.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
.
.\"--------------------------------------------------------------------------
-.so ../defs.man.in \" @@@PRE@@@
+.so ../common/defs.man \" @@@PRE@@@
.
.\"--------------------------------------------------------------------------
-.TH tripe-keys.conf 5 "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
+.TH tripe-keys.conf 5tripe "14 September 2005" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.
.\"--------------------------------------------------------------------------
.SH "NAME"
Additional options for generating master keys. Default is
.RB ` -l '.
.TP
+.I master-attrs
+Additional attributes to set on the master key,
+as
+.IB key = value
+pairs separated by spaces.
+Default is empty.
+.TP
.I hk-master
The fingerprint of the current master signing key. No default. Usually
set up automatically.
.B ec
(elliptic curves). The default is
.BR dh .
+.ne 9
+.TP
+.I kx-genalg
+Key generation algorithm name to pass to
+.B "key add"
+when generating keys.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-genalg
+_
+dh dh
+ec ec
+x25519 x25519
+x448 x448
+_
+.TE
+.ne 9
+.TP
+.I kx-param-genalg
+Key generation algorithm name to pass to
+.B "key add"
+when generating the parameters key.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-param-genalg
+_
+dh dh-param
+ec ec-param
+x25519 empty
+x448 empty
+_
+.TE
+.ne 9
.TP
.I kx-param
Options to pass to
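Review bot: In the kx-param-genalg table, the x25519 and x448 rows give the default as bare "empty", which the "lb" column format sets in bold exactly like the literal values "dh-param" and "ec-param", so it reads as an algorithm actually named "empty" to pass to key add. The kx-param and kx-attrs tables in this same patch mark the equivalent cells with \fInone and \fIempty; using \fIempty here would make it clear that no algorithm name is given. The entry should also say whether a parameters key is generated at all for these kx values, since the text still says the name is passed to key add "when generating the parameters key".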
_
kx kx-param
_
-dh \-LS \-b2048 \-B256
+dh \-LS \-b3072 \-B256
ec \-Cnist-p256
+x25519 \fInone
+x448 \fInone
+_
+.TE
+.ne 9
+.TP
+.I kx-attrs
+Additional attributes to set on the parameters
+(and therefore copied to peer keys),
+as
+.IB key = value
+pairs separated by spaces.
+Default depends on
+.I kx
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx kx-attrs
+_
+dh serialization=constlen
+ec serialization=constlen
+x25519 \fIempty
+x448 \fIempty
_
.TE
.TP
.I kx-expire
Expiry time for generated keys. Default is
-.BR "now + 1 day" .
+.BR "now + 1 year" .
.TP
.I hash
Hashing algorithm to use. Default is
.BR sha256 .
.TP
+.I bulk
+The bulk crypto transform to use.
+Default is
+.BR iiv .
+.ne 8
+.TP
.I mac
-Message authentication algorithm to use. Default is
-.IB hash -hmac/ halfhashlen \fR,
-where
+Message authentication algorithm to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk mac
+_
+v0 \fIhash\fB-hmac/\fIhalfhashlen
+iiv \fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc
+naclbox poly1305/128
+_
+.TE
+.IP
+(In the above,
.I halfhashlen
is half of
.IR hash 's
-output length.
+output length.)
.TP
.I mgf
Mask-generation algorithm to use. Default is
.IB hash -mgf \fR.
This is probably a good choice.
+.ne 7
.TP
.I cipher
-Symmetric encryption scheme to use. Default is
-.BR blowfish-cbc .
+Symmetric encryption scheme to use.
+Default depends on
+.I bulk
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+bulk cipher
+_
+v0 rijndael-cbc
+iiv rijndael-cbc
+naclbox chacha20
+_
+.TE
+.ne 8
.TP
.I sig
Signature scheme to use. Must be one of those recognized by
.BR catsign (1).
-Default is
-.B dsa
-if
+Default depends on
.I kx
-is
-.BR dh ,
-or
-.B ecdsa
-if
-.I kx
-is
-.BR ec .
+as follows.
+.TS
+center;
+| ci | ci |
+| lb | lb |.
+_
+kx sig
+_
+dh dsa
+ec ecdsa
+x25519 ed25519
+x448 ed448
+_
+.TE
+.ne 12
.TP
.I sig-genalg
Key-generation algorithm for signing key. Default depends on
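Review bot: In the mac defaults table, the iiv row reads "\fIhash\fB-hmac/\fIhalfhashlenrijndael-cbc", which differs from the v0 row only by a trailing "rijndael-cbc" that looks like the cipher default pasted onto the end of the cell. The font is still italic at that point, so the page would show a MAC name ending in "halfhashlenrijndael-cbc". If the iiv default MAC is the same as for v0, drop the suffix; if rijndael-cbc really belongs in this cell, it needs a separator and a sentence explaining its role. Separately, the new bulk entry states only its default (iiv); the values v0, iiv and naclbox appear only as rows of the mac and cipher tables, so listing them under bulk would save the reader from inferring them.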
rsapss rsa
ecdsa ec
eckcdsa ec
+ed25519 ed25519
+ed448 ed448
_
.TE
+.ne 10
.TP
.I sig-param
Signature-key generation parameters. Default depends on
_
sig-genalg sig-param
_
-dh \-LS \-b2048 \-B256
-dsa \-b2048 \-B256
-rsa \-b2048
+dh \-LS \-b3072 \-B256
+dsa \-b3072 \-B256
+rsa \-b3072
ec \-Cnist-p256
+ed25519 \fInone
+ed448 \fInone
_
.TE
.TP
Local base directory for the repository files. This probably ought to
end in a
.RB ` / '
-character. No default.
+character. Unexpected files in this directory will be removed by the
+.B tripe-keys upload
+command. No default.
.TP
.I repos-file
Filename for local repository tarball. Default is the concatenation of
.IB repos-base .
.TP
.I sig-file
-Tempalte for repository signatures. Default is the concatenation of
+Template for repository signatures. Default is the concatenation of
.I base-dir
and
.IR sig-base .
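Review bot: The sentence added to the base directory entry, "Unexpected files in this directory will be removed by the tripe-keys upload command", does not say which files count as expected. This documents a destructive side effect, so it should state which files upload keeps (for example those named by repos-file, sig-file and conf-file, if that is the rule) and recommend a directory dedicated to the repository, so that an operator does not point it at a path holding other data.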
.I conf-file
Filename for local repository configuration file. Default is
.IB basedir /tripe-keys.conf \fR.
+.TP
+.I kx-warn-days
+The
+.B "tripe-keys check"
+command will warn about keys which will in less than
+.I kx-warn-days
+days. Default is 28.
.
.\"--------------------------------------------------------------------------
.SH "SEE ALSO"
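Review bot: The kx-warn-days description is missing its verb: "will warn about keys which will in less than kx-warn-days days" should read "keys which will expire in less than kx-warn-days days". With the kx-expire default changing to "now + 1 year" elsewhere in this patch, a cross-reference from this entry to kx-expire would also help, since the two settings together determine when an operator is told about an upcoming expiry.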