li><a id="toc-Removing-a-cache-entry_002e" href="#CLEARCACHE">8.4 Removing a cache entry.</a></li>
    <li><a id="toc-Copying-an-element_002e" href="#COPY">8.5 Copying an element.</a></li>
    <li><a id="toc-Deleting-an-element_002e" href="#DELETE">8.6 Deleting an element.</a></li>
    <li><a id="toc-Deleting-a-key-from-the-key-ring_002e" href="#DELETEKEY">8.7 Deleting a key from the key ring.</a></li>
    <li><a id="toc-Showing-the-XML-document_002e" href="#DUMP">8.8 Showing the XML document.</a></li>
    <li><a id="toc-Generating-a-new-key_002e" href="#GENKEY">8.9 Generating a new key.</a></li>
    <li><a id="toc-Getting-the-content-of-an-element_002e" href="#GET">8.10 Getting the content of an element.</a></li>
    <li><a id="toc-Obtaining-a-configuration-value_002e" href="#GETCONFIG">8.11 Obtaining a configuration value.</a></li>
    <li><a id="toc-Obtaining-server-and-client-information_002e" href="#GETINFO">8.12 Obtaining server and client information.</a></li>
    <li><a id="toc-Showing-available-commands_002e" href="#HELP">8.13 Showing available commands.</a></li>
    <li><a id="toc-Creating-elements-from-XML_002e" href="#IMPORT">8.14 Creating elements from XML.</a></li>
    <li><a id="toc-Testing-cache-status_002e" href="#ISCACHED">8.15 Testing cache status.</a></li>
    <li><a id="toc-Showing-keys-used-for-the-current-data-file_002e" href="#KEYINFO">8.16 Showing keys used for the current data file.</a></li>
    <li><a id="toc-Terminating-another-client_002e" href="#KILL">8.17 Terminating another client.</a></li>
    <li><a id="toc-Showing-document-elements_002e" href="#LIST">8.18 Showing document elements.</a></li>
    <li><a id="toc-Listing-keys-in-the-key-ring_002e" href="#LISTKEYS">8.19 Listing keys in the key ring.</a></li>
    <li><a id="toc-Locking-the-current-data-file_002e" href="#LOCK">8.20 Locking the current data file.</a></li>
    <li><a id="toc-Showing-available-data-files_002e" href="#LS">8.21 Showing available data files.</a></li>
    <li><a id="toc-Moving-an-element_002e" href="#MOVE">8.22 Moving an element.</a></li>
    <li><a id="toc-Testing-the-connection_002e" href="#NOP">8.23 Testing the connection.</a></li>
    <li><a id="toc-Opening-a-data-file_002e" href="#OPEN">8.24 Opening a data file.</a></li>
    <li><a id="toc-Setting-various-client-parameters_002e" href="#OPTION">8.25 Setting various client parameters.</a></li>
    <li><a id="toc-Changing-the-passphrase-for-a-key_002e" href="#PASSWD">8.26 Changing the passphrase for a key.</a></li>
    <li><a id="toc-Resolving-an-element_002e" href="#REALPATH">8.27 Resolving an element.</a></li>
    <li><a id="toc-Renaming-an-element_002e" href="#RENAME">8.28 Renaming an element.</a></li>
    <li><a id="toc-Resetting-the-client-state_002e" href="#RESET">8.29 Resetting the client state.</a></li>
    <li><a id="toc-Saving-document-changes-to-disk_002e" href="#SAVE">8.30 Saving document changes to disk.</a></li>
    <li><a id="toc-Modifying-the-content-of-an-element_002e" href="#STORE">8.31 Modifying the content of an element.</a></li>
    <li><a id="toc-Removing-a-data-file-lock_002e" href="#UNLOCK">8.32 Removing a data file lock.</a></li>
    <li><a id="toc-Modifying-more-than-one-element_002e" href="#XPATH">8.33 Modifying more than one element.</a></li>
    <li><a id="toc-Modifying-more-than-one-element_0027s-attributes_002e" href="#XPATHATTR">8.34 Modifying more than one element&rsquo;s attributes.</a></li>
  </ul></li>
  <li><a id="toc-Running-multiple-commands-in-sequence" href="#Bulk-Commands">9 Running multiple commands in sequence</a></li>
  <li><a id="toc-Status-messages-and-their-meanings" href="#Status-Messages">10 Status messages and their meanings</a></li>
  <li><a id="toc-The-target-attribute" href="#Target-Attribute">11 The <code class="code">target</code> attribute</a></li>
  <li><a id="toc-Other-special-attributes" href="#Other-Attributes">12 Other special attributes</a></li>
  <li><a id="toc-Key-Expiration-1" href="#Key-Expiration">13 Key Expiration</a></li>
  <li><a id="toc-Recognized-signals" href="#Signals">14 Recognized signals</a></li>
  <li><a id="toc-Index-1" href="#Index" rel="index">Index</a></li>
</ul>
</div>
</div>
<hr>
<div class="chapter-level-extent" id="Introduction">
<div class="nav-panel">
<p>
Next: <a href="#Access-Control" accesskey="n" rel="next">Access Control</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Overview-of-pwmd"><span>1 Overview of <code class="command">pwmd</code><a class="copiable-link" href="#Overview-of-pwmd"> &para;</a></span></h2>






<p><em class="dfn">Password Manager Daemon</em> (or <code class="command">pwmd</code>) is a server that users or
applications connect to and send commands to store and retrieve data that is
stored in an OpenPGP encrypted <abbr class="acronym">XML</abbr> document. It mimics a filesystem
in a lot of ways including per element <abbr class="acronym">ACL</abbr>&rsquo;s, but also has the
advantage of remote connections over <abbr class="acronym">TLS</abbr> and a document cache. The
document cache is needed for a data file encrypted with secret keys stored on
a smartcard and without availability of an <abbr class="acronym">HSM</abbr>.
</p>
<p>The server uses the Assuan protocol and is the same used by
<code class="command">gpg-agent</code>, <code class="command">pinentry</code>, <code class="command">gpgme</code> and
<code class="command">scdaemon</code>. It also uses <cite class="cite">libgpg-error</cite> for error reporting with
<var class="var">GPG_ERR_SOURCE_USER_1</var> being the error source.
</p>

<p>The <abbr class="acronym">XML</abbr> document uses the following <abbr class="acronym">DTD</abbr>:
</p>
<div class="example">
<pre class="example-preformatted">    &lt;?xml version=&quot;1.0&quot;?&gt;
    &lt;!DOCTYPE pwmd [
    &lt;!ELEMENT pwmd (element*)&gt;
    &lt;!ATTLIST element _name CDATA #REQUIRED&gt;
    ]&gt;
</pre></div>

<p>The <code class="code">pwmd</code> element is the document root node while all other elements
of the document have the name <code class="code">element</code> with an attribute <code class="code">_name</code>
whose value uniquely identifies the element at the current element tree depth.
It is done this way to avoid <abbr class="acronym">XML</abbr> parsing errors for commonly used
characters.  A <abbr class="acronym">URL</abbr> for example would be an invalid <abbr class="acronym">XML</abbr>
element since the <abbr class="acronym">URI</abbr> contains a &lsquo;<samp class="samp">:</samp>&rsquo; which is also the
<abbr class="acronym">XML</abbr> namespace separator.
</p>
<p>As mentioned, an element name must be unique for the current element tree
depth. You cannot have two elements containing the same <code class="code">_name</code> attribute
value. <code class="command">pwmd</code> will stop searching for an element of an <em class="emph">element
path</em> at the first match then continue searching for the next element of the
element path beginning at the child node of the matched element.
</p>
<p>An <em class="emph">element path</em> is a <code class="code">TAB</code> delimited character string where each
<code class="code">TAB</code> separates each element in the path.  For example, the element path
<code class="code">a<code class="code">TAB</code>b<code class="code">TAB</code>c</code> has the following <abbr class="acronym">XML</abbr> document
structure:
</p>
<div class="example">
<pre class="example-preformatted">      &lt;pwmd&gt;
            &lt;element _name=&quot;a&quot;&gt;
                &lt;element _name=&quot;b&quot;&gt;
                    &lt;element _name=&quot;c&quot;&gt;
                        [... element value or content ...]
                    &lt;/element&gt;
                &lt;/element&gt;
            &lt;/element&gt;
        &lt;/pwmd&gt;
</pre></div>

<p>The only restriction of an element name is that it contain no whitespace
characters.
</p>
<hr>
</div>
<div class="chapter-level-extent" id="Access-Control">
<div class="nav-panel">
<p>
Next: <a href="#Cache-Control" accesskey="n" rel="next">Cache Control</a>, Previous: <a href="#Introduction" accesskey="p" rel="prev">Overview of <code class="command">pwmd</code></a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Access-Control-1"><span>2 Access Control<a class="copiable-link" href="#Access-Control-1"> &para;</a></span></h2>

<p>Like a filesystem has an <abbr class="acronym">ACL</abbr> to grant or limit access to directories
or files for a specific user or group, <code class="command">pwmd</code> can limit a local user,
group, <abbr class="acronym">TLS</abbr> connection or a command to a specific element path. This
is done by storing an <abbr class="acronym">ACL</abbr> in the element attribute <var class="var">_acl</var>. Its
syntax is similar to the <var class="var">allowed</var> configuration parameter
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) with the exception that a <abbr class="acronym">TLS</abbr> fingerprint
hash is prefixed with a <code class="code">#</code>.
</p>
<p>Access is denied for any user that is not in the <abbr class="acronym">ACL</abbr> of an element
with the exception of an invoking user (see <var class="var">invoking_user</var>). The
connected client must be in the <abbr class="acronym">ACL</abbr> for each element in an element
path otherwise an error is returned.
</p>
<p>The first user listed in the <abbr class="acronym">ACL</abbr> is considered the owner of the
element and must be a username or <abbr class="acronym">TLS</abbr> fingerprint. This determines
which clients may modify an <var class="var">_acl</var> attribute and store content for an
element. An <var class="var">invoking_user</var> may always modify an <abbr class="acronym">ACL</abbr>. As an
example:
</p>
<div class="example">
<pre class="example-preformatted">&lt;element _name=&quot;test&quot; _acl=&quot;username,-@wheel,root,#ABCDEF,/usr/bin/pwmc&quot;&gt;
        &lt;element _name=&quot;child&quot;/&gt;
&lt;/element&gt;
</pre></div>

<p>The user <code class="code">username</code> would be allowed both read and write access to the
<code class="code">test</code> element but not if it is a member of the <code class="code">wheel</code> group
although, the <code class="code">root</code> user, who may be a member of the <code class="code">wheel</code> group,
is allowed read-only access. The SHA-256 <abbr class="acronym">TLS</abbr> fingerprint hash
<code class="code">#ABCDEF</code> is also allowed.  No users other than an <var class="var">invoking_user</var>
are allowed access to the <code class="code">child</code> element. When a command path is found
in the <var class="var">_acl</var> then the local client command name must match one of the
command paths in the <var class="var">_acl</var> unless the client is the owner of the element.
The ability to specify read and write access for each user in an <abbr class="acronym">ACL</abbr>
is a feature planned for a later release.
</p>
<hr>
</div>
<div class="chapter-level-extent" id="Cache-Control">
<div class="nav-panel">
<p>
Next: <a href="#Invoking" accesskey="n" rel="next">Invoking <code class="command">pwmd</code></a>, Previous: <a href="#Access-Control" accesskey="p" rel="prev">Access Control</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Cache-Control-1"><span>3 Cache Control<a class="copiable-link" href="#Cache-Control-1"> &para;</a></span></h2>



<p>While <code class="command">pwmd</code> has its own cache settings for an <abbr class="acronym">XML</abbr> document,
<code class="command">gpg-agent</code> has cache settings for the keys used for crypto operations
of a data file. Specifically the <samp class="option">ignore-cache-for-signing</samp>,
<samp class="option">default-cache-ttl</samp> and <samp class="option">max-cache-ttl</samp> options. These
<code class="command">gpg-agent</code> options may need to be adjusted depending on your usage
needs. For example, the <code class="code">OPEN</code> command may not require a passphrase to
open a data file due to the gpg-agent having a cached key even though the
<code class="code">ISCACHED</code> command returns an error indicating the data file is not
cached; which usually means a passphrase would be required. Keys for symmetric
data files are never kept in the <code class="command">gpg-agent</code> cache regardless of
<code class="command">gpg-agent</code> cache settings.
</p>
<p>A copy-on-write operation is done for commands that modify the document; the
client that invoked the command will work on a copy of the in-memory document.
The first client to <code class="code">SAVE</code> the changes to disk will require other clients
to reopen the data file due to the checksum being updated.
</p>
<hr>
</div>
<div class="chapter-level-extent" id="Invoking">
<div class="nav-panel">
<p>
Next: <a href="#Configuration" accesskey="n" rel="next"><code class="command">pwmd</code> configuration file options</a>, Previous: <a href="#Cache-Control" accesskey="p" rel="prev">Cache Control</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Invoking-pwmd"><span>4 Invoking <code class="command">pwmd</code><a class="copiable-link" href="#Invoking-pwmd"> &para;</a></span></h2>


<p><code class="command">pwmd</code> uses GpgME for encryption, decryption and signing of the
OpenPGP data file. GpgME itself makes use of <code class="command">gpg</code> for these
operations so some configuration of <code class="command">gpg</code> may be needed.  Pwmd spawns
a separate <code class="command">gpg-agent</code> process when <var class="var">gpg_homedir</var>
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) is not set to an instance of an already running
gpg-agent. Any <code class="command">gpg</code> configuration options that you need set should be
put in <var class="var">~/.pwmd/.gnupg/gpg.conf</var> or the <var class="var">gpg.conf</var> file located in
<var class="var">gpg_homedir</var>. The same is true for the <var class="var">gpg-agent.conf</var> file to set
any required <code class="command">gpg-agent</code> options.
</p>
<p>It is recommended to pass the <samp class="option">--allow-preset-passphrase</samp>
option to <code class="command">gpg-agent</code>. Doing so allows <code class="command">pwmd</code>
cache pushing on startup. It is also recommended to pass the
<samp class="option">--allow-loopback-pinentry</samp> to <code class="command">gpg-agent</code> (this is the default
as of gnupg-2.1.15). This option allows a passphrase to be inquired from
<code class="command">pwmd</code> when a <code class="command">pinentry</code> is unavailable to the client
(see <a class="pxref" href="#TLS">Configuring remote connections over TLS.</a>).
</p>
<p>If you would like to use a keypair from your default gnupg keyring located in
~/.gnupg, but would still like to use a separate gpg-agent process (the
default), you would need to first export the public key from the default
keyring then import it into the keyring that pwmd uses. You can do this by
first exporting the public key, then use the <samp class="option">--homedir ~/.pwmd/.gnupg</samp>
option of <code class="command">gpg</code> to import it into the new keyring. For private keys,
you would need to copy the private key associated with the exported public key
to <var class="var">~/.pwmd/.gnupg/private-keys-v1.d</var>. If the private key is stored on
a smartcard you can also use the <code class="code">KEYINFO --learn</code> command
(see <a class="pxref" href="#KEYINFO">Showing keys used for the current data file.</a>).
</p>
<a class="index-entry-id" id="index-Running-pwmd"></a>
<p><code class="command">pwmd</code> is executed as follows: 
</p> 
<div class="example">
<pre class="example-preformatted">pwmd <var class="var">options</var> [ file1 ] [ ... ]
</pre></div>

