Provided by: kxd_0.15-3_amd64 bug

NAME

       kxd - Key exchange daemon

SYNOPSIS

       kxd [options...]

DESCRIPTION

       kxd is a key exchange daemon, which serves blobs of data (keys) over https.

       It can be used to get keys remotely instead of using local storage.  The main use case is
       to get keys to open dm-crypt devices automatically, without having to store them on the
       local machine.

SETUP

       The server configuration is stored in a root directory (/etc/kxd/data/ by default), and
       within there, with per-key directories (e.g.  /etc/kxd/data/host1/key1/), each containing
       the following files:

       key     Contains the key to give to the client.

       allowed_clients
               Contains one or more PEM-encoded client certificates that will be allowed to
               request the key. If not present, then no clients will be allowed to access this
               key.

       allowed_hosts
               Contains one or more host names (one per line). If not present, then all hosts
               will be allowed to access that key (as long as they are authorized with a valid
               client certificate).

       email_to
               Contains one or more email destinations to notify (one per line).  If not present,
               then no notifications will be sent upon key accesses.

OPTIONS

       --key=file
               Private key to use (in PAM format). Defaults to /etc/kxd/key.pem.

       --cert=file
               Certificate to use (in PAM format); must match the given key. Defaults to
               /etc/kxd/cert.pem.

       --data_dir=directory
               Data directory, where the key and configuration live (see the SETUP section
               above). Defaults to /etc/kxd/data.

       --ip_addr=ip-address
               IP address to listen on. Defaults to all.

       --logfile=file
               File to write logs to, use "-" for stdout. By default, the daemon will log to
               syslog.

       --port=port
               Port to listen on. The default port is 19840.

       --email_from=email-address
               Email address to send email from.

       --smtp_addr=host:port
               Address of the SMTP server to use to send emails. If none is given, then emails
               will not be sent.

       --hook=file
               Script to run before authorizing keys. Skipped if it doesn't exist. Defaults to
               /etc/kxd/hook.

FILES

       /etc/kxd/key.pem
               Private key to use (in PAM format).

       /etc/kxd/cert.pem
               Certificate to use (in PAM format); must match the given key.

       /etc/kxd/hook
               Script to run before authorizing keys. Skipped if it doesn't exist.

       /etc/kxd/data/
               Data directory, where the keys and their configuration live.

CONTACT

       Main website <https://blitiri.com.ar/p/kxd>.

       If you have any questions, comments or patches please send them to
       "albertito@blitiri.com.ar".

SEE ALSO

       kxc(1), kxc-cryptsetup(1).

                                            2019-08-10                                     kxd(1)