1 # Example PWMD configuration file. Edit and save to ~/.pwmd/config or
2 # specify with the -f command line option. See the pwmd(1) manual page or the
3 # pwmd.info documentation for complete details of the options.
5 # The global section is for non-file related settings and defaults for data
6 # files without a file section of their own.
9 # Location of the pinentry binary.
10 #pinentry_path=/usr/bin/pinentry
12 # The number of seconds to wait for a pinentry before giving up.
15 # Location of the listening socket.
16 #socket_path=~/.pwmd/socket
18 # Socket permissions. This will override any umask setting, so choose a
# restrictive mode; the 'allowed' list below further limits which peers may connect.
21 # Usernames or groups obtained via SO_PEERCRED which are allowed to
22 # connect to the socket. Groups should be prefixed with a '@' and a leading
23 # '-' denies that user or group. When not specified only the invoking user
# is allowed.
24 #allowed=username,another_user,@group,-not_this_user
26 # Username to use as the default in an element ACL. The default is the
30 # Like invoking_user, but for remote connections, a SHA-1 hash of a client
32 #invoking_tls=#FINGERPRINT
34 # When false, disable keeping backups for data files.
40 # Set to true to enable logging to log_path.
43 # Disable to close the logging file descriptor (log_path) after writing each
47 # Set to true to enable logging to syslog.
50 # The logging level: 0=connections and errors, 1=client commands.
53 # Enable gpg-agent support.
56 # A file containing the environment settings for connecting to gpg-agent.
57 #agent_env_file=/path/to/some/file
59 # Kill the smartcard daemon after each OPEN or SAVE.
62 # Require the passphrase needed for a data file before each SAVE.
63 #require_save_key=true
65 # Set to false to call mlockall(2) after a client connects. This locks the
66 # process memory so it cannot be paged out to swap. It uses more memory but is
# also more secure. Most will probably find it overkill since the contents of all
67 # memory are cleared before being freed (note that clearing on free does not
# protect data that was already written to swap).
68 #disable_mlockall=true
70 # Disable the XPATH, LIST and DUMP commands. When "true" and a client sends
71 # these commands the error GPG_ERR_NOT_IMPLEMENTED will be returned.
72 #disable_list_and_dump=false
74 # When sending data to the client an XFER status message will be sent after
75 # N bytes. N is rounded to ASSUAN_LINELENGTH (1002) bytes.
78 # A comma separated list of filenames to add to the file cache upon startup.
79 # You will be prompted for the passphrase for each file if required. The files
80 # are looked for in ~/.pwmd/data. This also affects rcfile reloading via
82 #cache_push=somefile,anotherfile
84 # The number of seconds to keep a file in the cache. If -1, the file will be
85 # kept in the cache (and so need no passphrase to OPEN) for as long as the
# daemon runs. If 0 then every OPEN will require a passphrase.
88 # The maximum recursion depth when resolving elements that contain a "target"
89 # attribute. When this value is exceeded an error will be returned.
92 # The priority or nice value of the server process. The default is inherited
93 # from the parent process.
96 # The cipher to use for newly created files.
99 # The number of cipher encryption iterations of the data. This differs from
100 # the s2k_count option (see below) that determines the hash iterations of the
104 # Send a status message to the client after this many encryption/decryption
106 #cipher_progress=2000
108 # The default key parameters to use when generating a new keypair
110 #keyparam=(genkey (rsa (nbits 4:2048)))
112 # The number of passphrase hashing iterations for new files and when changing
113 # the passphrase of a secret key. The default is the calibrated value of the
117 # Whether to enable TCP/TLS server support. If enabled, both TCP and the local
118 # unix domain socket will listen for connections. Enabling this exposes the
# daemon to the network; restrict remote clients with tls_access below.
121 # If TCP is enabled, the port to listen on.
124 # The network interface to listen on.
127 # The number of seconds to wait for a network read and write to complete
128 # for TLS connections.
131 # A comma separated list of client x509 certificate fingerprints in
132 # SHA-1 format that will be allowed to connect or open a file. See the
133 # documentation for details.
134 #tls_access=#ALLOWEDFINGERPRINT,#ANOTHERFINGERPRINT
136 # Require the client to provide the key to open a file even if the file is
138 #tcp_require_key=false
140 # The time in tenths of a second to wait for a new TCP connection. Setting to
141 # 0 will disable waiting.
144 # Accept TCP connections from the specified protocol. One of: ipv4, ipv6 or
145 # any. The default is "any".
148 # The GnuTLS cipher suite and protocol to use.
149 #tls_cipher_suite=SECURE256
151 # The interval in seconds to send the KEEPALIVE status message when
153 #keepalive_interval=60
155 # END GLOBAL SETTINGS
157 # File specific settings are allowed by placing the filename in braces. Each
158 # file can have its own configuration settings from those listed below.
160 #tls_access=+,!DENIEDFINGERPRINT
163 #passphrase_file=/path/to/file.key