<p>Non-option arguments are data files to cache upon startup. When the data file
requires a passphrase for decryption a <code class="command">pinentry</code> will prompt either
on the current TTY or from an X11 window when the <code class="env">DISPLAY</code>
environment variable is set. See <a class="xref" href="#Pinentry">Pinentry configuration</a>.
</p>
<a class="index-entry-id" id="index-Options"></a>
<a class="index-entry-id" id="index-Arguments"></a>
<p>The following command line options are supported:
</p>
<a class="index-entry-id" id="index-Getting-help"></a>
<dl class="table">
<dt>&lsquo;<samp class="samp">--debug protocol:level[,protocol:level]</samp>&rsquo;</dt>
<dd><p>Enable debugging output. This option can output sensitive information such as
passphrases and secret keys so care should be taken where the output gets
written to. The <var class="var">protocol</var> is a single character representing the protocol
to log. Use <code class="code">a</code> for <code class="code">libassuan</code> with <var class="var">level</var> being one or more
character flags: <code class="code">i</code> for init, <code class="code">x</code> for context, <code class="code">e</code> for engine,
<code class="code">d</code> for data, <code class="code">s</code> for system IO or <code class="code">c</code> for control.  To debug
<code class="code">gpgme</code> use <code class="code">g</code> as the <var class="var">protocol</var> with <var class="var">level</var> being an
integer from <code class="code">1</code> to <code class="code">9</code>. To enable <abbr class="acronym">TLS</abbr> debugging output
use <code class="code">t</code> as the <var class="var">protocol</var> with <var class="var">level</var> being an integer from
<code class="code">1</code> to <code class="code">9</code>. A value over <code class="code">10</code> will enable all <abbr class="acronym">TLS</abbr>
debugging output with <code class="code">1</code> being the default.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--homedir directory</samp>&rsquo;</dt>
<dd><p>The root directory where pwmd will store its data and temporary files.  The
default is <samp class="file">~/.pwmd</samp>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--rcfile, -f rcfile</samp>&rsquo;</dt>
<dd><p>Specify an alternate configuration file. The default is
<samp class="file">~/.pwmd/config</samp>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--kill</samp>&rsquo;</dt>
<dd><p>Terminate an existing instance of pwmd. The process to terminate is determined
from the <samp class="option">--homedir</samp> and <samp class="option">--rcfile</samp> options.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--import, -I filename|-</samp>&rsquo;</dt>
<dd><p>Imports the <abbr class="acronym">XML</abbr> <var class="var">filename</var>. When <var class="var">filename</var> is <code class="code">-</code> the
<abbr class="acronym">XML</abbr> is read from <code class="code">stdin</code>. The <abbr class="acronym">XML</abbr> file should be in conformance to
the <code class="command">pwmd</code> <abbr class="acronym">DTD</abbr> (see <a class="pxref" href="#Introduction">Overview of <code class="command">pwmd</code></a>). You will be prompted for
a passphrase to encrypt with.  The output is written to the filename specified
with <samp class="option">--outfile</samp>. To make use of the imported data, place the output
file in <samp class="file">~/.pwmd/data</samp>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--output, -o filename|-</samp>&rsquo;</dt>
<dd><p>When importing, write the encrypted data file to <var class="var">filename</var>. When
<var class="var">filename</var> is <code class="code">-</code> output will be written to <code class="code">stdout</code>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--passphrase-file, -k filename&quot;</samp>&rsquo;</dt>
<dd><p>Obtain the passphrase to use when importing from the specified <var class="var">filename</var>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--keyid fingerprint[,fingerprint,&hellip;]</samp>&rsquo;</dt>
<dd><p>Specifies the fingerprint of the encryption key to use as a recipient when
importing. When not specified a new key-pair will be created.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--sign-keyid fingerprint</samp>&rsquo;</dt>
<dd><p>Specifies the fingerprint of the signing key to use for signing of the data
file when importing.  When not specified the signing key of the generated
key-pair or the signing key of the <samp class="option">--keyid</samp> option will be used.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--symmetric, -s</samp>&rsquo;</dt>
<dd><p>Use symmetric or conventional encryption rather than pubic key encryption when
importing.  Signing is still possible by using the <samp class="option">--sign-keyid</samp>
option. By default no signing is done when specifying this option.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--userid string</samp>&rsquo;</dt>
<dd><p>When importing, the user id used to identify the generated key. This should be
in the form <code class="code">First Last &lt;email&gt;</code>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--algo string</samp>&rsquo;</dt>
<dd><p>When importing, the algorithm to use when generating the new key pair. The
default is determined by <code class="command">gpg</code>.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--expire seconds</samp>&rsquo;</dt>
<dd><p>When importing, the time, in seconds since epoch, when the generated key will
expire. Specifying <code class="code">0</code> will never expire the key. The default is three
years.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--no-passphrase</samp>&rsquo;</dt>
<dd><p>When importing, don&rsquo;t require a passphrase for the generated key.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--disable-dump</samp>&rsquo;</dt>
<dd><p>Disable the <code class="code">XPATH</code>, <code class="code">XPATHATTR</code>, <code class="code">LIST</code> and <code class="code">DUMP</code>
protocol commands (see <a class="pxref" href="#Commands">Protocol commands and their syntax</a>). This overrides any
<var class="var">disable_list_and_dump</var> configuration parameter (see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>).
</p>
</dd>
<dt>&lsquo;<samp class="samp">--no-fork, -n</samp>&rsquo;</dt>
<dd><p>Run as a foreground process and do not fork into the background.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--force</samp>&rsquo;</dt>
<dd><p>Ignore cache pushing failures on startup. By default, <code class="command">pwmd</code> will exit
if an error occurred due to an invalid passphrase or other error.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--version</samp>&rsquo;</dt>
<dd><p>Show the version, copyright and compile time features and exit.
</p>
</dd>
<dt>&lsquo;<samp class="samp">--help</samp>&rsquo;</dt>
<dd><p>Print a summary of options.
</p></dd>
</dl>


<hr>
</div>
<div class="chapter-level-extent" id="Configuration">
<div class="nav-panel">
<p>
Next: <a href="#TLS" accesskey="n" rel="next">Configuring remote connections over TLS.</a>, Previous: <a href="#Invoking" accesskey="p" rel="prev">Invoking <code class="command">pwmd</code></a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="pwmd-configuration-file-options"><span>5 <code class="command">pwmd</code> configuration file options<a class="copiable-link" href="#pwmd-configuration-file-options"> &para;</a></span></h2>


<p>If no configuration file is specified with the <code class="command">pwmd</code> <samp class="option">-f</samp>
command line option, <code class="command">pwmd</code> will read <samp class="file">~/.pwmd/config</samp> if it
exists, and if not, will use defaults.  Blank lines and lines beginning with
&lsquo;<samp class="samp">#</samp>&rsquo; are ignored. Some parameters may have data file specific settings by
placing them in a file section. A file section is declared by surrounding the
filename with braces (i.e., &lsquo;<samp class="samp">[filename]</samp>&rsquo;).  Global options may be
specified in the <code class="code">global</code> section (e.g., &lsquo;<samp class="samp">[global]</samp>&rsquo;) and are the
default options for new or unspecified file sections.
</p>
<p>A tilde <code class="code">~</code> will be expanded to the home directory of the user starting
<code class="command">pwmd</code> when contained in a parameter whose value is a filename.
</p>
<a class="index-entry-id" id="index-Reloading-the-configuration-file"></a>
<p>The configuration file can be reloaded by sending the <em class="emph">SIGHUP</em> signal to
a <code class="command">pwmd</code> process. Some security sensitive settings may not be changed
until <code class="command">pwmd</code> is stopped then restarted.
</p>
<a class="index-entry-id" id="index-Global-configuration-options"></a>
<p>The following options are only for use in the <code class="code">[global]</code> section:
</p>
<dl class="table">
<dt><a id="index-socket_005fpath"></a><span>&lsquo;<samp class="samp">socket_path = /path/to/socket</samp>&rsquo;<a class="copiable-link" href="#index-socket_005fpath"> &para;</a></span></dt>
<dd><p>Listen on the specified socket. The default is <samp class="file">~/.pwmd/socket</samp>.
</p>
</dd>
<dt><a id="index-socket_005fperms"></a><span>&lsquo;<samp class="samp">socket_perms = octal_mode</samp>&rsquo;<a class="copiable-link" href="#index-socket_005fperms"> &para;</a></span></dt>
<dd><p>Permissions to set after creating the socket. This will override any
<cite class="cite">umask(2)</cite> setting.
</p>
</dd>
<dt><a id="index-backlog"></a><span>&lsquo;<samp class="samp">backlog = integer</samp>&rsquo;<a class="copiable-link" href="#index-backlog"> &para;</a></span></dt>
<dd><p>The number of connections to queue. When this limit is reached then new
connections will be refused. The default is <code class="code">128</code>.
</p>
</dd>
<dt><a id="index-invoking_005fuser"></a><span>&lsquo;<samp class="samp">invoking_user = [-!]user,[-!]@group,[-!]#SHA-256,&hellip;</samp>&rsquo;<a class="copiable-link" href="#index-invoking_005fuser"> &para;</a></span></dt>
<dd><p>This parameter is not to be confused with setuid or setguid upon startup. It&rsquo;s
syntax is the same as the <code class="code">allowed</code> parameter except that it is a list of
local usernames, group names and <abbr class="acronym">TLS</abbr> fingerprint hashes that may use the
<code class="command">XPATH</code>, <code class="command">XPATHATTR</code> and <code class="command">DUMP</code> commands (except when
disabled with the <code class="code">disable_list_and_dump</code> option) and also who may modify
elements that have no <code class="code">_acl</code> attribute or is not listed in an
<code class="code">_acl</code>. It is similar to the system administrator root account but for a
data file and element paths (see <a class="pxref" href="#Access-Control">Access Control</a>). The default is specified
at compile-time and also by default is the user <code class="code">nobody</code>.
</p>
</dd>
<dt><a id="index-invoking_005ffile"></a><span>&lsquo;<samp class="samp">invoking_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-invoking_005ffile"> &para;</a></span></dt>
<dd><p>A file containing one entry per line. An entry has the same syntax as the
<code class="code">invoking_user</code> parameter. When both this parameter and the
<code class="code">invoking_user</code> parameter are specified then the <code class="code">invoking_user</code>
parameter will behave as if the <code class="code">invoking_file</code> entries have been
appended to the <code class="code">invoking_user</code> parameter value.
</p>
</dd>
<dt><a id="index-strict_005fopen"></a><span>&lsquo;<samp class="samp">strict_open = boolean</samp>&rsquo;<a class="copiable-link" href="#index-strict_005fopen"> &para;</a></span></dt>
<dd><p>When <code class="code">true</code>, disallow creation of a new data file when the current client
is not an <code class="code">invoking_user</code>. The default is <code class="code">false</code>.
</p>
</dd>
<dt><a id="index-strict_005fkill"></a><span>&lsquo;<samp class="samp">strict_kill = boolean</samp>&rsquo;<a class="copiable-link" href="#index-strict_005fkill"> &para;</a></span></dt>
<dd><p>When <code class="code">false</code>, the <code class="code">KILL</code> command (see <a class="pxref" href="#KILL">Terminating another client.</a>) will allow killing
another client that is not of the same <code class="code">UID</code> or <abbr class="acronym">TLS</abbr> fingerprint of
the current client and when not an <code class="code">invoking_user</code>. The default us
<code class="code">false</code>.
</p>
</dd>
<dt><a id="index-allowed"></a><span>&lsquo;<samp class="samp">allowed = [-!]user,[-!]@group,[+,][-!]#SHA-256,[-!]/path/to/exec[&hellip;]</samp>&rsquo;<a class="copiable-link" href="#index-allowed"> &para;</a></span></dt>
<dd><p>A comma separated list of local user names, group names or <abbr class="acronym">TLS</abbr>
fingerprint SHA-256 hashes (in the case of a remote client) which are
allowed to connect.  Groups should be prefixed with a &lsquo;<samp class="samp">@</samp>&rsquo;. When not
specified only the user who started <code class="command">pwmd</code> may connect. An entry in
the list may be prefixed with a <code class="code">-</code> or <code class="code">!</code> to prevent access. The
order of the list is important since a user may be a member of multiple
groups, for example.
</p>
<p>Connections from local clients may also be limited by command name. A command
name is the full path to the execuatble on the filesystem. The command check
is done after all other user and group name checks. When no command is
specified all commands are allowed. This feature is ignored when the
connecting client is not of the same <abbr class="acronym">UID</abbr> as the user that invoked
<code class="command">pwmd</code>.
</p>
<p>This parameter may also be specified in a filename section to allow or deny a
client to <code class="code">OPEN</code> (see <a class="pxref" href="#OPEN">Opening a data file.</a>) a data file. It also affects the cache
commands <code class="code">CLEARCACHE</code> (see <a class="pxref" href="#CLEARCACHE">Removing a cache entry.</a>) and <code class="code">CACHETIMEOUT</code>
(see <a class="pxref" href="#CACHETIMEOUT">Setting the cache timeout.</a>). When not specified in a file section, any client
allowed to connect may also open any filename provided they can decrypt it.
Note that when specified in a file section that any <var class="var">allowed</var> parameter in
the <code class="code">global</code> seciton is not considered.
</p>
<p>The following example would deny all users in group <code class="code">primary</code> but
allow <code class="code">username</code> who may be a member of <code class="code">primary</code>. It will also
allow any <abbr class="acronym">TLS</abbr> client except for the client with <abbr class="acronym">TLS</abbr>
fingerprint hash <code class="code">#ABCDEF</code>. For local connections, the connecting client
must be using the /usr/bin/pwmc program:
</p>
<div class="example">
<pre class="example-preformatted">allowed=-@primary,username,+,!#ABCDEF,/usr/bin/pwmc
</pre></div>

