Notes on setting up secstore on your auth server.
Set up your secstore user via auth/secuser. Note that your secstore password must not be longer than 13 characters; a longer one will fail when you write it into NVRAM in the next step.
auth/secuser $user
Add the secstore password you just set up, also known as your secstore key, to the NVRAM via auth/wrkey. Keep in mind that the nvram partition is not encrypted: anyone who can read /dev/sdXX/nvram can read the key, so this belongs on the auth server's own disk and nowhere else.
nvram=/dev/sdXX/nvram auth/wrkey
Keep in mind that logging in via drawterm changes a little from now on. Drawterm will detect that secstored is running on your auth server and will try to retrieve your dp9ik password from it; to do that it first prompts you for your secstore password. You may skip that prompt and use your regular dp9ik password as before. After that you will be prompted for your secstore password a second time, this time by factotum trying to load its keys from secstore; that prompt can be disabled by adding the -n flag to auth/factotum in your user's /usr/$user/lib/profile.
An example session of using secstore:
% ramfs -p
% cd /tmp
% touch example			# Create a file (or get it with auth/secstore -g example).
% echo 'secret' >> example	# Write something to it.
% auth/secstore -p example	# Put it back.
secstore password:
A common use case is to have a file for storing your factotum keys:
% auth/secstore -g factotum
secstore password:
% cat key >> factotum
% echo 'key proto=dp9ik dom=<DOMAIN> role=client user=<USER> !password=<PASSWORD>' >> factotum
% auth/secstore -p factotum
secstore password:
You can load that file into factotum on startup without being prompted, using the secstore key stored in NVRAM (-n reads the key from NVRAM, -G writes the retrieved file to standard output, and each line written to factotum's ctl file adds one key):
auth/secstore -n -G factotum >> /mnt/factotum/ctl
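A malformed line in the factotum file is only noticed when factotum rejects it at load time, and a secret written without the leading "!" is shown in the clear in /mnt/factotum/ctl. The following checker is an added example for these notes, not code from 9front or from the original author: it parses factotum key lines under the conventions of factotum(4) as assumed here (one "key" per line, attr=value pairs, rc-style single quoting where '' inside quotes is a literal quote, and "!"-prefixed attributes holding secrets), and requires for proto=dp9ik exactly the attributes the example line above carries (dom, role, user, !password). The sample file, the helper names and the required-attribute table are constructed for this example.

```python
"""Check a factotum key file before storing it with auth/secstore -p.

Added example (not part of the notes or of 9front). Assumptions: one key per
line, 'key' followed by attr=value pairs, values optionally single-quoted in
rc style ('' inside quotes is a literal quote), attributes starting with '!'
are secrets. The dp9ik requirement list mirrors the example line in the notes.
"""

# Attributes a client key must carry, per protocol (constructed from the
# notes' example; extend for other protos you use).
REQUIRED = {"dp9ik": ("dom", "role", "user", "!password")}


def tokenize(line):
    """Split on whitespace, honouring rc-style single quotes."""
    toks, cur, inq, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if inq:
            if c == "'":
                if i + 1 < len(line) and line[i + 1] == "'":
                    cur.append("'")  # '' inside quotes is one literal quote
                    i += 1
                else:
                    inq = False
            else:
                cur.append(c)
        elif c == "'":
            inq = True
        elif c.isspace():
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if inq:
        raise ValueError("unterminated quote")
    if cur:
        toks.append("".join(cur))
    return toks


def parse_key(line):
    """Return {attr: value} for one 'key ...' line (attrs without '=' get '')."""
    toks = tokenize(line)
    if not toks or toks[0] != "key":
        raise ValueError("line does not start with 'key'")
    attrs = {}
    for tok in toks[1:]:
        name, _, value = tok.partition("=")
        if not name:
            raise ValueError("empty attribute name in %r" % tok)
        attrs[name] = value
    return attrs


def check_key(attrs):
    """Return a list of problems with a parsed key; empty means it looks fine."""
    problems = []
    proto = attrs.get("proto")
    if proto is None:
        problems.append("missing proto=")
    for need in REQUIRED.get(proto, ()):
        if need not in attrs:
            problems.append("missing %s=" % need)
    if "role" in attrs and attrs["role"] not in ("client", "server"):
        problems.append("role must be client or server")
    # A password given without the '!' prefix is not treated as a secret by
    # factotum and would be readable from /mnt/factotum/ctl.
    if "password" in attrs:
        problems.append("password= should be !password= so factotum hides it")
    return problems


def redact(attrs):
    """Render a key with secret values masked, for safe logging."""
    return "key " + " ".join(
        "%s=%s" % (k, "?" if k.startswith("!") else v) for k, v in attrs.items())


def check_file(text):
    """Check every non-blank line; return {lineno: [problems]} for bad lines."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            probs = check_key(parse_key(line))
        except ValueError as e:
            probs = [str(e)]
        if probs:
            report[n] = probs
    return report


# Constructed sample: one good key, one missing role=, one leaking a password.
SAMPLE = """\
key proto=dp9ik dom=example.org role=client user=glenda !password='s3cr''t'
key proto=dp9ik dom=example.org user=glenda !password=pw
key proto=pass server=mail.example.org user=glenda password=oops
"""

if __name__ == "__main__":
    for n, probs in sorted(check_file(SAMPLE).items()):
        print("line %d: %s" % (n, "; ".join(probs)))
    print(redact(parse_key(SAMPLE.splitlines()[0])))
```

Run it over the factotum file in your ramfs before `auth/secstore -p factotum`; anything it reports is something factotum would either reject or expose.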