.\"Copyright (c) 2011-2024 LEVAI Daniel
.\"All rights reserved.
.\"Redistribution and use in source and binary forms, with or without
.\"modification, are permitted provided that the following conditions are met:
.\" * Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" * Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
.\"ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\"WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\"DISCLAIMED. IN NO EVENT SHALL LEVAI Daniel BE LIABLE FOR ANY
.\"DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\"(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\"LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
.\"ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\"(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
.\"SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.Dd $Mdocdate: April 25 2024 $
.Dt KC 1
.Os
.Sh NAME
.Nm kc
.Nd console based username and password management application
.Sh SYNOPSIS
.Nm
.Op Fl k Ar database file
.Op Fl c Ar keychain name/idx
.Op Fl C Ar keychain name
.Op Fl r
.Op Fl A Ar key-type,key-comment Op Ql ,password
.Op Fl Y Ar key-slot Op ,device-index|serial-number Op Ql ,password
.Op Fl p Ar password file
.Op Fl P Ar kdf
.Op Fl K Ar key length
.Op Fl R Ar kdf iterations
.Op Fl e Ar cipher
.Op Fl m Ar cipher mode
.Op Fl 1 Ar parameter
.Op Fl 2 Ar parameter
.Op Fl 3 Ar parameter
.Op Fl 4 Ar parameter
.Op Fl 5 Ar parameter
.Op Fl b
.Op Fl B
.Op Fl v
.Op Fl h
.Sh DESCRIPTION
.Nm
is a console-based username and password management application using an
encrypted XML document as its database.
The database file is encrypted with a key that is generated from a
user-supplied password and/or a security key and/or an SSH agent.
Database encryption
.Po and thus decryption
.Pc can be interactive or
non-interactive in that it could require user input
.Po i.e. a password
.Pc , or a
response for a challenge from a security key or a signature from an SSH agent.
See the
.Em PASSWORDS
section on how these work in terms of generating a password.
.Pp
A database file can contain multiple keychains, and keychains in turn can
contain multiple keys
.Po usernames if you like
.Pc and values
.Po passwords if you like
.Pc .
.Pp
After starting
.Nm
the
.Ic help
command shows the available commands, and usage information for them.
If you're in a hurry, to get started you create a new entry with the
.Ic new
command and save it with
.Ic write .
You can see the stored keys with the
.Ic list
command, then entering only a number in the command line will display the entry
with the given index.
You quit from the value display with
.Ql q
or EOT
.Po usually CTRL+d
.Pc .
.Pp
The CLI supports tab-completion for commands and keychains.
.Pp
When saving the database
.Po Ic write
command
.Pc
.Nm
will create a temporary file
.Po under the same directory as the opened database file
.Pc , and will first try to save the whole database to that temporary database
file.
When this succeeds, only then will
.Nm
replace the old database with the new one, so you will always have a usable and
intact
.Po but potentially older
.Pc version of your database file.
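.Pp
As an added illustration of the save strategy just described
.Po example code, not kc's own
.Pc :
the database is written to a temporary file in the same directory, flushed to
disk and only then renamed over the old file, so a failure half-way through the
write leaves the previous database intact.
The file names, the sample content and the hypothetical
.Ql writer
hook used to simulate the failure are constructed for the example.
.Pp
```python
import os
import tempfile

# Constructed stand-in for the serialized database; a real kc database is an
# encrypted XML document, which this example does not reproduce.
SAMPLE_DB = b"<kc_db>constructed sample</kc_db>\n"


def save_atomically(path, data, writer=None):
    """Save `data` to `path` the way the manual describes: write everything to
    a temporary file in the same directory, and only when that succeeded
    replace the old database. `writer` is a hypothetical hook (not kc's)
    that lets the demo simulate a failure half-way through the write."""
    directory = os.path.dirname(os.path.abspath(path))
    # Same directory as the database: os.replace() must not cross filesystems.
    # mkstemp creates the file with mode 0600, which suits a password database.
    fd, tmp_path = tempfile.mkstemp(prefix=".kc-tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            if writer is None:
                fh.write(data)
            else:
                writer(fh, data)
            fh.flush()
            os.fsync(fh.fileno())      # bytes on disk before the rename
        os.replace(tmp_path, path)     # atomic: readers see old or new, never a mix
    except BaseException:
        # Any failure leaves the previous database untouched; drop the temp file.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    return path


def save_and_read(data):
    """Round trip through a fresh directory; returns what is on disk afterwards."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = save_atomically(os.path.join(tmpdir, "default.kcd"), data)
        with open(path, "rb") as fh:
            return fh.read()


def _failing_writer(fh, data):
    fh.write(data[:5])
    raise OSError("simulated disk error")


def demo():
    """Save once, then fail a second save; report whether the first version
    survived intact and whether a temporary file was left behind."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "default.kcd")
        save_atomically(path, SAMPLE_DB)
        try:
            save_atomically(path, b"<kc_db>newer</kc_db>\n", writer=_failing_writer)
        except OSError:
            pass
        with open(path, "rb") as fh:
            intact = fh.read() == SAMPLE_DB
        leftovers = [n for n in os.listdir(tmpdir) if n.startswith(".kc-tmp-")]
    return intact, leftovers


if __name__ == "__main__":
    print(demo())
```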
.Pp
On
.Ox
.Nm
tries to use
.Xr pledge 2
but see also the CAVEATS section.
.Ss PARAMETERS
.Bl -tag -offset ||| -width |
.It Fl k Ar file
Use
.Ar file
as database.
The default is
.Pa ~/.kc/default.kcd .
.It Fl c Ar keychain
Change to the specified keychain after opening the database.
.It Fl C Ar keychain
Same as
.Fl c ,
but force
.Ar keychain
to be the keychain's name, instead of its index number.
More on this is in the
.Ic c
and
.Ic cc
commands' description.
.It Fl r
Open the database in read-only mode.
.Nm
will not try to lock the database file, and commands which could modify the
database will not be available.
.It Fl A Ar key-type,key-comment Op ,password
Use a signature from SSH agent as the database password.
For this,
.Nm
asks
.Xr ssh-agent 1
(using the
.Ev SSH_AUTH_SOCK
environment variable) to sign the IV and the salt of the database (and
optionally a password) with a private key loaded into
.Xr ssh-agent 1 .
This private key is looked up based on the
.Ar key type
and
.Ar key comment
separated by a comma (with no whitespaces around it).
.Pp
Key types supported and tested so far are RSA and ED25519, by using the type
names
.Bl -tag -offset ||| -width |
.It Ar ssh-rsa
.It Ar ssh-ed25519
.El
.Pp
respectively.
Due to the nature of *DSA keys,
.Nm
cannot use them in this specific way for this specific purpose.
.Pp
Key comments cannot contain comma (,) characters.
.Pp
If the word
.Ql password
is appended to the key comment after a comma (with no whitespaces around it),
then
.Nm
will also use the password (along with the IV and salt) as the input for the
SSH agent signature request.
This makes opening the database interactive
.Po a password is requested for decryption
.Pc instead of automatic.
.Pp
E.g.:
.Bl -tag -offset ||| -width |
.It Ar ssh-ed25519,daniel-private,password
Search for an
.Ql ed25519
type key with a comment
.Ql daniel-private
and also ask for a password to use when opening the database.
.El
.Pp
It is also worth mentioning that this works with agent forwarding as well, so
on a remote machine the actual private key file does not even have to be
present \(em just as in any other case where you would use SSH agent forwarding.
.It Fl Y Ar key-slot Op ,device-index|serial-number Op Ql ,password
Use a YubiKey's challenge-response mechanism to construct the password for the
database.
This can be either an automatic or an interactive mode of operation (just like
with SSH agent support).
Without the
.Ql password
parameter the challenge will be the database salt value, thus facilitating an
automatic database open.
.Pp
This is a comma-separated list of parameters, and the only mandatory argument to
this option is the slot number.
If the device index or serial number in the second field is missing, the first
available device
.Po index #0
.Pc is used.
The third
.Po or second, if the index or serial is missing
.Pc field can be the literal word
.Ql password .
.Pp
E.g.:
.Bl -tag -offset ||| -width |
.It Ar 2
means slot 2 and implicitly device 0 (the first device).
.It Ar 2,password
means slot 2 and implicitly device 0 (the first device), and also use a
user-supplied password.
.It Ar 1,0
means slot 1 and device 0 (the first device).
.It Ar 2,0
means slot 2 and device 0 (the first device).
.It Ar 2,1
means slot 2 and device 1 (the second device).
.It Ar 2,3,password
means slot 2 and device 3 (the third device), and also use a user-supplied
password.
.It Ar 2,12345678,password
means slot 2 and the device with the serial number 12345678, and also use a
user-supplied password.
.El
.Pp
If the
.Ql password
parameter is specified, then the user-supplied password is used as the
challenge with the security key \(em otherwise the database's salt is the
challenge (stored in the database).
When using this option, the password can be at most 64 bytes long.
E.g.:
.Bl -tag -offset ||| -width |
.It Ar 2,0,password
Use the first device, the second slot, and ask for a password to use as the
challenge.
.El
.Pp
.Em Using multiple security keys:
.Pp
It's possible to use multiple security keys by specifying this option two or
more times.
In this case
.Nm
will use the specified security keys in the order these options are specified,
and each subsequent device will re-use the previous output
.Po response
.Pc as its challenge, chaining together the security keys.
The database can only be opened when using all of the provided security keys,
and by specifying these options in the same exact order.
To work around the dynamic assignment of device numbers based on the order one
plugs in their security keys, serial numbers can be used instead of the device
index number to explicitly specify which security key to use.
.Pp
When using multiple security keys, any one of the
.Ql password
parameters turns on the usage of the user-supplied password.
.It Fl p Ar file
Read password from
.Ar file .
.It Fl P Ar kdf
KDF to use with the password.
Valid parameters are:
.Bl -tag -offset ||| -width |
.It Ar sha3
OpenSSL's PKCS5 PBKDF2 with SHA-3 512.
.It Ar sha512
OpenSSL's PKCS5 PBKDF2 with SHA-2 512.
This is the default.
.It Ar bcrypt
Bcrypt PBKDF based on Blowfish.
This is slower than the SHA-* or scrypt variants.
On Linux, a bundled bcrypt implementation from
.Ox
is used, and its version is the one that was available at the time of this
.Nm
release.
.It Ar scrypt
If compiled with libscrypt,
.Nm
can use the scrypt KDF.
The speed of this is somewhere between SHA-* and bcrypt.
The
.Fl R
option is ignored when using this.
.It Ar argon2id
If compiled with Argon2 and a new enough OpenSSL,
.Nm
supports the Argon2id KDF.
Argon2 is a memory-hard function.
.Fl R
is used for specifying its iterations (default is 2),
.Fl 1
is used for specifying the number of memory lanes (default is 4), and
.Fl 2
is used for specifying the memory cost (default is 6291456).
.Pp
These defaults have been selected based on the recommendation of its RFC 9106.
.El
.Pp
More information is in the
.Em KDF
section.
.It Fl K Ar key length
Key length in bytes to use for encryption (and decryption).
A valid length is between 16 and 32 (default).
Some combinations of an encryption cipher and key length don't make sense with
low or high values.
If it's not really necessary, I suggest leaving it at the default:
32 bytes == 256 bits.
.It Fl R Ar iterations
Number of iterations or rounds to use with the KDF.
.Pp
More information is in the
.Em KDF
section.
.It Fl e Ar cipher
Encryption cipher for database encryption.
Valid parameters are:
.Bl -tag -offset ||| -width |
.It Ar aes256
This is the default.
.It Ar blowfish
.It Ar chacha20
.Ar cipher mode
is ignored when using this.
.El
.It Fl m Ar cipher mode
Cipher mode for database encryption.
Different encryption ciphers can have different modes.
The valid parameters are:
.Bl -tag -offset || -width |
.It When using Ar aes256
.Bl -tag -offset ||| -width |
.It Ar cbc
This is the default.
.It Ar cfb
.It Ar ofb
.It Ar ctr
.El
.It When using Ar blowfish
.Bl -tag -offset ||| -width |
.It Ar cbc
.It Ar cfb
.It Ar ofb
.El
.El
.Pp
More information is in the
.Em CIPHERS
section.
.It Fl b
Batch mode.
Enable reading commands and the password from standard input.
In this case, the password must be on the first line
.Po like it would be in interactive mode
.Pc .
.It Fl B
Batch mode.
Enable reading commands from standard input, but prompt for the password.
.It Fl v
Display version.
.It Fl h
Display help.
.El
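.Pp
As an added example that is not part of kc, the following simulates the
.Fl Y
option's argument parsing and the chaining of several security keys described
above: the first challenge is the user-supplied password when any of the
options says
.Ql password ,
otherwise the database salt, and each further device is challenged with the
previous device's response.
The simulated YubiKey class, its serial numbers and slot secrets, the 20-byte
HMAC-SHA1 response, the salt value and the rule that a number is tried as a
serial before being used as a device index are assumptions of the example; how
kc turns the final response into the KDF input is not stated in this manual,
so the bytes are returned as they are.
.Pp
```python
import hashlib
import hmac


class SimulatedYubiKey:
    """Stand-in for a YubiKey with HMAC-SHA1 challenge-response slots.
    Constructed for this example; a real device keeps the slot secrets
    inside the hardware and only ever returns the response."""

    def __init__(self, serial, slot_secrets):
        self.serial = serial                # e.g. 12345678 as in the manual
        self._slot_secrets = slot_secrets   # {slot number: 20-byte HMAC key}

    def challenge_response(self, slot, challenge):
        if len(challenge) > 64:
            raise ValueError("a YubiKey HMAC-SHA1 challenge is at most 64 bytes")
        return hmac.new(self._slot_secrets[slot], challenge, hashlib.sha1).digest()


def parse_y_option(spec):
    """Parse one -Y argument: 'slot[,device-index|serial-number][,password]'.
    Returns (slot, selector or None, use_password)."""
    fields = spec.split(",")
    slot = int(fields[0])
    selector, use_password = None, False
    rest = fields[1:]
    if rest and rest[-1] == "password":
        use_password = True
        rest = rest[:-1]
    if len(rest) == 1:
        selector = int(rest[0])
    elif rest:
        raise ValueError("unexpected -Y field(s): %s" % ",".join(rest))
    return slot, selector, use_password


def select_device(devices, selector):
    """Pick the device by serial number first, then by plug-in index
    (assumption: the manual does not say how kc tells the two apart)."""
    if selector is None:
        return devices[0]                       # index #0, the first device
    for dev in devices:
        if dev.serial == selector:
            return dev
    return devices[selector]


def chained_response(devices, specs, salt, password=None):
    """Run the -Y options in the order given: the first challenge is the
    user password if any option said 'password', otherwise the salt; every
    further device is challenged with the previous response."""
    parsed = [parse_y_option(s) for s in specs]
    if any(use_pw for _, _, use_pw in parsed):
        if password is None:
            raise ValueError("'password' given but no password supplied")
        if len(password) > 64:
            raise ValueError("with -Y the password can be at most 64 bytes")
        challenge = password
    else:
        challenge = salt
    for slot, selector, _ in parsed:
        challenge = select_device(devices, selector).challenge_response(slot, challenge)
    return challenge


# Constructed devices with fixed slot secrets; they exist only so the example
# runs offline and do not correspond to any real key.
DEVICES = [
    SimulatedYubiKey(11111111, {1: b"A" * 20, 2: b"B" * 20}),
    SimulatedYubiKey(12345678, {1: b"C" * 20, 2: b"D" * 20}),
]
SALT = b"constructed-16B!"  # stands in for the salt stored in the database


def demo():
    """Same two keys in both orders: the database opens only with the order
    the options were given in when it was saved."""
    forward = chained_response(DEVICES, ["2,11111111", "2,12345678"], SALT)
    backward = chained_response(DEVICES, ["2,12345678", "2,11111111"], SALT)
    return forward.hex(), backward.hex()


if __name__ == "__main__":
    print(demo())
```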
.Ss COMMANDS
These commands are available in the CLI:
.Bl -tag -offset ||| -width |
.It Ic new Op name
Create a new key in the current keychain.
Both key and value will be prompted for, except when
.Ar name
is specified; then it will be used as the key's name.
.Pp
Character sequences can be used in values:
.Pp
.Qq \en
- create a new line, and make the result a multiline value.
.Pp
.Qq \er ,
.Qq \eR
- these will be replaced with 2 and 4
.Po respectively
.Pc
random printable characters.
.Pp
.Qq \ea ,
.Qq \eA
- these will be replaced with 2 and 4
.Po respectively
.Pc
random alpha-numeric characters.
.Pp
Character sequences are to be used in values, regardless of their order or
count, and can be escaped using double backslashes
.Po eg.:
.Qq \e\ea
.Pc .
.It Ic list Op pager Op offset
List
.Ar pager
number of keys per page from the current keychain, skipping
.Ar offset
indices if specified.
Every key gets prefixed by its index number.
If
.Ar pager
is not specified, the default value of 20 is used.
The special value 0 means to not use the pager.
If
.Ar offset
is not specified, it is not used.
.It Ic ls Op pager Op offset
Alias of
.Ic list .
.It Ic edit Ar index
Edit a key.
.Ar index
is the key's index number in the current keychain.
.Pp
Character sequence rules in values apply to this command also.
See command
.Ic new
for more information about this.
.It Ic swap Ar index Ar index
Swap two keys, exchanging their index numbers.
The two
.Ar index
parameters are the keys' index numbers in the current keychain.
.It Ic insert Ar index Ar index
Move the key at the first
.Ar index
parameter to the index at the second
.Ar index
parameter in the current keychain.
Surrounding indices will be shifted backwards or forwards.
.It Ic search Ar string
Search for
.Ar string
in key names in the current keychain.
.Pp
Optional modifiers:
.Pp
.Ql \&!
suffix
.Pq eg.: Ic search\&! :
show non-matching keys.
.Pp
.Ql *
suffix
.Pq eg.: Ic search* :
search in every keychain.
.Pp
.Ql i
suffix
.Pq eg.: Ic searchi :
case of characters doesn't matter.
.Pp
You can combine the modifiers.
.It Ic / Ar pattern
Search for
.Ar pattern
regular expression in key names in the current keychain.
.Pp
Optional modifiers:
.Pp
.Ql \&!
suffix
.Pq eg.: Ic /\&! :
show non-matching keys.
.Pp
.Ql *
suffix
.Pq eg.: Ic /* :
search in every keychain.
.Pp
.Ql i
suffix
.Pq eg.: Ic /i :
case of characters doesn't matter.
.Pp
You can combine the modifiers.
.It Ic near Ar index Op context
Display the keyname of key at
.Ar index
position, and also print the surrounding keys' name in at most
.Ar context
vicinity.
Only the keys' names and index numbers get displayed.
.It Ic csearch Ar string
Search for
.Ar string
in keychain names.
.Pp
Optional modifiers:
.Pp
.Ql \&!
suffix
.Pq eg.: Ic csearch\&! :
show non-matching keychains.
.Pp
.Ql i
suffix
.Pq eg.: Ic csearchi :
case of characters doesn't matter.
.Pp
You can combine the modifiers.
.It Ic c/ Ar pattern
Search for
.Ar pattern
regular expression in keychain names.
.Pp
Optional modifiers:
.Pp
.Ql \&!
suffix
.Pq eg.: Ic c/\&! :
show non-matching keychains.
.Pp
.Ql i
suffix
.Pq eg.: Ic c/i :
case of characters doesn't matter.
.Pp
You can combine the modifiers.
.It Ic c Ar keychain
Change the current keychain.
.Ar keychain
can be the keychain's index number or name.
Index number takes priority when addressing a keychain.
.Pp
.Pq see command Ic cc
.It Ic cc Ar keychain_name
Works like
.Ic c ,
but the keychain's name takes priority over its index number.
.Pp
.Pq see command Ic c
.It Ic cdel Ar keychain
Delete a keychain.
.Ar keychain
can be the keychain's index number or name.
Index number takes priority when addressing a keychain.
.Pp
.Pq see command Ic ccdel
.It Ic ccdel Ar keychain_name
Works like
.Ic cdel ,
but the keychain's name takes priority over its index number.
.Pp
.Pq see command Ic cdel
.It Ic clear Op count
Emulate a screen clearing.
Scrolls 100 lines by default, which can be multiplied by
.Ar count
times if specified.
.It Ic clist
List all keychain names and their descriptions.
Every keychain gets prefixed by its index number.
.It Ic cls
Alias of
.Ic clist .
.It Ic cnew Op name
Create a new keychain.
If
.Ar name
is not given then prompt for one.
.It Ic cedit
Edit the current keychain's name and description.
.It Ic copy Ar index Ar keychain
Copy a key from the current keychain to another keychain.
.Ar index
is the key's index number to copy and
.Ar keychain
is the destination keychain's index number or name.
Index number takes priority when addressing a keychain.
.It Ic cp Ar index Ar keychain
Alias of
.Ic copy .
.It Ic move Ar index Ar keychain
Move a key from the current keychain to another keychain.
.Ar index
is the key's index number to move and
.Ar keychain
is the destination keychain's index number or name.
Index number takes priority when addressing a keychain.
.It Ic mv Ar index Ar keychain
Alias of
.Ic move .
.It Ic del Ar index
Delete a key.
.Ar index
is the key's index number in the current keychain.
.It Ic rm Ar index
Alias of
.Ic del .
.It Ic passwd Op Fl A Ar key-type,key-comment Op ,password Op Fl Y Ar Key-slot,Device-index|Serial-number Op ,password Op Fl P Ar kdf Op Fl K Ar key length Op Fl R Ar kdf iterations Op Fl e Ar cipher Op Fl m Ar cipher mode
Change the database password or SSH public key identity being used to encrypt.
Optionally, SSH key, security key information, KDF, key length, KDF iterations,
cipher and cipher mode can also be changed.
All changes will be written immediately.
.Pp
More information about the
.Ar kdf ,
.Ar cipher ,
.Ar cipher mode
optional arguments are in their respective command line parameter description
and the KDF and CIPHERS sections of this manual.
.It Ic help Op command
Print application help or describe a
.Ar command .
.It Ic status
Display information about the database.
.It Ic export Fl k Ar filename Op Fl A Ar key-type,key-comment Op ,password Op Fl Y Ar Key-slot,Device-index|Serial-number Op ,password Op Fl P Ar kdf Op Fl K Ar key length Op Fl R Ar kdf iterations Op Fl e Ar cipher Op Fl m Ar cipher mode Op Fl c Ar keychain
Export the database to a
.Nm
compatible encrypted database file named
.Ar filename
(if no extension specified, ".kcd" will be appended).
.Pp
Optional arguments
.Ar kdf ,
.Ar cipher
and
.Ar cipher mode
can be used to specify a different KDF, encryption cipher and cipher mode to be
used while exporting the database.
This doesn't change the current database's parameters, but when importing this
exported database, the parameters in use must be the same
.Po or specified explicitly when using the
.Ic import
command
.Pc .
.Pp
When specifying
.Ar keychain ,
export only that keychain.
.Ar keychain
can be the keychain's index number or name.
Index number takes priority when addressing a keychain.
.Pp
.Po see commands
.Ic dump ,
.Ic import ,
.Ic append
.Pc
.It Ic dump Fl k Ar filename Op Fl c Ar keychain
Dump the database to a
.Nm
compatible XML file named
.Ar filename
(if no extension specified, ".xml" will be appended).
.Pp
When specifying a keychain, dump only that keychain to the XML file.
.Ar keychain
can be the keychain's index number or name.
Index number takes priority when addressing a keychain.
.Pp
.Em NOTE :
the created XML file will be plain text.
.Pp
.Pq see command Ic export
.It Ic import Fl k Ar filename Op Fl A Ar key-type,key-comment Op ,password Op Fl Y Ar Key-slot,Device-index|Serial-number Op ,password Op Fl P Ar kdf Op Fl K Ar key length Op Fl R Ar kdf iterations Op Fl e Ar cipher Op Fl m Ar cipher mode Op Fl o
Import and overwrite the current database with the one from a
.Nm
compatible encrypted database file named
.Ar filename .
.Ar filename
must be a proper
.Nm
database.
.Pp
The
.Ar SSH key ,
.Ar Security key information ,
.Ar kdf ,
.Ar key length ,
.Ar kdf iterations ,
.Ar encryption cipher
and
.Ar cipher mode
optional arguments can be used to specify these parameters if they differ from
the current database's.
.Pp
With the
.Fl o
option you can import legacy (<v2.5) databases with missing attributes.
.Pp
.Po see commands
.Ic importxml ,
.Ic export ,
.Ic append
.Pc
.It Ic importxml Fl k Ar filename Op Fl o
Import and overwrite the current database with the one from a
.Nm
compatible XML file named
.Ar filename .
.Ar filename
must contain a properly formatted
.Nm
XML document.
.Pp
With the
.Fl o
option you can import legacy (<v2.5) XML files with missing attributes.
.Pp
.Po see commands
.Ic import ,
.Ic export ,
.Ic append
.Pc
.It Ic append Fl k Ar filename Op Fl A Ar key-type,key-comment Op ,password Op Fl Y Ar Key-slot,Device-index|Serial-number Op ,password Op Fl P Ar kdf Op Fl K Ar key length Op Fl R Ar kdf iterations Op Fl e Ar cipher Op Fl m Ar cipher mode Op Fl o
Append new and merge existing keychains to the database from a
.Nm
compatible encrypted database file named
.Ar filename .
.Ar filename
must be a proper
.Nm
database.
.Pp
See command
.Ic import
for description of parameters.
.Pp
See the
.Em LIMITS
section for information about how
.Nm
deals with limits reached while appending.
.Pp
.Po see commands
.Ic appendxml ,
.Ic export ,
.Ic import
.Pc
.It Ic appendxml Fl k Ar filename Op Fl o
Append new and merge existing keychains to the database from a
.Nm
compatible XML file named
.Ar filename .
.Ar filename
must contain a properly formatted
.Nm
XML document.
.Pp
With the
.Fl o
option you can import legacy (<v2.5) databases with missing attributes.
.Pp
See the
.Em LIMITS
section for information about how
.Nm
deals with limits reached while appending.
.Pp
.Po see commands
.Ic append ,
.Ic export ,
.Ic import
.Pc
.It Ic info Op index
Print information about a key in the current keychain or the keychain itself.
If
.Ar index
is specified, it is the key's index number in the current keychain.
If omitted, information is about the current keychain.
.It Ic quit
Quit the program.
If the database has been modified, then ask if it should be saved.
.It Ic exit
Alias of
.Ic quit .
.It Ic tmux Ar index Op line
Copy the value of
.Ar index
to tmux's paste buffer.
.Ar index
is the key's index number in the current keychain.
.Ar line
can be used to specify the line number to copy, if
.Ar index
is a multiline value (defaults to 1).
This will try to execute the
.Xr tmux 1
binary with the
.Em set-buffer
command passing the
.Em value
as its parameter.
.Pp
Check the
.Em CAVEATS
section about the clipboard commands.
.It Ic Xclip Ar index Op line
.It Ic xclip Ar index Op line
Copy the value of
.Ar index
to the CLIPBOARD
.Po aka.: CTRL+c - CTRL+v
.Pc or PRIMARY X11 selection
.Po ie.: middle mouse button
.Pc , depending on the first
.Sq x
character's case, respectively.
.Ar index
is the key's index number in the current keychain.
.Ar line
can be used to specify the line number to copy, if
.Ar index
is a multiline value
.Po defaults to 1
.Pc .
.Pp
These will try to execute the
.Xr xclip 1
binary, piping the
.Em value
to its standard input.
.Pp
Check the
.Em CAVEATS
section about the clipboard commands.
.It Ic version
Display the program version.
.It Ic write
Save the database.
.It Ic save
Alias of
.Ic write .
.It Ic any number
To display a key's value, enter the key's index
.Po i.e. only a number
.Pc on the command line; the entry with the given index is then displayed.
You quit from the display with
.Ql q
or EOT
.Po usually CTRL+d
.Pc .
.Pp
One rarely needs to actually look at the stored passwords; there are
convenient commands for copying them instead
.Po Ic Xclip , xclip , tmux
.Pc .
.Pp
By specifying another number after the index
.Po eg.: '12 2' \(em here 12 is the index, and 2 is the extra number
.Po spice
.Pc after it
.Pc , that many random characters will be displayed between the value's characters.
You can navigate up/down through a multiline value's lines with keys j/k, n/p,
f/b, +/-, [/], {/}, </>, <SPACE>, <ENTER>, <BACKSPACE>.
Typing a number between 1-9 will jump directly to that line.
.Pp
It is possible to copy the displayed value to a clipboard
.Po or such
.Pc with these hotkeys:
.Bl -tag -offset ||| -width |
.It t
Copy the value to the tmux paste buffer like the
.Ic tmux
.Nm
command.
.It x
Copy the value to the PRIMARY X selection like the
.Ic xclip
.Nm
command.
.It X
Copy the value to the CLIPBOARD X selection like the
.Ic Xclip
.Nm
command.
.El
.Pp
Check the
.Em CAVEATS
section about the clipboard commands.
.Pp
Perhaps the extra number
.Po spice
.Pc after a key's index and its usefulness can use some further explanation.
Let's say you want to display a password to use it on a website's form, but you
don't want the people walking by or around you to recognize words, numbers or
parts of it.
You can use this nifty "trick" to tell
.Nm
to display that many random characters between the value's original characters
when showing it to you.
Granted, it will look like a mess
.Po although, that is what we wanted
.Pc , but you
can copy-paste it to the password entry in the website form in question.
Then you can start to "blindly" delete the given number of characters from it
by moving your cursor to the beginning
.Po eg.: HOME key
.Pc , pressing 'spice'
numbers of DEL, then jump over one character to the right
.Po with the right arrow key
.Pc , then delete the random characters again, then repeating this until you
reach the end of your original password
.Po those who played Mortal Kombat will feel a bit nostalgic
.Pc .
You can catch on to this, because the random character padding is of fixed
length, so the pattern remains the same for the whole password.
You don't even have to pay attention to the original length of the password,
because after you've completed the pattern
.Po DELs-move-DELs-move...
.Pc and removed
the spice
.Po ie.: every padding random character
.Pc , you end up with your original
password, and you'll just be deleting nothing after the end of the string.
This of course only makes sense if the form is a password input field, so you
.Po and everybody else
.Pc just see stars or dots in place of the password.
.El
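.Pp
The following is an added example, not code from kc, that models two of the
value-handling behaviours described above: the backslash sequences that the
.Ic new
and
.Ic edit
commands expand in a value, and the spice padding shown when a key's index is
entered together with an extra number, including the delete-and-step recipe
for removing it again.
The function names, the random source, the way a doubled backslash is kept and
the placement of the padding in front of each character are the example's
assumptions.
.Pp
```python
import random
import string

# Alphabets for the random substitutions listed under the 'new' command.
PRINTABLE = [c for c in string.printable if c not in string.whitespace]
ALNUM = string.ascii_letters + string.digits

# Sequence letter -> (how many random characters, from which alphabet);
# None marks the newline sequence.
SEQUENCES = {"n": None, "r": (2, PRINTABLE), "R": (4, PRINTABLE),
             "a": (2, ALNUM), "A": (4, ALNUM)}


def seeded_rng(seed):
    """Deterministic generator for tests and demos only; real values should
    come from random.SystemRandom() (the default below)."""
    return random.Random(seed)


def expand_value(raw, rng=None):
    """Expand the \\n, \\r, \\R, \\a and \\A sequences in a value the way the
    manual describes for 'new' and 'edit'. A doubled backslash escapes a
    sequence ('\\\\a' stays as the two characters '\\a'; that reading of the
    manual's example is an assumption). `rng` is injectable so the example
    can be tested; by default a system CSPRNG is used."""
    rng = rng or random.SystemRandom()
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "\\" and i + 2 < len(raw) and raw[i + 2] in SEQUENCES:
                out.append("\\" + raw[i + 2])     # escaped: keep literally
                i += 3
                continue
            if nxt in SEQUENCES:
                spec = SEQUENCES[nxt]
                if spec is None:
                    out.append("\n")
                else:
                    count, alphabet = spec
                    out.append("".join(rng.choice(alphabet) for _ in range(count)))
                i += 2
                continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def spice(value, n, rng=None):
    """Display form used for '<index> <spice>': n random printable characters
    are shown in front of every character of the value. Padding before each
    character matches the manual's removal recipe (DEL n times, step right
    once, repeat)."""
    rng = rng or random.SystemRandom()
    return "".join("".join(rng.choice(PRINTABLE) for _ in range(n)) + c for c in value)


def unspice(display, n):
    """The manual's recipe applied to a pasted, spiced value: starting at the
    beginning, delete n characters, skip one, repeat. Works without knowing
    the original length because the padding is of fixed size."""
    out, i = [], 0
    while i < len(display):
        i += n                      # the n DEL presses remove the padding
        if i < len(display):
            out.append(display[i])  # the right-arrow keeps this original char
        i += 1
    return "".join(out)


if __name__ == "__main__":
    rng = seeded_rng(1)   # fixed seed only so the demo is reproducible
    print(repr(expand_value("user\\nhunter\\R", rng)))
    shown = spice("Tr0ub4dor&3", 2, rng)
    print(shown, "->", unspice(shown, 2))
```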
.Ss CIPHERS
Databases are encrypted with the AES-256 cipher in CBC mode, if another cipher
and mode was not specified explicitly
.Po see the
.Fl e
and
.Fl m
options
.Pc .
Ciphers use a key generated with a KDF from the user-supplied password
.Po and optionally a signature from an SSH agent or an HMAC response from a YubiKey
.Pc , and an IV
.Po initialization vector
.Pc that is read from the host's random device when the database is first created
.Po Pa /dev/urandom on Linux and
.Pa /dev/random on everything else
.Pc .
.Pp
To change the encryption cipher and/or its mode, you can use the
.Ic passwd
or
.Ic export
command.
.Pp
See also the
.Em CAVEATS
section.
.Ss KDF
The KDF
.Po key derivation function
.Pc converts the constructed password
.Po either directly from the user input or after being treated with one of the
relevant functions like an SSH agent or a security key
.Pc with a generated salt to a strong key that can be used safely during
encryption.
.Pp
Every SHA-* based PBKDF2 function uses 100000 iterations and the bcrypt KDF
uses 36 rounds by default.
If you're using
.Nm
on old enough
.Po quite old
.Pc hardware, you might find that these numbers are too high, or in other
words, that opening a database takes too much time.
See option
.Fl R
if you really think you should change this.
And remember, after saving/exporting a database with a certain number of KDF
rounds or iterations, you must use the same number when trying to open it.
.Pp
On changing the KDF being used, see the
.Ic passwd
command and the
.Fl P
option.
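.Pp
As an added example, not kc's own code, here is the default PBKDF2 path from
above in Python's standard library: PBKDF2-HMAC-SHA512 with 100000 iterations
and a 32-byte key, with the
.Fl K
range check, a check that a database saved with one
.Fl R
value only reopens with the same value, and a timing helper for judging the
iteration count on slow hardware.
The 16-byte salt length and the function names are assumptions of the example.
.Pp
```python
import hashlib
import os
import time

DEFAULT_ITERATIONS = 100000   # the SHA-* PBKDF2 default stated in the manual
DEFAULT_KEY_LEN = 32          # bytes (256 bits); -K accepts 16..32

# The two PBKDF2 variants of the -P option, mapped to hashlib digest names.
KDF_DIGESTS = {"sha512": "sha512", "sha3": "sha3_512"}


def derive_key(password, salt, kdf="sha512",
               iterations=DEFAULT_ITERATIONS, key_len=DEFAULT_KEY_LEN):
    """PBKDF2-HMAC over the constructed password and the database salt."""
    if kdf not in KDF_DIGESTS:
        raise ValueError("this example only covers the PBKDF2 variants")
    if not 16 <= key_len <= 32:
        raise ValueError("key length must be between 16 and 32 bytes")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac(KDF_DIGESTS[kdf], password, salt, iterations, dklen=key_len)


def new_salt(length=16):
    """Fresh salt for a new database (assumption: the manual says the salt is
    stored in the database but does not state its length)."""
    return os.urandom(length)


def reopen_matches(password, salt, saved_iterations, opening_iterations):
    """Whether a database saved with one -R value decrypts with another:
    the keys match only when the iteration counts match."""
    return (derive_key(password, salt, iterations=saved_iterations)
            == derive_key(password, salt, iterations=opening_iterations))


def time_kdf(iterations=DEFAULT_ITERATIONS):
    """Seconds one derivation takes on this host; the manual's reason for
    offering -R on slow hardware."""
    start = time.perf_counter()
    derive_key(b"timing-only", b"\x00" * 16, iterations=iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = new_salt()
    print(derive_key(b"correct horse", salt).hex())
    print("same -R:", reopen_matches(b"correct horse", salt, 100000, 100000))
    print("different -R:", reopen_matches(b"correct horse", salt, 100000, 50000))
    print("%.2fs per derivation" % time_kdf())
```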
.Ss PASSWORDS
Although
.Nm
uses a key generated with a KDF to encrypt
.Po and decrypt
.Pc
a database, one of the inputs of that is usually
.Po but not necessarily
.Pc
a user-supplied password.
There are currently a couple of options to consider when deciding how to create
and/or use a database.
.Bl -tag -width |
.It A single password
Most simple one
.Po doesn't need any specific parameter to be specified
.Pc , just type in a password when creating a database and use the same one
when opening it.
Old school.