</dd>
<dt><a id="index-allowed_005ffile"></a><span>&lsquo;<samp class="samp">allowed_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-allowed_005ffile"> &para;</a></span></dt>
<dd><p>A file containing one entry per line. An entry has the same syntax as the
<code class="code">allowed</code> parameter except that a line beginning with a semicolon is
ignored. When both this parameter and the <code class="code">allowed</code> parameter are
specified then the <code class="code">allowed_file</code> entries will be appended to the
<code class="code">allowed</code> parameter value.
</p>
</dd>
<dt><a id="index-encrypt_005fto"></a><span>&lsquo;<samp class="samp">encrypt_to = boolean</samp>&rsquo;<a class="copiable-link" href="#index-encrypt_005fto"> &para;</a></span></dt>
<dd><p>When <code class="code">true</code> and <code class="command">SAVE</code>&rsquo;ing a data file, allow <code class="command">gpg</code> to
append it&rsquo;s configured key to the list of recipients. The default is
<code class="code">false</code> meaning that only keys specified with <code class="command">SAVE</code>
<samp class="option">--keyid</samp> are recipients.
</p>
</dd>
<dt><a id="index-always_005ftrust"></a><span>&lsquo;<samp class="samp">always_trust = boolean</samp>&rsquo;<a class="copiable-link" href="#index-always_005ftrust"> &para;</a></span></dt>
<dd><p>When <code class="code">true</code>, allow encrypting to untrusted recipients or public
encryption keys. If you receive an error when <code class="command">SAVE</code>&rsquo;ing stating that
the public key is unusable, either enable this option or edit the keys&rsquo; trust
value:
</p><div class="example">
<pre class="example-preformatted">gpg --homedir ~/.pwmd/.gnupg --edit-key &lt;fingerprint&gt;
</pre></div>
<p>The default is <code class="code">false</code>.
</p>
</dd>
<dt><a id="index-gpg_005fhomedir"></a><span>&lsquo;<samp class="samp">gpg_homedir = path</samp>&rsquo;<a class="copiable-link" href="#index-gpg_005fhomedir"> &para;</a></span></dt>
<dd><p>The location where <code class="command">gpg</code> will store its public and private keys and
configuration. The default is <samp class="file">HOMEDIR/.gnupg</samp> where <var class="var">HOMEDIR</var> is the
default (<samp class="file">~/.pwmd</samp>) or the value specified on the command line with the
<samp class="option">--homedir</samp> command line option (see <a class="pxref" href="#Invoking">Invoking <code class="command">pwmd</code></a>). If you want to use
your standard <code class="command">gpg</code> keyring then set this to <samp class="file">~/.gnupg</samp>. Note
that a new instance of <code class="command">gpg-agent</code> will be started when <em class="emph">not</em>
using the standard keyring and that any configuration options for
<code class="command">gpg-agent</code> will need to placed in
<samp class="file">HOMEDIR/.gnupg/gpg-agent.conf</samp>.
</p>
</dd>
<dt><a id="index-disable_005fmlockall"></a><span>&lsquo;<samp class="samp">disable_mlockall = boolean</samp>&rsquo;<a class="copiable-link" href="#index-disable_005fmlockall"> &para;</a></span></dt>
<dd><p>When set to <code class="code">false</code>, <cite class="cite">mlockall(2)</cite> will be called on startup.  This
will use more physical memory but may also be more secure since no swapping to
disk will occur. The default is <var class="var">true</var>. If possible, use an encrypted swap
file or partition and leave this set to <var class="var">true</var>.
</p>
</dd>
<dt><a id="index-log_005fpath"></a><span>&lsquo;<samp class="samp">log_path = /path/to/logfile</samp>&rsquo;<a class="copiable-link" href="#index-log_005fpath"> &para;</a></span></dt>
<dd><p>Logs informational messages to the specified file. The default is
<samp class="file">~/.pwmd/log</samp>.
</p>
</dd>
<dt><a id="index-enable_005flogging"></a><span>&lsquo;<samp class="samp">enable_logging = boolean</samp>&rsquo;<a class="copiable-link" href="#index-enable_005flogging"> &para;</a></span></dt>
<dd><p>Enable or disable logging to <var class="var">log_path</var>. The default is <code class="code">false</code>.
</p>
</dd>
<dt><a id="index-log_005fkeepopen"></a><span>&lsquo;<samp class="samp">log_keepopen = boolean</samp>&rsquo;<a class="copiable-link" href="#index-log_005fkeepopen"> &para;</a></span></dt>
<dd><p>When set to <code class="code">false</code>, the log file specified with <var class="var">log_path</var> will be
closed after writing each line. The default is <code class="code">true</code>.
</p>
</dd>
<dt><a id="index-syslog"></a><span>&lsquo;<samp class="samp">syslog = boolean</samp>&rsquo;<a class="copiable-link" href="#index-syslog"> &para;</a></span></dt>
<dd><p>Enable logging to <cite class="cite">syslog(8)</cite> with facility <em class="emph">LOG_DAEMON</em> and priority
<em class="emph">LOG_INFO</em>. The default is <code class="code">false</code>.
</p>
</dd>
<dt><a id="index-log_005flevel"></a><span>&lsquo;<samp class="samp">log_level = level</samp>&rsquo;<a class="copiable-link" href="#index-log_005flevel"> &para;</a></span></dt>
<dd><p>When <code class="code">0</code>, only connections and errors are logged. When <code class="code">1</code>, data
file recipients and signers are logged during <code class="code">OPEN</code> (see <a class="pxref" href="#OPEN">Opening a data file.</a>) and
<code class="code">SAVE</code> (see <a class="pxref" href="#SAVE">Saving document changes to disk.</a>). When <code class="code">2</code>, client commands are also logged.
The default is <code class="code">0</code>.
</p>
</dd>
<dt><a id="index-kill_005fscd"></a><span>&lsquo;<samp class="samp">kill_scd = boolean</samp>&rsquo;<a class="copiable-link" href="#index-kill_005fscd"> &para;</a></span></dt>
<dd><p>Attempt to kill <code class="command">scdaemon</code> after a client disconnects.  The default is
<code class="code">false</code>.
</p>
</dd>
<dt><a id="index-disable_005flist_005fand_005fdump"></a><span>&lsquo;<samp class="samp">disable_list_and_dump = boolean</samp>&rsquo;<a class="copiable-link" href="#index-disable_005flist_005fand_005fdump"> &para;</a></span></dt>
<dd><p>When <code class="code">true</code> the <code class="code">XPATH</code>, <code class="code">XPATHATTR</code>, <code class="code">LIST</code> and
<code class="code">DUMP</code> protocol commands (see <a class="pxref" href="#Commands">Protocol commands and their syntax</a>) will be disabled.
</p>
</dd>
<dt><a id="index-cache_005fpush"></a><span>&lsquo;<samp class="samp">cache_push = file1,file2</samp>&rsquo;<a class="copiable-link" href="#index-cache_005fpush"> &para;</a></span></dt>
<dd><p>A comma separated list of filenames to be cached upon startup. <code class="command">pwmd</code>
will prompt for the passphrase for each file unless specified with
<var class="var">passphrase_file</var> parameter in a matching file section.
</p>
</dd>
<dt><a id="index-priority"></a><span>&lsquo;<samp class="samp">priority = integer</samp>&rsquo;<a class="copiable-link" href="#index-priority"> &para;</a></span></dt>
<dd><p>The priority or niceness of the server. The default is inherited from the
parent process.
</p>
</dd>
<dt><a id="index-lock_005ftimeout"></a><span>&lsquo;<samp class="samp">lock_timeout = integer</samp>&rsquo;<a class="copiable-link" href="#index-lock_005ftimeout"> &para;</a></span></dt>
<dd><p>The default timeout in tenths of a second before giving up while waiting for a
file lock and returning an error. The default is <code class="code">50</code>.
</p>
</dd>
</dl>

<a class="index-entry-id" id="index-Data-file-configuration-options"></a>
<p>The following options are defaults for new files when specified in the
&lsquo;<samp class="samp">global</samp>&rsquo; section. When placed in a data file section they are options
specific to that data file only.
</p>
<dl class="table">
<dt><a id="index-require_005fsave_005fkey"></a><span>&lsquo;<samp class="samp">require_save_key = boolean</samp>&rsquo;<a class="copiable-link" href="#index-require_005fsave_005fkey"> &para;</a></span></dt>
<dd><p>Require the passphrase needed for signing before writing changes of the
document to disk regardless of the key cache status. The default is
<code class="code">true</code>. This option compliments <code class="command">gpg-agent</code> option
<samp class="option">--ignore-cache-for-signing</samp> and is used as a fail-safe.
</p>
</dd>
<dt><a id="index-backup"></a><span>&lsquo;<samp class="samp">backup = boolean</samp>&rsquo;<a class="copiable-link" href="#index-backup"> &para;</a></span></dt>
<dd><p>Whether to create a backup of the data file when saving. The backup filename
has the <samp class="file">.backup</samp> extension appended to the opened file. The default is
<code class="code">true</code>. 
</p>
</dd>
<dt><a id="index-cache_005ftimeout"></a><span>&lsquo;<samp class="samp">cache_timeout = seconds</samp>&rsquo;<a class="copiable-link" href="#index-cache_005ftimeout"> &para;</a></span></dt>
<dd><p>The number of seconds to keep the cache entry for this file. If <code class="code">-1</code>, the
cache entry is kept forever. If <code class="code">0</code>, each time an encrypted file is
<code class="code">OPEN</code>ed (see <a class="pxref" href="#OPEN">Opening a data file.</a>) a passphrase will be required. The default
is <code class="code">600</code> or 10 minutes.
</p>
</dd>
<dt><a id="index-passphrase_005ffile"></a><span>&lsquo;<samp class="samp">passphrase_file = /path/to/filename</samp>&rsquo;<a class="copiable-link" href="#index-passphrase_005ffile"> &para;</a></span></dt>
<dd><p>Obtain the passphrase to open the data file from <var class="var">filename</var>. If specified
in the &lsquo;<samp class="samp">global</samp>&rsquo; section then the <var class="var">passphrase_file</var> is a default for
all data files. Note that if a client changes the passphrase for this data
file then the <var class="var">passphrase_file</var> will need to be updated with the new
passphrase.
</p>
</dd>
<dt><a id="index-recursion_005fdepth"></a><span>&lsquo;<samp class="samp">recursion_depth = integer</samp>&rsquo;<a class="copiable-link" href="#index-recursion_005fdepth"> &para;</a></span></dt>
<dd><p>The maximum number of times to resolve a <code class="code">_target</code> attribute for an
element in an element path (see <a class="pxref" href="#Target-Attribute">The <code class="code">target</code> attribute</a>). An error is returned
when this value is exceeded.  The default is <code class="code">100</code> but can be disabled by
setting to <code class="code">0</code> (<em class="emph">not recommended</em>).
</p>
</dd>
<dt>&lsquo;<samp class="samp">allowed = [-]user,[-]@group,[!]#TLSFINGERPRINT,&hellip;</samp>&rsquo;</dt>
<dd><p>Same parameter value as the <code class="code">allowed</code> parameter mentioned above in
the &lsquo;<samp class="samp">[global]</samp>&rsquo; section but grants or denies a client from opening a
specific data file. The default is to allow any client that is allowed to
connect.
</p>
</dd>
</dl>

<hr>
</div>
<div class="chapter-level-extent" id="TLS">
<div class="nav-panel">
<p>
Next: <a href="#Pinentry" accesskey="n" rel="next">Pinentry configuration</a>, Previous: <a href="#Configuration" accesskey="p" rel="prev"><code class="command">pwmd</code> configuration file options</a>, Up: <a href="#Configuration" accesskey="u" rel="up"><code class="command">pwmd</code> configuration file options</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Configuring-remote-connections-over-TLS_002e"><span>6 Configuring remote connections over TLS.<a class="copiable-link" href="#Configuring-remote-connections-over-TLS_002e"> &para;</a></span></h2>
<p>In addition to connecting to <code class="command">pwmd</code> via a Unix Domain Socket, remote
connections can also be made to <code class="command">pwmd</code> over <abbr class="acronym">TLS</abbr>.
Authentication is done by using X.509 client certificates that are signed with
the same Certificate Authority (CA) as the server certificate.
</p>
<p>The CA certificate is expected to be found in
<samp class="file">~/.pwmd/ca-cert.pem</samp> while the <code class="command">pwmd</code> server certificate and key
file should be put in <samp class="file">~/.pwmd/server-cert.pem</samp> and
<samp class="file">~/.pwmd/server-key.pem</samp>, respectively.
</p>
<p>See the documentation of <code class="command">certtool</code> or <code class="command">openssl</code> for details
about creating self-signed certificates.
</p>
<p>The following <abbr class="acronym">TLS</abbr> configuration options are available:
</p>
<dl class="table">
<dt><a id="index-enable_005ftcp"></a><span>&lsquo;<samp class="samp">enable_tcp = boolean</samp>&rsquo;<a class="copiable-link" href="#index-enable_005ftcp"> &para;</a></span></dt>
<dd><p>Whether to enable <abbr class="acronym">TCP</abbr>/<abbr class="acronym">TLS</abbr> server support. If enabled, both <abbr class="acronym">TCP</abbr> and the local
unix domain socket will listen for connections. The default is
<code class="code">false</code>.
</p>
</dd>
<dt><a id="index-tcp_005fport"></a><span>&lsquo;<samp class="samp">tcp_port = integer</samp>&rsquo;<a class="copiable-link" href="#index-tcp_005fport"> &para;</a></span></dt>
<dd><p>The <abbr class="acronym">TCP</abbr> port to listen on when <var class="var">enable_tcp</var> is <code class="code">true</code>. The default is
<code class="code">6466</code>.
</p>
</dd>
<dt><a id="index-tcp_005fbind"></a><span>&lsquo;<samp class="samp">tcp_bind = string</samp>&rsquo;<a class="copiable-link" href="#index-tcp_005fbind"> &para;</a></span></dt>
<dd><p>The internet protocol to listen with. Must be one of <code class="code">ipv4</code>, <code class="code">ipv6</code>
or <code class="code">any</code> to listen for both IPv4 and IPv6 connections. The default is
<code class="code">any</code>.
</p>
</dd>
<dt><a id="index-tcp_005finterface"></a><span>&lsquo;<samp class="samp">tcp_interface = string</samp>&rsquo;<a class="copiable-link" href="#index-tcp_005finterface"> &para;</a></span></dt>
<dd><p>Only useful if running as root.
</p>
</dd>
<dt><a id="index-tls_005ftimeout"></a><span>&lsquo;<samp class="samp">tls_timeout = seconds</samp>&rsquo;<a class="copiable-link" href="#index-tls_005ftimeout"> &para;</a></span></dt>
<dd><p>The number of seconds to wait for a read() or write() call on a
<abbr class="acronym">TLS</abbr> client file descriptor to complete before returning an
error. The default is <var class="var">300</var>.
</p>
</dd>
<dt><a id="index-keepalive_005finterval"></a><span>&lsquo;<samp class="samp">keepalive_interval = seconds</samp>&rsquo;<a class="copiable-link" href="#index-keepalive_005finterval"> &para;</a></span></dt>
<dd><p>Send a keepalive status message to an idle remote client.  An idle
client is one that is not in a command. The purpose of this status
message is to disconnect a hung remote client and release any file mutex
locks so another client may open the same data file. The default is <code class="code">60</code>.
</p>
</dd>
<dt><a id="index-tcp_005frequire_005fkey"></a><span>&lsquo;<samp class="samp">tcp_require_key = boolean</samp>&rsquo;<a class="copiable-link" href="#index-tcp_005frequire_005fkey"> &para;</a></span></dt>
<dd><p>When <code class="code">true</code>, require the remote client to provide the passphrase to open
a data file even if the file is cached.  This option is a default for all
files when specified in the &lsquo;<samp class="samp">[global]</samp>&rsquo; section. The default is
<code class="code">false</code>.
</p>
</dd>
<dt><a id="index-tls_005fcipher_005fsuite"></a><span>&lsquo;<samp class="samp">tls_cipher_suite = string</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fcipher_005fsuite"> &para;</a></span></dt>
<dd><p>The GnuTLS cipher suite and protocol to use. See the GnuTLS documentation for
information about the format of this string. The default is
<code class="code">SECURE256:SECURE192:SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-AES-128-CBC:-AES-256-CBC</code>.
</p>
</dd>
<dt><a id="index-tls_005fdh_005fparams_005ffile"></a><span>&lsquo;<samp class="samp">tls_dh_params_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fdh_005fparams_005ffile"> &para;</a></span></dt>
<dd><p>The PEM encoded filename containing DH parameters. If not specified
then DH algorithms will not be available to the client. See the
<code class="command">openssl dhparam</code> or <code class="command">certtool</code> manual pages for details about
generating this file.
</p>
<p>Note that SIGHUP will not reload this file once <abbr class="acronym">TLS</abbr> support has been enabled.
You will need to restart <code class="command">pwmd</code> for changes to take effect.
</p>
</dd>
<dt><a id="index-tls_005fuse_005fcrl"></a><span>&lsquo;<samp class="samp">tls_use_crl = boolean</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fuse_005fcrl"> &para;</a></span></dt>
<dd><p>When <code class="code">true</code>, enable the use of <samp class="option">tls_crl_file</samp>. The default is
<code class="code">false</code>.
</p>
</dd>
<dt><a id="index-tls_005fcrl_005ffile"></a><span>&lsquo;<samp class="samp">tls_crl_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fcrl_005ffile"> &para;</a></span></dt>
<dd><p>This file is an X.509 Certificate Revocation List (<abbr class="acronym">CRL</abbr>) and can be
used to deny clients by adding client certificates to it. <code class="command">pwmd</code> will
need to be restarted to recognize any changes to this file.  When not
specified the default of <samp class="file">~/.pwmd/crl.pem</samp> will be used when
<samp class="option">tls_use_crl</samp> is <code class="code">true</code>.
</p>
</dd>
<dt><a id="index-tls_005fca_005ffile"></a><span>&lsquo;<samp class="samp">tls_ca_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fca_005ffile"> &para;</a></span></dt>
<dd><p>The filename of the <abbr class="acronym">CA</abbr> certificate to use. When not specified the
default of <samp class="file">~/.pwmd/ca-cert.pem</samp> will be used.
</p>
</dd>
<dt><a id="index-tls_005fserver_005fcert_005ffile"></a><span>&lsquo;<samp class="samp">tls_server_cert_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fserver_005fcert_005ffile"> &para;</a></span></dt>
<dd><p>The filename of the server certificate to use. When not specified the default
of <samp class="file">~/.pwmd/server-cert.pem</samp> will be used.
</p>
</dd>
<dt><a id="index-tls_005fserver_005fkey_005ffile"></a><span>&lsquo;<samp class="samp">tls_server_key_file = filename</samp>&rsquo;<a class="copiable-link" href="#index-tls_005fserver_005fkey_005ffile"> &para;</a></span></dt>
<dd><p>The key filename of the server certificate to use. When not specified the
default of <samp class="file">~/.pwmd/server-key.pem</samp> will be used.
</p>
</dd>
</dl>

<hr>
</div>
<div class="chapter-level-extent" id="Pinentry">
<div class="nav-panel">
<p>
Next: <a href="#Commands" accesskey="n" rel="next">Protocol commands and their syntax</a>, Previous: <a href="#TLS" accesskey="p" rel="prev">Configuring remote connections over TLS.</a>, Up: <a href="#Configuration" accesskey="u" rel="up"><code class="command">pwmd</code> configuration file options</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Pinentry-configuration"><span>7 Pinentry configuration<a class="copiable-link" href="#Pinentry-configuration"> &para;</a></span></h2>

<p>The <code class="command">pinentry</code> program is used to prompt the user for passphrase
input or as a confirmation dialog; it needs to know where to prompt for
the input; from a terminal or an X11 display.
</p>
<p>It is the responsibility of the client to tell <code class="command">pinentry</code> about the
terminal or X11 display before requiring the input. This is done with the
<code class="command">OPTION</code> command (see <a class="pxref" href="#OPTION">Setting various client parameters.</a>) to either set or unset needed
<code class="command">pwmd</code> environment variables and by using the
<code class="command">gpg-connect-agent</code> program. Please read it&rsquo;s documentation about the
<em class="emph">UPDATESTARTUPTTY</em> command.
</p>
<hr>
</div>
<div class="chapter-level-extent" id="Commands">
<div class="nav-panel">
<p>
Next: <a href="#Bulk-Commands" accesskey="n" rel="next">Running multiple commands in sequence</a>, Previous: <a href="#Pinentry" accesskey="p" rel="prev">Pinentry configuration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Protocol-commands-and-their-syntax"><span>8 Protocol commands and their syntax<a class="copiable-link" href="#Protocol-commands-and-their-syntax"> &para;</a></span></h2>
<ul class="mini-toc">
<li><a href="#ATTR" accesskey="1">Modifying element attributes.</a></li>
<li><a href="#BULK" accesskey="2">Run a series of commands in sequence.</a></li>
<li><a href="#CACHETIMEOUT" accesskey="3">Setting the cache timeout.</a></li>
<li><a href="#CLEARCACHE" accesskey="4">Removing a cache entry.</a></li>
<li><a href="#COPY" accesskey="5">Copying an element.</a></li>
<li><a href="#DELETE" accesskey="6">Deleting an element.</a></li>
<li><a href="#DELETEKEY" accesskey="7">Deleting a key from the key ring.</a></li>
<li><a href="#DUMP" accesskey="8">Showing the XML document.</a></li>
<li><a href="#GENKEY" accesskey="9">Generating a new key.</a></li>
<li><a href="#GET">Getting the content of an element.</a></li>
<li><a href="#GETCONFIG">Obtaining a configuration value.</a></li>
<li><a href="#GETINFO">Obtaining server and client information.</a></li>
<li><a href="#HELP">Showing available commands.</a></li>
<li><a href="#IMPORT">Creating elements from XML.</a></li>
<li><a href="#ISCACHED">Testing cache status.</a></li>
<li><a href="#KEYINFO">Showing keys used for the current data file.</a></li>
<li><a href="#KILL">Terminating another client.</a></li>
<li><a href="#LIST">Showing document elements.</a></li>
<li><a href="#LISTKEYS">Listing keys in the key ring.</a></li>
<li><a href="#LOCK">Locking the current data file.</a></li>
<li><a href="#LS">Showing available data files.</a></li>
<li><a href="#MOVE">Moving an element.</a></li>
<li><a href="#NOP">Testing the connection.</a></li>
<li><a href="#OPEN">Opening a data file.</a></li>
<li><a href="#OPTION">Setting various client parameters.</a></li>
<li><a href="#PASSWD">Changing the passphrase for a key.</a></li>
<li><a href="#REALPATH">Resolving an element.</a></li>
<li><a href="#RENAME">Renaming an element.</a></li>
<li><a href="#RESET">Resetting the client state.</a></li>
<li><a href="#SAVE">Saving document changes to disk.</a></li>
<li><a href="#STORE">Modifying the content of an element.</a></li>
<li><a href="#UNLOCK">Removing a data file lock.</a></li>
<li><a href="#XPATH">Modifying more than one element.</a></li>
<li><a href="#XPATHATTR">Modifying more than one element&rsquo;s attributes.</a></li>
</ul>
<hr>
<div class="section-level-extent" id="ATTR">
<div class="nav-panel">
<p>
Next: <a href="#BULK" accesskey="n" rel="next">Run a series of commands in sequence.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Modifying-element-attributes_002e"><span>8.1 Modifying element attributes.<a class="copiable-link" href="#Modifying-element-attributes_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-ATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">ATTR [--inquire] SET|GET|DELETE|LIST [&lt;attribute&gt;] element[&lt;TAB&gt;child[..]] ..
</pre></div>

<dl class="table">
<dt>ATTR SET attribute element[&lt;TAB&gt;child[..]] [value]</dt>
<dd><p>Stores or updates an <var class="var">attribute</var> name and optional <var class="var">value</var> of an 
element. When no <var class="var">value</var> is specified any existing value will be removed.
<br><br>
</p></dd>
<dt>ATTR DELETE attribute element[&lt;TAB&gt;child[..]]</dt>
<dd><p>Removes an attribute from an element. If <var class="var">attribute</var> is <code class="code">_name</code> 
or <code class="code">target</code> an error is returned. Use the <code class="command">DELETE</code> command 
(see <a class="pxref" href="#DELETE">Deleting an element.</a>) instead.
<br><br>
</p></dd>
<dt>ATTR LIST element[&lt;TAB&gt;child[..]]</dt>
<dd><p>Retrieves a newline separated list of attributes names and values 
from the specified element. Each attribute name and value is space delimited.
<br><br>
</p></dd>
<dt>ATTR GET attribute element[&lt;TAB&gt;child[..]]</dt>
<dd><p>Retrieves the value of an <var class="var">attribute</var> from an element.
</p></dd>
</dl>
<br><br>
<p>When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
<br><br>
See <a class="xref" href="#Target-Attribute">The <code class="code">target</code> attribute</a>, for details about this special attribute and also 
see <a class="pxref" href="#Other-Attributes">Other special attributes</a> for other attributes that are handled specially 
by <code class="command">pwmd</code>.
</p>

<hr>
</div>
<div class="section-level-extent" id="BULK">
<div class="nav-panel">
<p>
Next: <a href="#CACHETIMEOUT" accesskey="n" rel="next">Setting the cache timeout.</a>, Previous: <a href="#ATTR" accesskey="p" rel="prev">Modifying element attributes.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Run-a-series-of-commands-in-sequence_002e"><span>8.2 Run a series of commands in sequence.<a class="copiable-link" href="#Run-a-series-of-commands-in-sequence_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-BULK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">BULK [--inquire]
</pre></div>

<p>Parses a semi-canonical s-expression representing a series of protocol 
commands to be run in sequence (see <a class="pxref" href="#Bulk-Commands">Running multiple commands in sequence</a>). Returns a canonical 
s-expression containing each commands id, return value and result data 
(if any).
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="CACHETIMEOUT">
<div class="nav-panel">
<p>
Next: <a href="#CLEARCACHE" accesskey="n" rel="next">Removing a cache entry.</a>, Previous: <a href="#BULK" accesskey="p" rel="prev">Run a series of commands in sequence.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Setting-the-cache-timeout_002e"><span>8.3 Setting the cache timeout.<a class="copiable-link" href="#Setting-the-cache-timeout_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-CACHETIMEOUT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">CACHETIMEOUT &lt;seconds&gt;
</pre></div>

<p>The time in <var class="var">seconds</var> until the currently opened data file will be 
removed from the cache. <code class="code">-1</code> will keep the cache entry forever, 
<code class="code">0</code> will require the passphrase for each <code class="code">OPEN</code> command 
(see <a class="pxref" href="#OPEN">Opening a data file.</a>) or <code class="code">SAVE</code> (see <a class="pxref" href="#SAVE">Saving document changes to disk.</a>) command. See <a class="xref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>, 
and the <code class="code">cache_timeout</code> parameter.
</p>

<hr>
</div>
<div class="section-level-extent" id="CLEARCACHE">
<div class="nav-panel">
<p>
Next: <a href="#COPY" accesskey="n" rel="next">Copying an element.</a>, Previous: <a href="#CACHETIMEOUT" accesskey="p" rel="prev">Setting the cache timeout.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Removing-a-cache-entry_002e"><span>8.4 Removing a cache entry.<a class="copiable-link" href="#Removing-a-cache-entry_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-CLEARCACHE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">CLEARCACHE [&lt;filename&gt;]
</pre></div>

<p>Clears a file cache entry for all or the specified <var class="var">filename</var>. Note that 
this will also clear any <code class="command">gpg-agent</code> cached keys which may cause 
problems if another data file shares the same keys as <var class="var">filename</var>.
<br><br>
When clearing all cache entries a permissions test is done against the 
current client based on the <var class="var">allowed</var> configuration parameter in a 
<var class="var">filename</var> section. Both a cache entry may be cleared and an error 
returned depending on cached data files and client permissions.
</p>

<hr>
</div>
<div class="section-level-extent" id="COPY">
<div class="nav-panel">
<p>
Next: <a href="#DELETE" accesskey="n" rel="next">Deleting an element.</a>, Previous: <a href="#CLEARCACHE" accesskey="p" rel="prev">Removing a cache entry.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Copying-an-element_002e"><span>8.5 Copying an element.<a class="copiable-link" href="#Copying-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-COPY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">COPY [--inquire] source[&lt;TAB&gt;child[..]] dest[&lt;TAB&gt;child[..]]
</pre></div>

<p>Copies the entire element tree starting from the child node of the source 
element, to the destination element path. If the destination element path 
does not exist then it will be created; otherwise it is overwritten.
<br><br>
Note that attributes from the source element are merged into the 
destination element when the destination element path exists. When an 
attribute of the same name exists in both the source and destination 
elements then the destination attribute will be updated to the source 
attribute value.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="DELETE">
<div class="nav-panel">
<p>
Next: <a href="#DELETEKEY" accesskey="n" rel="next">Deleting a key from the key ring.</a>, Previous: <a href="#COPY" accesskey="p" rel="prev">Copying an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Deleting-an-element_002e"><span>8.6 Deleting an element.<a class="copiable-link" href="#Deleting-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-DELETE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">DELETE [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Removes the specified element path and all of its children. This may break 
an element with a <code class="code">target</code> attribute (see <a class="pxref" href="#Target-Attribute">The <code class="code">target</code> attribute</a>) that 
refers to this element or any of its children.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="DELETEKEY">
<div class="nav-panel">
<p>
Next: <a href="#DUMP" accesskey="n" rel="next">Showing the XML document.</a>, Previous: <a href="#DELETE" accesskey="p" rel="prev">Deleting an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Deleting-a-key-from-the-key-ring_002e"><span>8.7 Deleting a key from the key ring.<a class="copiable-link" href="#Deleting-a-key-from-the-key-ring_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-DELETEKEY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">DELETEKEY &lt;keyid&gt;
</pre></div>

<p>Deletes the public and secret key associated with key <var class="var">keyid</var> from the 
keyring. The <var class="var">keyid</var> must be one associated with the currently opened 
data file. 
Note that no confirmation occurs. Also note that when the key is deleted, 
the current or other data files using this key will no longer be able to be 
opened.
</p>

<hr>
</div>
<div class="section-level-extent" id="DUMP">
<div class="nav-panel">
<p>
Next: <a href="#GENKEY" accesskey="n" rel="next">Generating a new key.</a>, Previous: <a href="#DELETEKEY" accesskey="p" rel="prev">Deleting a key from the key ring.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Showing-the-XML-document_002e"><span>8.8 Showing the XML document.<a class="copiable-link" href="#Showing-the-XML-document_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-DUMP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">DUMP
</pre></div>

<p>Shows the in memory <abbr class="abbr">XML</abbr> document with indenting. See <a class="xref" href="#XPATH">Modifying more than one element.</a>, for 
dumping a specific node.
</p>

<hr>
</div>
<div class="section-level-extent" id="GENKEY">
<div class="nav-panel">
<p>
Next: <a href="#GET" accesskey="n" rel="next">Getting the content of an element.</a>, Previous: <a href="#DUMP" accesskey="p" rel="prev">Showing the XML document.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Generating-a-new-key_002e"><span>8.9 Generating a new key.<a class="copiable-link" href="#Generating-a-new-key_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-GENKEY-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">GENKEY --subkey-of=fpr | --userid=&quot;str&quot; [--no-expire | --expire=N] [--algo=&quot;str&quot;] [--no-passphrase] [--usage=&quot;default|sign|encrypt&quot;]
</pre></div>

<p>Generates a new key based on option arguments. One of 
<samp class="option">--subkey-of</samp> or <samp class="option">--userid</samp> is 
required. The <samp class="option">--subkey-of</samp> option will generate a subkey for the key 
of the specified fingerprint.
<br><br>
Note that this may take a long time to complete especially if you do not 
have a hardware RNG. There are software RNG&rsquo;s that will speed this up 
but are also not as secure.
</p>

<hr>
</div>
<div class="section-level-extent" id="GET">
<div class="nav-panel">
<p>
Next: <a href="#GETCONFIG" accesskey="n" rel="next">Obtaining a configuration value.</a>, Previous: <a href="#GENKEY" accesskey="p" rel="prev">Generating a new key.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Getting-the-content-of-an-element_002e"><span>8.10 Getting the content of an element.<a class="copiable-link" href="#Getting-the-content-of-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-GET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">GET [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Retrieves the content of the specified element. The content is returned 
with a data response.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="GETCONFIG">
<div class="nav-panel">
<p>
Next: <a href="#GETINFO" accesskey="n" rel="next">Obtaining server and client information.</a>, Previous: <a href="#GET" accesskey="p" rel="prev">Getting the content of an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Obtaining-a-configuration-value_002e"><span>8.11 Obtaining a configuration value.<a class="copiable-link" href="#Obtaining-a-configuration-value_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-GETCONFIG-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">GETCONFIG [filename] &lt;parameter&gt;
</pre></div>

<p>Returns the value of a <code class="command">pwmd</code> configuration <var class="var">parameter</var> with a 
data response. If no file has been opened then the value for <var class="var">filename</var> 
or the default from the <var class="var">global</var> section will be returned. If a file 
has been opened and no <var class="var">filename</var> is specified, the value previously 
set with the <code class="code">OPTION</code> command (see <a class="pxref" href="#OPTION">Setting various client parameters.</a>) will be returned.
</p>

<hr>
</div>
<div class="section-level-extent" id="GETINFO">
<div class="nav-panel">
<p>
Next: <a href="#HELP" accesskey="n" rel="next">Showing available commands.</a>, Previous: <a href="#GETCONFIG" accesskey="p" rel="prev">Obtaining a configuration value.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Obtaining-server-and-client-information_002e"><span>8.12 Obtaining server and client information.<a class="copiable-link" href="#Obtaining-server-and-client-information_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-GETINFO-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">GETINFO [--data] [--verbose] CACHE | CLIENTS | PID | USER | LAST_ERROR | VERSION
</pre></div>

<p>Get server and other information. The information is returned via a status 
message (see <a class="pxref" href="#Status-Messages">Status messages and their meanings</a>) unless otherwise noted or <samp class="option">--data</samp> 
is specified.
<br><br>
<var class="var">CACHE</var> returns the number of cached documents.
<br><br>
<var class="var">CLIENTS</var> returns the number of 
connected clients via a status message or a list of connected clients when 
the <samp class="option">--verbose</samp> parameter is used (implies <samp class="option">--data</samp>). A 
verbose line of a client list contains 
space delimited 
fields: the thread ID, client name, opened file (<code class="code">/</code> if none opened), 
IP address if remote, file lock status, whether the current client is self 
or not, client state (see below), 
user ID or TLS fingerprint of the connected client, username if the 
client is a local one else <code class="code">-</code>, and finally the time stamp of when the 
client connected.
<br><br>
Client state <code class="code">0</code> is an unknown client state, state <code class="code">1</code> indicates 
the client has connected but hasn&rsquo;t completed initializing, state <code class="code">2</code> 
indicates that the client is idle, state <code class="code">3</code> means the 
client is in a command and state <code class="code">4</code> means the client is disconnecting. 
<br><br>
<var class="var">PID</var> returns the process ID number of the server via a data response.
<br><br>
<var class="var">VERSION</var> returns the server version number and compile-time features 
via a data response with each being space delimited.
<br><br>
<var class="var">LAST_ERROR</var> returns a detailed description of the last failed command 
via a data response, when available.
<br><br>
<var class="var">USER</var> returns the username or <abbr class="abbr">TLS</abbr> hash of the connected client 
via a data response.
</p>

<hr>
</div>
<div class="section-level-extent" id="HELP">
<div class="nav-panel">
<p>
Next: <a href="#IMPORT" accesskey="n" rel="next">Creating elements from XML.</a>, Previous: <a href="#GETINFO" accesskey="p" rel="prev">Obtaining server and client information.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Showing-available-commands_002e"><span>8.13 Showing available commands.<a class="copiable-link" href="#Showing-available-commands_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-HELP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">HELP [--html] [&lt;COMMAND&gt;]
</pre></div>

<p>Show available commands or command specific help text.
<br><br>
The <samp class="option">--html</samp> option will output the help text in HTML format.
</p>

<hr>
</div>
<div class="section-level-extent" id="IMPORT">
<div class="nav-panel">
<p>
Next: <a href="#ISCACHED" accesskey="n" rel="next">Testing cache status.</a>, Previous: <a href="#HELP" accesskey="p" rel="prev">Showing available commands.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Creating-elements-from-XML_002e"><span>8.14 Creating elements from XML.<a class="copiable-link" href="#Creating-elements-from-XML_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-IMPORT-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">IMPORT [--root=element[&lt;TAB&gt;child[..]]]
</pre></div>

<p>This command uses a server <em class="emph">INQUIRE</em> to retrieve data from the client.
<br><br>
Like the <code class="code">STORE</code> command (see <a class="pxref" href="#STORE">Modifying the content of an element.</a>), but the <var class="var">content</var> 
argument is raw <abbr class="abbr">XML</abbr> data. The content is created as a child of 
the element path specified with the <samp class="option">--root</samp> option or at the 
document root when not specified. Existing elements of the same name will 
be overwritten.
<br><br>
The content must begin with an <abbr class="abbr">XML</abbr> element node. See <a class="xref" href="#Introduction">Overview of <code class="command">pwmd</code></a>, 
for details.
</p>

<hr>
</div>
<div class="section-level-extent" id="ISCACHED">
<div class="nav-panel">
<p>
Next: <a href="#KEYINFO" accesskey="n" rel="next">Showing keys used for the current data file.</a>, Previous: <a href="#IMPORT" accesskey="p" rel="prev">Creating elements from XML.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Testing-cache-status_002e"><span>8.15 Testing cache status.<a class="copiable-link" href="#Testing-cache-status_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-ISCACHED-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">ISCACHED [--lock] [--agent [--sign]] &lt;filename&gt;
</pre></div>

<p>Determines the file cache status of the specified <var class="var">filename</var>. 
The default is to test whether the filename is cached in memory. Passing 
option <samp class="option">--agent</samp> will test the <code class="command">gpg-agent</code> cache for at most 
one cached key used for opening the data file (see <a class="pxref" href="#OPEN">Opening a data file.</a>). To test if 
a signing key is cached, pass <samp class="option">--sign</samp> along with <samp class="option">--agent</samp>. 
Both the <samp class="option">--agent</samp> and <samp class="option">--sign</samp> options require an opened data 
file.
<br><br>
An <em class="emph">OK</em> response is returned if the specified <var class="var">filename</var> is found 
in the cache. If not found in the cache but exists on the filesystem 
then <code class="code">GPG_ERR_NO_DATA</code> is returned. Otherwise a filesystem error is 
returned.
<br><br>
The <samp class="option">--lock</samp> option will lock the file mutex of <var class="var">filename</var> when 
the file exists; it does not need to be opened nor cached. The lock will be 
released when the client exits or sends the <code class="code">UNLOCK</code> command 
(see <a class="pxref" href="#UNLOCK">Removing a data file lock.</a>). When this option is passed the current data file is closed.
</p>

<hr>
</div>
<div class="section-level-extent" id="KEYINFO">
<div class="nav-panel">
<p>
Next: <a href="#KILL" accesskey="n" rel="next">Terminating another client.</a>, Previous: <a href="#ISCACHED" accesskey="p" rel="prev">Testing cache status.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Showing-keys-used-for-the-current-data-file_002e"><span>8.16 Showing keys used for the current data file.<a class="copiable-link" href="#Showing-keys-used-for-the-current-data-file_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-KEYINFO-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">KEYINFO [--learn]
</pre></div>

<p>Returns a new line separated list of key ID&rsquo;s that the currently opened 
data file has recipients and signers for. If the key is a signing key it 
will be prefixed with an <code class="code">S</code>. If the file is a new one, or has no 
signers in the case of being symmetrically encrypted, the error code 
<code class="code">GPG_ERR_NO_DATA</code> is returned.
<br><br>
When the <samp class="option">--learn</samp> option is passed, keys on a smartcard will be 
imported.
</p>

<hr>
</div>
<div class="section-level-extent" id="KILL">
<div class="nav-panel">
<p>
Next: <a href="#LIST" accesskey="n" rel="next">Showing document elements.</a>, Previous: <a href="#KEYINFO" accesskey="p" rel="prev">Showing keys used for the current data file.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Terminating-another-client_002e"><span>8.17 Terminating another client.<a class="copiable-link" href="#Terminating-another-client_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-KILL-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">KILL &lt;thread_id&gt;
</pre></div>

<p>Terminates the client identified by <var class="var">thread_id</var> and releases any file 
lock or other resources it has held. See <code class="code">GETINFO</code> (see <a class="pxref" href="#GETINFO">Obtaining server and client information.</a>) 
for details about listing connected clients. An <code class="code">invoking_user</code> 
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) may kill any client while others may only kill 
clients of the same <code class="code">UID</code> or <abbr class="abbr">TLS</abbr> fingerprint.
</p>

<hr>
</div>
<div class="section-level-extent" id="LIST">
<div class="nav-panel">
<p>
Next: <a href="#LISTKEYS" accesskey="n" rel="next">Listing keys in the key ring.</a>, Previous: <a href="#KILL" accesskey="p" rel="prev">Terminating another client.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Showing-document-elements_002e"><span>8.18 Showing document elements.<a class="copiable-link" href="#Showing-document-elements_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-LIST-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">LIST [--inquire] [--recurse] [--sexp] [element[&lt;TAB&gt;child[..]]]
</pre></div>

<p>If no element path is given then a newline separated list of root elements 
is returned with a data response. If given, then children of the specified 
element path are returned.
<br><br>
Each element path 
returned will have zero or more flags appened to it. These flags are 
delimited from the element path by a single space character. A flag itself 
is a single character. Flag <code class="code">P</code> indicates that access to the element 
is denied. Flag <code class="code">+</code> indicates that there are child nodes of 
the current element path. Flag <code class="code">E</code> indicates that an element of the 
element path contained in a <var class="var">target</var> attribute could not be found. Flag 
<code class="code">O</code> indicates that a <var class="var">target</var> attribute recursion limit was reached 
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>). Flag <code class="code">T</code>, followed by a single space character, 
then an element path, is the element path of the <var class="var">target</var> attribute 
contained in the current element.
<br><br>
When a specified element path contains an error either from the final 
element in the path or any previous element, the path is still shown but 
will contain the error flag for the element with the error. Determining 
the actual element which contains the error is up to the client. This can be 
done by traversing the final element up to parent elements that contain the 
same error flag.
<br><br>
The option <samp class="option">--recurse</samp> may be used to list the entire element tree 
for a specified element path or the entire tree for all root elements.
<br><br>
The option <samp class="option">--sexp</samp> outputs the list in an s-expression and also 
appends an elements&rsquo; attributes and attribute values. The syntax is:
</p>
<div class="example">
<pre class="example-preformatted">(11:list-result
  (4:path N:&lt;path&gt; 5:flags N:&lt;flags&gt;
    (5:attrs N:&lt;name&gt; N:&lt;value&gt; ...)
  )
  ...
)
</pre></div>

<p>When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="LISTKEYS">
<div class="nav-panel">
<p>
Next: <a href="#LOCK" accesskey="n" rel="next">Locking the current data file.</a>, Previous: <a href="#LIST" accesskey="p" rel="prev">Showing document elements.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Listing-keys-in-the-key-ring_002e"><span>8.19 Listing keys in the key ring.<a class="copiable-link" href="#Listing-keys-in-the-key-ring_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-LISTKEYS-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">LISTKEYS [--secret-only] [pattern[,&lt;pattern&gt;]]
</pre></div>

<p>Returns a new line separated list of key information matching a comma 
separated list of <var class="var">pattern</var>&rsquo;s. When option <samp class="option">--secret-only</samp> is 
specified, only keys matching <var class="var">pattern</var> that also have a secret key 
available will be returned.
</p>

<hr>
</div>
<div class="section-level-extent" id="LOCK">
<div class="nav-panel">
<p>
Next: <a href="#LS" accesskey="n" rel="next">Showing available data files.</a>, Previous: <a href="#LISTKEYS" accesskey="p" rel="prev">Listing keys in the key ring.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Locking-the-current-data-file_002e"><span>8.20 Locking the current data file.<a class="copiable-link" href="#Locking-the-current-data-file_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-LOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">LOCK
</pre></div>

<p>Locks the mutex associated with the opened file. This prevents other clients 
from sending commands to the same opened file until the client 
that sent this command either disconnects or sends the <code class="code">UNLOCK</code> 
command. See <a class="xref" href="#UNLOCK">Removing a data file lock.</a>.
</p>

<hr>
</div>
<div class="section-level-extent" id="LS">
<div class="nav-panel">
<p>
Next: <a href="#MOVE" accesskey="n" rel="next">Moving an element.</a>, Previous: <a href="#LOCK" accesskey="p" rel="prev">Locking the current data file.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Showing-available-data-files_002e"><span>8.21 Showing available data files.<a class="copiable-link" href="#Showing-available-data-files_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-LS-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">LS [--verbose]
</pre></div>

<p>Returns a newline separated list of data files stored in the data directory 
<samp class="file">HOMEDIR/data</samp> (see <a class="pxref" href="#Invoking">Invoking <code class="command">pwmd</code></a>) with a data response. When the 
<var class="var">&ndash;verbose</var> option is passed, the space-separated filesystem inode 
access, modification and change times are appended to the line.
</p>

<hr>
</div>
<div class="section-level-extent" id="MOVE">
<div class="nav-panel">
<p>
Next: <a href="#NOP" accesskey="n" rel="next">Testing the connection.</a>, Previous: <a href="#LS" accesskey="p" rel="prev">Showing available data files.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Moving-an-element_002e"><span>8.22 Moving an element.<a class="copiable-link" href="#Moving-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-MOVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">MOVE [--inquire] source[&lt;TAB&gt;child[..]] [dest[&lt;TAB&gt;child[..]]]
</pre></div>

<p>Moves the source element path to the destination element path. If the 
destination is not specified then it will be moved to the root node of the 
document. If the destination is specified and exists then it will be 
overwritten; otherwise non-existing elements of the destination element 
path will be created.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="NOP">
<div class="nav-panel">
<p>
Next: <a href="#OPEN" accesskey="n" rel="next">Opening a data file.</a>, Previous: <a href="#MOVE" accesskey="p" rel="prev">Moving an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Testing-the-connection_002e"><span>8.23 Testing the connection.<a class="copiable-link" href="#Testing-the-connection_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-NOP-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">NOP
</pre></div>

<p>This command does nothing. It is useful for testing the connection for a 
timeout condition.
</p>

<hr>
</div>
<div class="section-level-extent" id="OPEN">
<div class="nav-panel">
<p>
Next: <a href="#OPTION" accesskey="n" rel="next">Setting various client parameters.</a>, Previous: <a href="#NOP" accesskey="p" rel="prev">Testing the connection.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Opening-a-data-file_002e"><span>8.24 Opening a data file.<a class="copiable-link" href="#Opening-a-data-file_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-OPEN-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">OPEN [--lock] &lt;filename&gt;
</pre></div>

<p>Opens <var class="var">filename</var>. When the <var class="var">filename</var> is not found on the 
file-system then a new in-memory document will be created. If the file is 
found, it is looked for in the file cache and when found no passphrase will 
be required to open it. When not cached, <cite class="cite">pinentry(1)</cite> will be used to 
retrieve the passphrase for decryption unless <samp class="option">disable-pinentry</samp> 
(see <a class="pxref" href="#OPTION">Setting various client parameters.</a>) was specified in which case <code class="command">pwmd</code> will 
<em class="emph">INQUIRE</em> the client for the passphrase. Note than when configuration 
option <samp class="option">strict_open</samp> is enabled and the client is not an 
<samp class="option">invoking_user</samp>, an error will be returned when the data file does 
not exist.
<br><br>
When the <samp class="option">--lock</samp> option is passed then the file mutex will be 
locked as if the <code class="code">LOCK</code> command (see <a class="pxref" href="#LOCK">Locking the current data file.</a>) had been sent after the 
file had been opened.
</p>

<hr>
</div>
<div class="section-level-extent" id="OPTION">
<div class="nav-panel">
<p>
Next: <a href="#PASSWD" accesskey="n" rel="next">Changing the passphrase for a key.</a>, Previous: <a href="#OPEN" accesskey="p" rel="prev">Opening a data file.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Setting-various-client-parameters_002e"><span>8.25 Setting various client parameters.<a class="copiable-link" href="#Setting-various-client-parameters_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-OPTION-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">OPTION &lt;NAME&gt;=[&lt;VALUE&gt;]
</pre></div>

<p>Sets a client option <var class="var">name</var> to <var class="var">value</var>. The value for an option is 
kept for the duration of the connection with the exception of the 
<code class="command">pinentry</code> options which are defaults for all future connections 
(see <a class="pxref" href="#Pinentry">Pinentry configuration</a>). When <var class="var">value</var> is empty the option is unset.
<br><br>
</p><dl class="table">
<dt>DISABLE-PINENTRY</dt>
<dd><p>Disable use of <code class="command">pinentry</code> for passphrase retrieval. When <code class="code">1</code>, a 
server inquire is sent to the client to obtain the passphrase. This option 
may be set as needed before the <code class="code">OPEN</code> (see <a class="pxref" href="#OPEN">Opening a data file.</a>), <code class="code">PASSWD</code> 
(see <a class="pxref" href="#PASSWD">Changing the passphrase for a key.</a>) and <code class="code">SAVE</code> (see <a class="pxref" href="#SAVE">Saving document changes to disk.</a>) commands. Set to <code class="code">0</code> 
to use a <code class="command">pinentry</code>.
<br><br>
</p></dd>
<dt>DISPLAY</dt>
<dd><p>Set or unset the X11 display to use when prompting for a passphrase.
<br><br>
</p></dd>
<dt>TTYNAME</dt>
<dd><p>Set the terminal device path to use when prompting for a passphrase.
<br><br>
</p></dd>
<dt>TTYTYPE</dt>
<dd><p>Set the terminal type for use with <samp class="option">TTYNAME</samp>.
<br><br>
</p></dd>
<dt>NAME</dt>
<dd><p>Associates the thread ID of the connection with the specified textual 
representation. Useful for debugging log messages. May not contain whitespace.
<br><br>
</p></dd>
<dt>LOCK-TIMEOUT</dt>
<dd><p>When not <code class="code">0</code>, the duration in tenths of a second to wait for the file 
mutex which has been locked by another thread to be released before returning 
an error. When <code class="code">-1</code> the error will be returned immediately.
<br><br>
</p></dd>
<dt>CLIENT-STATE</dt>
<dd><p>When set to <code class="code">1</code> then client state status messages for other clients are 
sent to the current client. The default is <code class="code">0</code>.
</p></dd>
</dl>


<hr>
</div>
<div class="section-level-extent" id="PASSWD">
<div class="nav-panel">
<p>
Next: <a href="#REALPATH" accesskey="n" rel="next">Resolving an element.</a>, Previous: <a href="#OPTION" accesskey="p" rel="prev">Setting various client parameters.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Changing-the-passphrase-for-a-key_002e"><span>8.26 Changing the passphrase for a key.<a class="copiable-link" href="#Changing-the-passphrase-for-a-key_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-PASSWD-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">PASSWD
</pre></div>

<p>Changes the passphrase of the secret key required to open the current 
data file. If the data file is symmetrically encrypted the error 
<code class="code">GPG_ERR_NOT_SUPPORTED</code> is returned. When symmetrically encrypted 
the <code class="code">SAVE</code> command (see <a class="pxref" href="#SAVE">Saving document changes to disk.</a>) should be used instead to prevent 
this command saving any unwanted changes to the <abbr class="abbr">XML</abbr> document.
<br><br>
Note that when the current data file has been either encrypted or signed 
with a key stored on a smartcard this command will return an error. In this 
case you should instead use <code class="command">gpg --card-edit</code> to change the 
pin of the smartcard or <code class="command">gpg --edit-key</code> to change the passphrase 
of the key used to sign or encrypt the data file.
<br><br>
This command is not available to non-invoking clients 
(see <a class="pxref" href="#Access-Control">Access Control</a>).
</p>

<hr>
</div>
<div class="section-level-extent" id="REALPATH">
<div class="nav-panel">
<p>
Next: <a href="#RENAME" accesskey="n" rel="next">Renaming an element.</a>, Previous: <a href="#PASSWD" accesskey="p" rel="prev">Changing the passphrase for a key.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Resolving-an-element_002e"><span>8.27 Resolving an element.<a class="copiable-link" href="#Resolving-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-REALPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">REALPATH [--inquire] element[&lt;TAB&gt;child[..]]
</pre></div>

<p>Resolves all <code class="code">target</code> attributes of the specified element path and 
returns the result with a data response. See <a class="xref" href="#Target-Attribute">The <code class="code">target</code> attribute</a>, for details.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="RENAME">
<div class="nav-panel">
<p>
Next: <a href="#RESET" accesskey="n" rel="next">Resetting the client state.</a>, Previous: <a href="#REALPATH" accesskey="p" rel="prev">Resolving an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Renaming-an-element_002e"><span>8.28 Renaming an element.<a class="copiable-link" href="#Renaming-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-RENAME-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">RENAME [--inquire] element[&lt;TAB&gt;child[..]] &lt;value&gt;
</pre></div>

<p>Renames the specified <var class="var">element</var> to the new <var class="var">value</var>. If an element of 
the same name as the <var class="var">value</var> already exists it will be overwritten.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
</p>

<hr>
</div>
<div class="section-level-extent" id="RESET">
<div class="nav-panel">
<p>
Next: <a href="#SAVE" accesskey="n" rel="next">Saving document changes to disk.</a>, Previous: <a href="#RENAME" accesskey="p" rel="prev">Renaming an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Resetting-the-client-state_002e"><span>8.29 Resetting the client state.<a class="copiable-link" href="#Resetting-the-client-state_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-RESET-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">RESET
</pre></div>

<p>Closes the currently opened file but keeps any previously set client options 
(see <a class="pxref" href="#OPTION">Setting various client parameters.</a>).
</p>

<hr>
</div>
<div class="section-level-extent" id="SAVE">
<div class="nav-panel">
<p>
Next: <a href="#STORE" accesskey="n" rel="next">Modifying the content of an element.</a>, Previous: <a href="#RESET" accesskey="p" rel="prev">Resetting the client state.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Saving-document-changes-to-disk_002e"><span>8.30 Saving document changes to disk.<a class="copiable-link" href="#Saving-document-changes-to-disk_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-SAVE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">SAVE [--sign-keyid=[&lt;fpr&gt;]] [--symmetric | --keyid=&lt;fpr&gt;[,..] | --inquire-keyid]
</pre></div>

<p>Writes the in-memory <abbr class="abbr">XML</abbr> document to disk. The file written to is the 
file that was opened when using the <code class="code">OPEN</code> command (see <a class="pxref" href="#OPEN">Opening a data file.</a>).
<br><br>
If the file is a new one one of <samp class="option">--symmetric</samp>, <samp class="option">--keyid</samp> or
<samp class="option">--inquire-keyid</samp> is required. When not <samp class="option">--symmetric</samp> the 
option <samp class="option">--sign-keyid</samp> is also required but optional otherwise.
<br><br>
You can encrypt the data file to a recipient other than the one that it 
was originally encrypted with by passing the <samp class="option">--keyid</samp> or 
<samp class="option">--inquire-keyid</samp> option with a comma separated list of 
public encryption key fingerprints as its argument. Use the 
<code class="command">LISTKEYS</code> command (see <a class="pxref" href="#LISTKEYS">Listing keys in the key ring.</a>) to show key information by 
pattern. The <samp class="option">--sign-keyid</samp> option may also be used to sign the data 
file with an alternate key by specifying the fingerprint of a signing key. 
Only one signing key is supported unlike the <samp class="option">--keyid</samp> option. 
A passphrase to decrypt the data file 
will be required when one or more of the original encryption keys or signing 
key are not found in either of these two options&rsquo; arguments or when the data 
file is symmetrically encrypted regardless of the <code class="code">require_save_key</code> 
configuration parameter. The original encryption keys and signing key will be 
used when neither of these options are specified.
<br><br>
The <samp class="option">--keyid</samp> and <samp class="option">--sign-keyid</samp> options are not available 
to non-invoking clients 
(see <a class="pxref" href="#Access-Control">Access Control</a>) when the recipients or signer do not match those 
that were used when the file was <code class="code">OPEN</code>&rsquo;ed.
<br><br>
The <samp class="option">--symmetric</samp> option specifies that a new data file be 
conventionally encrypted. These types of data files do not use a recipient 
public key but may optionally be signed by using the <samp class="option">--sign-keyid</samp> 
option. To remove the signing key from a symmtrically encrypted data file, 
leave the option value empty.
<br><br>
Note that you cannot change encryption schemes once a data file has been 
saved.
</p>

<hr>
</div>
<div class="section-level-extent" id="STORE">
<div class="nav-panel">
<p>
Next: <a href="#UNLOCK" accesskey="n" rel="next">Removing a data file lock.</a>, Previous: <a href="#SAVE" accesskey="p" rel="prev">Saving document changes to disk.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Modifying-the-content-of-an-element_002e"><span>8.31 Modifying the content of an element.<a class="copiable-link" href="#Modifying-the-content-of-an-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-STORE-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">STORE [--no-inherit-acl] element[&lt;TAB&gt;child[..]]&lt;TAB&gt;[content]
</pre></div>

<p>This command uses a server <em class="emph">INQUIRE</em> to retrieve data from the client.
<br><br>
Creates a new element path or modifies the <var class="var">content</var> of an existing 
element. If only a single element is specified then a new root element is 
created. Otherwise, elements are <kbd class="key">TAB</kbd> delimited and the content will be 
set to the final <kbd class="key">TAB</kbd> delimited element. If no <var class="var">content</var> is 
specified after the final <kbd class="key">TAB</kbd>, then the content of the existing 
element will be removed; or will be empty if creating a new element.
<br><br>
The option <samp class="option">--no-inherit-acl</samp> prevents a newly created element from 
inheriting the value of the parent element <code class="code">_acl</code> attribute. In either 
case, the current user is made the owner of the newly created element(s).
<br><br>
The only restriction of an element name is that it not contain whitespace 
characters. There is no other whitespace between the <kbd class="key">TAB</kbd> delimited 
elements. It is recommended that the content of an element be base64 encoded 
when it contains control or <kbd class="key">TAB</kbd> characters to prevent <abbr class="abbr">XML</abbr> 
parsing and <code class="command">pwmd</code> syntax errors.
</p>

<hr>
</div>
<div class="section-level-extent" id="UNLOCK">
<div class="nav-panel">
<p>
Next: <a href="#XPATH" accesskey="n" rel="next">Modifying more than one element.</a>, Previous: <a href="#STORE" accesskey="p" rel="prev">Modifying the content of an element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Removing-a-data-file-lock_002e"><span>8.32 Removing a data file lock.<a class="copiable-link" href="#Removing-a-data-file-lock_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-UNLOCK-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">UNLOCK
</pre></div>

<p>Unlocks the file mutex which was locked with the <code class="code">LOCK</code> command or 
a commands&rsquo; <samp class="option">--lock</samp> option (see <a class="pxref" href="#LOCK">Locking the current data file.</a>, see <a class="pxref" href="#OPEN">Opening a data file.</a>, 
see <a class="pxref" href="#ISCACHED">Testing cache status.</a>).
</p>

<hr>
</div>
<div class="section-level-extent" id="XPATH">
<div class="nav-panel">
<p>
Next: <a href="#XPATHATTR" accesskey="n" rel="next">Modifying more than one element&rsquo;s attributes.</a>, Previous: <a href="#UNLOCK" accesskey="p" rel="prev">Removing a data file lock.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Modifying-more-than-one-element_002e"><span>8.33 Modifying more than one element.<a class="copiable-link" href="#Modifying-more-than-one-element_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-XPATH-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">XPATH [--inquire] &lt;expression&gt;[&lt;TAB&gt;[value]]
</pre></div>

<p>Evaluates an XPath <var class="var">expression</var>. If no <var class="var">value</var> argument is 
specified it is assumed the expression is a request to return a result. 
Otherwise, the result is set to the <var class="var">value</var> argument and the document is 
updated. If there is no <var class="var">value</var> after the <kbd class="key">TAB</kbd> character, the value 
is assumed to be empty and the document is updated. For example:
</p><br>
<div class="example">
<pre class="example-preformatted">XPATH //element[@_name='password']<kbd class="key">TAB</kbd>
</pre></div>
<br>
<p>would clear the content of all <var class="var">password</var> elements in the data file 
while leaving off the trailing <kbd class="key">TAB</kbd> would return all <var class="var">password</var> 
elements in <abbr class="abbr">XML</abbr> format.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
<br><br>
See <a class="url" href="https://www.w3schools.com/xml/xpath_intro.asp">https://www.w3schools.com/xml/xpath_intro.asp</a> for <abbr class="abbr">XPATH</abbr> 
expression syntax.
</p>

<hr>
</div>
<div class="section-level-extent" id="XPATHATTR">
<div class="nav-panel">
<p>
Previous: <a href="#XPATH" accesskey="p" rel="prev">Modifying more than one element.</a>, Up: <a href="#Commands" accesskey="u" rel="up">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h3 class="section" id="Modifying-more-than-one-element_0027s-attributes_002e"><span>8.34 Modifying more than one element&rsquo;s attributes.<a class="copiable-link" href="#Modifying-more-than-one-element_0027s-attributes_002e"> &para;</a></span></h3>
<a class="index-entry-id" id="index-XPATHATTR-command"></a>
<p>Syntax:
</p><div class="example">
<pre class="example-preformatted">XPATHATTR [--inquire] SET|DELETE &lt;name&gt; &lt;expression&gt;[&lt;TAB&gt;[&lt;value&gt;]]
</pre></div>

<p>Like the <code class="code">XPATH</code> command (see <a class="pxref" href="#XPATH">Modifying more than one element.</a>) but operates on element 
attributes and does not return a result. For the <var class="var">SET</var> operation the 
<var class="var">value</var> is optional but the field is required. If not specified then 
the attribute value will be empty. For example:
</p><br>
<div class="example">
<pre class="example-preformatted">XPATHATTR SET password //element[@_name='password']<kbd class="key">TAB</kbd>
</pre></div>
<br>
<p>would create a <var class="var">password</var> attribute for each <var class="var">password</var> element 
found in the document. The attribute value will be empty but still exist.
<br><br>
When the <samp class="option">--inquire</samp> option is passed then all remaining non-option 
arguments are retrieved via a server <em class="emph">INQUIRE</em>.
<br><br>
See <a class="url" href="https://www.w3schools.com/xml/xpath_intro.asp">https://www.w3schools.com/xml/xpath_intro.asp</a> for <abbr class="abbr">XPATH</abbr> 
expression syntax.
</p>


<hr>
</div>
</div>
<div class="chapter-level-extent" id="Bulk-Commands">
<div class="nav-panel">
<p>
Next: <a href="#Status-Messages" accesskey="n" rel="next">Status messages and their meanings</a>, Previous: <a href="#Commands" accesskey="p" rel="prev">Protocol commands and their syntax</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Running-multiple-commands-in-sequence"><span>9 Running multiple commands in sequence<a class="copiable-link" href="#Running-multiple-commands-in-sequence"> &para;</a></span></h2>
<p>Multiple commands may be run in sequence by using the <code class="code">BULK</code> command
(see <a class="pxref" href="#BULK">Run a series of commands in sequence.</a>). Using this feature may speed up remote connections since less
socket IO is needed. The <code class="code">BULK</code> command uses an <em class="emph">INQUIRE</em> to obtain
an canonical s-expression of commands to be run. The s-expression syntax is as
follows:
</p>
<div class="example">
<pre class="example-preformatted">(2:id&lt;I&gt;:&lt;id&gt; &lt;P&gt;:&lt;prot&gt;&lt;D&gt;:[&lt;data&gt;] [2:rc&lt;R&gt;:&lt;code&gt;[|&lt;code&gt;...2:id...| 2:id...])
</pre></div>

<p>Each token is prefixed with an unsigned integer that specifies the length of
the token, followed by a colon &rsquo;<code class="code">:</code>&rsquo;, followed by the token itself. Pwmd
uses token pairs to create a <em class="emph">name=value</em> relationship. Whitespace is
allowed between token pairs. For example, the following is valid:
</p>
<div class="example">
<pre class="example-preformatted">( 2:id 7:FirstID 4:LIST0: 2:rc 1:0 (2:id6:Second 7:GETINFO7:version))
</pre></div>

<p>The <code class="code">id</code> token begins a new command and requires an <var class="var">&lt;id&gt;</var> token
of length <var class="var">&lt;I&gt;</var> to uniquely identify this command. The next token pair is
the protocol command name, without any command arguments, of length <var class="var">&lt;P&gt;</var>
to run followed by a colon &rsquo;<code class="code">:</code>&rsquo;, followed by the command <var class="var">&lt;prot&gt;</var>
itself, followed by the length <var class="var">&lt;D&gt;</var> of both command arguments and data,
followed by a colon &rsquo;<code class="code">:</code>&rsquo; and finally the <var class="var">&lt;data&gt;</var> itself.  If no
arguments or data are needed for the command, set the length of the data
<var class="var">&lt;D&gt;</var> to <code class="code">0</code> and append the required colon &rsquo;<code class="code">:</code>&rsquo;.
</p>
<p>A new command enclosed in parentheses may be run when the previous command
returns an error code that matches the <var class="var">&lt;code&gt;</var> token of length <var class="var">&lt;R&gt;</var>
by appending <var class="var">rc</var> tokens to the end of the previous commands <var class="var">&lt;data&gt;</var>
token. You may also test another return code for the previous command by
placing the next <var class="var">rc</var> token at the end of the closing parentheses of the
previous return code command.
</p>
<p>Multiple <code class="code">rc</code> <var class="var">code</var>&rsquo;s may be specified for a single command by
separating them with a pipe <code class="code">|</code> character. This lets you specify an
<em class="emph">if-this-and-that</em> expression for a commands return code.
</p>
<p>If another command is to be run after the previous and does not specify an
<var class="var">rc</var> token, the return value is ignored for the previous command and the
next command is run.  There is no limit on the number of commands or
sub-commands except for system memory.
</p>
<p>After inquiring the commands to be run, <code class="code">BULK</code> will run each command with
<var class="var">&lt;data&gt;</var> as its argument and store the result code and data of the command
in a <code class="code">bulk-result</code> canonical s-expression of the syntax:
</p>
<div class="example">
<pre class="example-preformatted">(11:bulk-result2:id&lt;I&gt;:&lt;id&gt;2:rc&lt;R&gt;:&lt;code&gt;&lt;D&gt;:[&lt;data&gt;][2:id...])
</pre></div>

<p>The <code class="code">11:bulk-result</code> token begins the result of all commands. The
<var class="var">&lt;id&gt;</var> token of length <var class="var">&lt;I&gt;</var> is the same that was associated with the
command from the <em class="emph">INQUIRE</em>&rsquo;d syntax and is prefixed with <code class="code">2:id</code>. The
return code of the command is prefixed with <code class="code">2:rc</code> followed by the length
<var class="var">&lt;R&gt;</var> of the unsigned integer <var class="var">&lt;code&gt;</var> then the return <var class="var">&lt;code&gt;</var>
itself.  If the command returned any <var class="var">&lt;data&gt;</var>, it is prefixed with a
length <var class="var">&lt;D&gt;</var> and immediately following the return <var class="var">&lt;code&gt;</var>. Otherwise,
<var class="var">&lt;D&gt;</var> will be <code class="code">0</code> and followed by a colon &rsquo;<code class="code">:</code>&rsquo;.
</p>

<hr>
</div>
<div class="chapter-level-extent" id="Status-Messages">
<div class="nav-panel">
<p>
Next: <a href="#Target-Attribute" accesskey="n" rel="next">The <code class="code">target</code> attribute</a>, Previous: <a href="#Bulk-Commands" accesskey="p" rel="prev">Running multiple commands in sequence</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Status-messages-and-their-meanings"><span>10 Status messages and their meanings<a class="copiable-link" href="#Status-messages-and-their-meanings"> &para;</a></span></h2>
<p>Some commands send status messages to inform the client about certain
operations or as a progress indicator.  Status messages begin with a
<code class="code">KEYWORD</code> followed by a status description for status messages that
require it. What status messages are sent, when, and how often may depend on
configuration settings (see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>).
</p>
<table class="multitable">
<thead><tr><th width="20%">Message</th><th width="25%">Parameters</th><th width="55%">Description</th></tr></thead>
<tbody><tr><td width="20%">CACHE
<a class="index-entry-id" id="index-CACHE"></a></td><td width="25%"><code class="code">&lt;integer&gt;</code></td><td width="55%">The number of cached documents. Sent to each client after connecting
(see <a class="pxref" href="#GETINFO">Obtaining server and client information.</a>) and to every client after a cache modification.</td></tr>
<tr><td width="20%">CLIENTS
<a class="index-entry-id" id="index-CLIENTS"></a></td><td width="25%"><code class="code">&lt;integer&gt;</code></td><td width="55%">The number of connected clients (see <a class="pxref" href="#GETINFO">Obtaining server and client information.</a>). Sent to each client
when another client either connects or disconnects.</td></tr>
<tr><td width="20%">DECRYPT
<a class="index-entry-id" id="index-DECRYPT"></a></td><td width="25%"></td><td width="55%">Sent to the current client during a decrypt operation. How often this
status message is sent is determined by the <code class="code">keepalive_interval</code>
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) setting.</td></tr>
<tr><td width="20%">ENCRYPT
<a class="index-entry-id" id="index-ENCRYPT"></a></td><td width="25%"></td><td width="55%">Sent to the current client during an encrypt operation. How often this
status message is sent is determined by the <code class="code">keepalive_interval</code>
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) setting.</td></tr>
<tr><td width="20%">GENKEY
<a class="index-entry-id" id="index-GENKEY"></a></td><td width="25%"><code class="code">[&lt;sigkey_fpr&gt; &lt;pubkey_fpr&gt;]</code></td><td width="55%">Sent to the current client during key generation. How often this
status message is sent is determined by the <code class="code">keepalive_interval</code>
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) setting. The <var class="var">sigkey_fpr</var> and <var class="var">pubkey_fpr</var>
parameters are added when key generation has completed.</td></tr>
<tr><td width="20%">INQUIRE_MAXLEN
<a class="index-entry-id" id="index-INQUIRE_005fMAXLEN"></a></td><td width="25%"><code class="code">&lt;bytes&gt;</code></td><td width="55%">Sent to the current client from <code class="command">gpg-agent</code> when inquiring data.
This specifies the maximum number of bytes allowed for the client to send and
should not be exceeded.</td></tr>
<tr><td width="20%">KEEPALIVE
<a class="index-entry-id" id="index-KEEPALIVE"></a></td><td width="25%"></td><td width="55%">Sent to each idle client every <var class="var">keepalive_interval</var>
(see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>) seconds.</td></tr>
<tr><td width="20%">LOCKED
<a class="index-entry-id" id="index-LOCKED"></a></td><td width="25%"></td><td width="55%">Sent to the current client when another client is holding the lock for
the mutex associated with a data file. How often this status message is sent
is determined by the <code class="code">keepalive_interval</code> (see <a class="pxref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>)
setting.</td></tr>
<tr><td width="20%">NEWFILE
<a class="index-entry-id" id="index-NEWFILE"></a></td><td width="25%"></td><td width="55%">Sent to the current client when the opened (see <a class="pxref" href="#OPEN">Opening a data file.</a>) file does not
exist on the file-system.</td></tr>
<tr><td width="20%">MODIFIED
<a class="index-entry-id" id="index-MODIFIED"></a></td><td width="25%"><code class="code">&lt;client_id&gt;</code></td><td width="55%">Sent to each client with the same opened data file as <var class="var">client_id</var> to
inform them of modifications that were written to disk using the
<code class="command">SAVE</code> command.</td></tr>
<tr><td width="20%">XFER
<a class="index-entry-id" id="index-XFER"></a></td><td width="25%"><code class="code">&lt;sent&gt; &lt;total&gt;</code></td><td width="55%">Sent to the current client when transferring data. It has two space
delimited arguments. The first being the current amount of bytes transferred
and the other being the total bytes to be transferred. Note that since version
<code class="code">3.1.1</code> of <code class="command">pwmd</code> this status message is sent only once and
before the transfer begins with the <var class="var">total</var> argument set to the size of the
data and the <var class="var">sent</var> argument set to <code class="code">0</code> leaving it to the client to
determine the progress of the transfer as the data is received.</td></tr>
<tr><td width="20%">STATE
<a class="index-entry-id" id="index-STATE"></a></td><td width="25%"><code class="code">&lt;client_id&gt; &lt;state&gt;</code></td><td width="55%">Sent to each client to indicate that <var class="var">client_id</var> has changed to
<var class="var">state</var> (see <a class="pxref" href="#GETINFO">Obtaining server and client information.</a> for client states). For a client to receive
another clients state the option <var class="var">CLIENT-STATE</var> must be set
(see <a class="pxref" href="#OPTION">Setting various client parameters.</a>).</td></tr>
<tr><td width="20%">EXPIRE
<a class="index-entry-id" id="index-EXPIRE"></a></td><td width="25%"><code class="code">&lt;epoch_seconds&gt; &lt;epoch_future&gt;|0</code></td><td width="55%">Sent to the current client when <code class="code">GET</code> (see <a class="pxref" href="#GET">Getting the content of an element.</a>) encounters an
<code class="code">_expire</code> (see <a class="pxref" href="#Other-Attributes">Other special attributes</a>) attribute that is in the past or when
<code class="code">STORE</code> (see <a class="pxref" href="#STORE">Modifying the content of an element.</a>) updates the <code class="code">_expire</code> attribute from the
<code class="code">_age</code> attribute value. The second field will be <code class="code">0</code> when <code class="code">GET</code>
sends this status message.  Otherwise the second field is the time the next
expiry will be.</td></tr>
<tr><td width="20%">PASSPHRASE_HINT
<a class="index-entry-id" id="index-PASSPHRASE_005fHINT"></a></td><td width="25%">&lt;keyid&gt; &lt;userid&gt;</td><td width="55%">Forwarded from <code class="code">GpgME</code>. Contains information that is useful in a
<code class="command">pinentry</code>. Only sent when pinentry is disabled (see <a class="pxref" href="#OPTION">Setting various client parameters.</a>).</td></tr>
<tr><td width="20%">PASSPHRASE_INFO
<a class="index-entry-id" id="index-PASSPHRASE_005fINFO"></a></td><td width="25%">&lt;flags&gt; &hellip;</td><td width="55%">Forwarded from <code class="code">GpgME</code>. Contains information that is useful in a
<code class="command">pinentry</code>. Only sent when pinentry is disabled (see <a class="pxref" href="#OPTION">Setting various client parameters.</a>).</td></tr>
<tr><td width="20%">REHANDSHAKE
<a class="index-entry-id" id="index-REHANDSHAKE"></a></td><td width="25%"></td><td width="55%">Sent to each <abbr class="acronym">TLS</abbr> client just before performing a cipher renegotiation
after a SIGHUP signal was received.</td></tr>
<tr><td width="20%">BULK
<a class="index-entry-id" id="index-BULK"></a></td><td width="25%"><code class="code">BEGIN|END &lt;command id&gt;</code></td><td width="55%">Sent to the current client before and after the <code class="code">BULK</code> command
(see <a class="pxref" href="#BULK">Run a series of commands in sequence.</a>) runs each command. The <var class="var">&lt;command id&gt;</var> is the same that was
associated with the command in the s-expression syntax.</td></tr>
</tbody>
</table>

<hr>
</div>
<div class="chapter-level-extent" id="Target-Attribute">
<div class="nav-panel">
<p>
Next: <a href="#Other-Attributes" accesskey="n" rel="next">Other special attributes</a>, Previous: <a href="#Status-Messages" accesskey="p" rel="prev">Status messages and their meanings</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="The-target-attribute"><span>11 The <code class="code">target</code> attribute<a class="copiable-link" href="#The-target-attribute"> &para;</a></span></h2>
<a class="index-entry-id" id="index-target-attribute"></a>
<p>A <em class="emph">case sensitive</em> attribute named <code class="code">_target</code> is treated specially
when found in each element of an element path. This attribute, like other
element attributes, is created or modified with the <code class="code">ATTR</code> command
(see <a class="pxref" href="#ATTR">Modifying element attributes.</a>). The value of this attribute is an existing element path
somewhere in the document.  If you are familiar with <abbr class="acronym">XML</abbr> entities or
maybe the HTML <code class="code">id</code> or <code class="code">_target</code> attributes or a symbolic link
in a file-system, you may find this attribute behaves similar to any of those.
</p>
<p>To create a <code class="code">_target</code> attribute use the following syntax:
</p>
<div class="example">
<pre class="example-preformatted">ATTR SET _target element[<code class="code">TAB</code>child[..]] element[<code class="code">TAB</code>child[..]]
</pre></div>

<p>Note the single space between the two element paths. The first element path is
where the <code class="code">_target</code> attribute will be created. If the element path does
not exist then it will be created.  This is the only time the <code class="code">ATTR</code>
(see <a class="pxref" href="#ATTR">Modifying element attributes.</a>) command will create elements. The attribute is created in the
final element of the element path.
</p>
<p>The second element path is the destination of where you want the first element
path to resolve to. When an element path is passed as an argument to a
protocol command <code class="command">pwmd</code> looks for a <code class="code">_target</code> attribute when
resolving each element and, if found, &quot;jumps&quot; to the attribute value and
continues resolving any remaining elements a commands element path.
</p>
<p>When an element of a element path is removed that a <code class="code">_target</code> attribute
resolves to then an error will occur when trying to access that element. You
may need to either update the <code class="code">_target</code> attribute value with a new element
path or remove the attribute entirely.
</p>
<p>Clients should be careful of creating <code class="code">_target</code> loops, or targets that
resolve to themselves. See the <var class="var">recursion_depth</var> in <a class="ref" href="#Configuration"><code class="command">pwmd</code> configuration file options</a>
for details.
</p>
<p>The <code class="code">REALPATH</code> command (see <a class="pxref" href="#REALPATH">Resolving an element.</a>) can be used to show the element
path after resolving all <code class="code">_target</code> attributes.
</p>
<p><em class="emph">Note that when setting this attribute any children of the element will
be removed.</em>
</p>

<hr>
</div>
<div class="chapter-level-extent" id="Other-Attributes">
<div class="nav-panel">
<p>
Next: <a href="#Key-Expiration" accesskey="n" rel="next">Key Expiration</a>, Previous: <a href="#Target-Attribute" accesskey="p" rel="prev">The <code class="code">target</code> attribute</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Other-special-attributes"><span>12 Other special attributes<a class="copiable-link" href="#Other-special-attributes"> &para;</a></span></h2>
<a class="index-entry-id" id="index-special-attributes"></a>
<p>In addition to the <code class="code">_target</code> attribute (see <a class="pxref" href="#Target-Attribute">The <code class="code">target</code> attribute</a>), there
are a few other attributes that are specially handled by <code class="command">pwmd</code>. The
first is the <code class="code">_ctime</code> attribute which is set to the current time when an
element is created. Next is the <code class="code">_mtime</code> attribute which is created when
an element is created and also updated when an element is modified. Neither of
these attributes may be modified by the client. The <code class="code">_acl</code> attribute
controls access to the element, albeit modifying or accessing element content,
or descending into child elements.  See <a class="xref" href="#Access-Control">Access Control</a> for details. The
<code class="code">_name</code> attribute contains the name of an element.
</p>
<p>The above mentioned attributes are considered reserved attribute names.
Reserved attributes are treated specially when a <code class="code">_target</code> attribute is
found for the current element. The <code class="code">ATTR LIST</code> command will show these
attribute values for the current element and not the attribute values for the
resolved <code class="code">_target</code> element. All other non-reserved attributes for the
resolved <code class="code">_target</code> are appended to the <code class="code">ATTR LIST</code> command output.
Other <code class="code">ATTR</code> commands (see <a class="pxref" href="#ATTR">Modifying element attributes.</a>) behave as usual. You can, for
example, <code class="code">ATTR DELETE</code> a non-reserved attribute for an element that
contains a <code class="code">_target</code> attribute. The resolved target elements&rsquo; attribute
will be removed rather than the element containing the <code class="code">_target</code>
attribute.
</p>
<p>Another specially handled attribute is the <code class="code">_expire</code> attribute. This
attribute value, like the <code class="code">_ctime</code> and <code class="code">_mtime</code> attributes, is a
timestamp. But this timestamp is usually in the future and for use with the
<code class="code">GET</code> (see <a class="pxref" href="#GET">Getting the content of an element.</a>) and <code class="code">STORE</code> (see <a class="pxref" href="#STORE">Modifying the content of an element.</a>) commands. When the
<code class="code">GET</code> command is issued, it checks for an <code class="code">_expire</code> attribute an
compares its&rsquo; value with the current time. If the <code class="code">_expire</code> timestamp is
in the past then a status message is sent (see <a class="pxref" href="#Status-Messages">Status messages and their meanings</a>) to inform
the client that the element content should be updated.  When the content for
an element containing an <code class="code">_expire</code> attribute is set when using the
<code class="code">STORE</code> command, the value of the <code class="code">_age</code> attribute is added to the
current time and the <code class="code">_expire</code> attribute value is updated.  When no
<code class="code">_age</code> attribute is found, no modification is done of the <code class="code">_expire</code>
attribute.
</p>

<hr>
</div>
<div class="chapter-level-extent" id="Key-Expiration">
<div class="nav-panel">
<p>
Next: <a href="#Signals" accesskey="n" rel="next">Recognized signals</a>, Previous: <a href="#Other-Attributes" accesskey="p" rel="prev">Other special attributes</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Key-Expiration-1"><span>13 Key Expiration<a class="copiable-link" href="#Key-Expiration-1"> &para;</a></span></h2>
<a class="index-entry-id" id="index-key-expiration"></a>
<p>When a key used for signing a data file has expired there is no indication
until the next <code class="code">SAVE</code> command is sent. The command will fail since one
cannot sign the data file with an expired key. The client will need to either
use a different key for signing by either specifying an existing non-expired
key, generate a new key, or change the expire time of the existing key with
<code class="command">gpg</code>.
</p>
<p>To change the expiration of the currently used signing key with <code class="command">gpg</code>,
use the <code class="code">KEYINFO</code> command (see <a class="pxref" href="#KEYINFO">Showing keys used for the current data file.</a>) to obtain the fingerprint of
the signing key of the current data file, then change the expire time with
<code class="command">gpg</code>:
</p>
<div class="example">
<pre class="example-preformatted">gpg --homedir ~/.pwmd/.gnupg --edit-key &lt;fingerprint&gt;
</pre></div>

<p>Then use the <code class="code">expire</code> command to set the new key expire date. When
finished, use the <code class="code">save</code> command to save your changes.
</p>

<hr>
</div>
<div class="chapter-level-extent" id="Signals">
<div class="nav-panel">
<p>
Next: <a href="#Index" accesskey="n" rel="next">Index</a>, Previous: <a href="#Key-Expiration" accesskey="p" rel="prev">Key Expiration</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="chapter" id="Recognized-signals"><span>14 Recognized signals<a class="copiable-link" href="#Recognized-signals"> &para;</a></span></h2>

<p>Sending the <em class="emph">SIGHUP</em> signal to a <code class="command">pwmd</code> process will reload the
configuration file and sending <em class="emph">SIGUSR1</em> will clear the entire file
cache.
</p>


<hr>
</div>
<div class="unnumbered-level-extent" id="Index">
<div class="nav-panel">
<p>
Previous: <a href="#Signals" accesskey="p" rel="prev">Recognized signals</a> &nbsp; [<a href="#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="#Index" title="Index" rel="index">Index</a>]</p>
</div>
<h2 class="unnumbered" id="Index-1"><span>Index<a class="copiable-link" href="#Index-1"> &para;</a></span></h2>
<div class="printindex cp-printindex">
<table class="cp-letters-header-printindex"><tr><th>Jump to: &nbsp; </th><td><a class="summary-letter-printindex" href="#Index_cp_letter-A"><b>A</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-B"><b>B</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-C"><b>C</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-D"><b>D</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-E"><b>E</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-G"><b>G</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-H"><b>H</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-I"><b>I</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-K"><b>K</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-L"><b>L</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-M"><b>M</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-N"><b>N</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-O"><b>O</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-P"><b>P</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-R"><b>R</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-S"><b>S</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-T"><b>T</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-U"><b>U</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-X"><b>X</b></a>
 &nbsp; 
</td></tr></table>
<table class="cp-entries-printindex" border="0">
<tr><td></td><th class="entries-header-printindex">Index Entry</th><th class="sections-header-printindex">Section</th></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-A">A</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-allowed">allowed</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-allowed_005ffile">allowed_file</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-always_005ftrust">always_trust</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Arguments">Arguments</a></td><td class="printindex-index-section"><a href="#Invoking">Invoking</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-ATTR-command">ATTR command</a></td><td class="printindex-index-section"><a href="#ATTR">ATTR</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-B">B</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-backlog">backlog</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-backup">backup</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-BULK">BULK</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-BULK-command">BULK command</a></td><td class="printindex-index-section"><a href="#BULK">BULK</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-C">C</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-CACHE">CACHE</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-cache_005fpush">cache_push</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-cache_005ftimeout">cache_timeout</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-CACHETIMEOUT-command">CACHETIMEOUT command</a></td><td class="printindex-index-section"><a href="#CACHETIMEOUT">CACHETIMEOUT</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-CLEARCACHE-command">CLEARCACHE command</a></td><td class="printindex-index-section"><a href="#CLEARCACHE">CLEARCACHE</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-CLIENTS">CLIENTS</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-COPY-command">COPY command</a></td><td class="printindex-index-section"><a href="#COPY">COPY</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-D">D</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Data-file-configuration-options">Data file configuration options</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-DECRYPT">DECRYPT</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-DELETE-command">DELETE command</a></td><td class="printindex-index-section"><a href="#DELETE">DELETE</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-DELETEKEY-command">DELETEKEY command</a></td><td class="printindex-index-section"><a href="#DELETEKEY">DELETEKEY</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-disable_005flist_005fand_005fdump">disable_list_and_dump</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-disable_005fmlockall">disable_mlockall</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-DUMP-command">DUMP command</a></td><td class="printindex-index-section"><a href="#DUMP">DUMP</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-E">E</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-enable_005flogging">enable_logging</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-enable_005ftcp">enable_tcp</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-ENCRYPT">ENCRYPT</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-encrypt_005fto">encrypt_to</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-EXPIRE">EXPIRE</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-G">G</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-GENKEY">GENKEY</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-GENKEY-command">GENKEY command</a></td><td class="printindex-index-section"><a href="#GENKEY">GENKEY</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-GET-command">GET command</a></td><td class="printindex-index-section"><a href="#GET">GET</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-GETCONFIG-command">GETCONFIG command</a></td><td class="printindex-index-section"><a href="#GETCONFIG">GETCONFIG</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-GETINFO-command">GETINFO command</a></td><td class="printindex-index-section"><a href="#GETINFO">GETINFO</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Getting-help">Getting help</a></td><td class="printindex-index-section"><a href="#Invoking">Invoking</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Global-configuration-options">Global configuration options</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-gpg_005fhomedir">gpg_homedir</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-H">H</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-HELP-command">HELP command</a></td><td class="printindex-index-section"><a href="#HELP">HELP</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-I">I</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-IMPORT-command">IMPORT command</a></td><td class="printindex-index-section"><a href="#IMPORT">IMPORT</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-INQUIRE_005fMAXLEN">INQUIRE_MAXLEN</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-invoking_005ffile">invoking_file</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-invoking_005fuser">invoking_user</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-ISCACHED-command">ISCACHED command</a></td><td class="printindex-index-section"><a href="#ISCACHED">ISCACHED</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-K">K</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-KEEPALIVE">KEEPALIVE</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-keepalive_005finterval">keepalive_interval</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-key-expiration">key expiration</a></td><td class="printindex-index-section"><a href="#Key-Expiration">Key Expiration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-KEYINFO-command">KEYINFO command</a></td><td class="printindex-index-section"><a href="#KEYINFO">KEYINFO</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-KILL-command">KILL command</a></td><td class="printindex-index-section"><a href="#KILL">KILL</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-kill_005fscd">kill_scd</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-L">L</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-LIST-command">LIST command</a></td><td class="printindex-index-section"><a href="#LIST">LIST</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-LISTKEYS-command">LISTKEYS command</a></td><td class="printindex-index-section"><a href="#LISTKEYS">LISTKEYS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-LOCK-command">LOCK command</a></td><td class="printindex-index-section"><a href="#LOCK">LOCK</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-lock_005ftimeout">lock_timeout</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-LOCKED">LOCKED</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-log_005fkeepopen">log_keepopen</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-log_005flevel">log_level</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-log_005fpath">log_path</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-LS-command">LS command</a></td><td class="printindex-index-section"><a href="#LS">LS</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-M">M</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-MODIFIED">MODIFIED</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-MOVE-command">MOVE command</a></td><td class="printindex-index-section"><a href="#MOVE">MOVE</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-N">N</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-NEWFILE">NEWFILE</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-NOP-command">NOP command</a></td><td class="printindex-index-section"><a href="#NOP">NOP</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-O">O</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-OPEN-command">OPEN command</a></td><td class="printindex-index-section"><a href="#OPEN">OPEN</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-OPTION-command">OPTION command</a></td><td class="printindex-index-section"><a href="#OPTION">OPTION</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Options">Options</a></td><td class="printindex-index-section"><a href="#Invoking">Invoking</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-P">P</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-passphrase_005ffile">passphrase_file</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-PASSPHRASE_005fHINT">PASSPHRASE_HINT</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-PASSPHRASE_005fINFO">PASSPHRASE_INFO</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-PASSWD-command">PASSWD command</a></td><td class="printindex-index-section"><a href="#PASSWD">PASSWD</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-priority">priority</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-R">R</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-REALPATH-command">REALPATH command</a></td><td class="printindex-index-section"><a href="#REALPATH">REALPATH</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-recursion_005fdepth">recursion_depth</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-REHANDSHAKE">REHANDSHAKE</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Reloading-the-configuration-file">Reloading the configuration file</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-RENAME-command">RENAME command</a></td><td class="printindex-index-section"><a href="#RENAME">RENAME</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-require_005fsave_005fkey">require_save_key</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-RESET-command">RESET command</a></td><td class="printindex-index-section"><a href="#RESET">RESET</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-Running-pwmd">Running <code class="command">pwmd</code></a></td><td class="printindex-index-section"><a href="#Invoking">Invoking</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-S">S</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-SAVE-command">SAVE command</a></td><td class="printindex-index-section"><a href="#SAVE">SAVE</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-socket_005fpath">socket_path</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-socket_005fperms">socket_perms</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-special-attributes">special attributes</a></td><td class="printindex-index-section"><a href="#Other-Attributes">Other Attributes</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-STATE">STATE</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-STORE-command">STORE command</a></td><td class="printindex-index-section"><a href="#STORE">STORE</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-strict_005fkill">strict_kill</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-strict_005fopen">strict_open</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-syslog">syslog</a></td><td class="printindex-index-section"><a href="#Configuration">Configuration</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-T">T</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-target-attribute">target attribute</a></td><td class="printindex-index-section"><a href="#Target-Attribute">Target Attribute</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tcp_005fbind">tcp_bind</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tcp_005finterface">tcp_interface</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tcp_005fport">tcp_port</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tcp_005frequire_005fkey">tcp_require_key</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fca_005ffile">tls_ca_file</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fcipher_005fsuite">tls_cipher_suite</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fcrl_005ffile">tls_crl_file</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fdh_005fparams_005ffile">tls_dh_params_file</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fserver_005fcert_005ffile">tls_server_cert_file</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fserver_005fkey_005ffile">tls_server_key_file</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005ftimeout">tls_timeout</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-tls_005fuse_005fcrl">tls_use_crl</a></td><td class="printindex-index-section"><a href="#TLS">TLS</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-U">U</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-UNLOCK-command">UNLOCK command</a></td><td class="printindex-index-section"><a href="#UNLOCK">UNLOCK</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
<tr><th id="Index_cp_letter-X">X</th></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-XFER">XFER</a></td><td class="printindex-index-section"><a href="#Status-Messages">Status Messages</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-XPATH-command">XPATH command</a></td><td class="printindex-index-section"><a href="#XPATH">XPATH</a></td></tr>
<tr><td></td><td class="printindex-index-entry"><a href="#index-XPATHATTR-command">XPATHATTR command</a></td><td class="printindex-index-section"><a href="#XPATHATTR">XPATHATTR</a></td></tr>
<tr><td colspan="3"><hr></td></tr>
</table>
<table class="cp-letters-footer-printindex"><tr><th>Jump to: &nbsp; </th><td><a class="summary-letter-printindex" href="#Index_cp_letter-A"><b>A</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-B"><b>B</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-C"><b>C</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-D"><b>D</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-E"><b>E</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-G"><b>G</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-H"><b>H</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-I"><b>I</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-K"><b>K</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-L"><b>L</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-M"><b>M</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-N"><b>N</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-O"><b>O</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-P"><b>P</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-R"><b>R</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-S"><b>S</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-T"><b>T</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-U"><b>U</b></a>
 &nbsp; 
<a class="summary-letter-printindex" href="#Index_cp_letter-X"><b>X</b></a>
 &nbsp; 
</td></tr></table>
</div>

</div>
</div>



</body>
</html>