# /etc/custodia/custodia.conf

[DEFAULT]
libdir = /var/lib/custodia
logdir = /var/log/custodia
rundir = /var/run/custodia

[global]
debug = true
server_socket = ${rundir}/custodia.sock
auditlog = ${logdir}/audit.log

[store:sqlite]
handler = SqliteStore
dburi = ${libdir}/secrets.db
table = secrets

[store:encrypted_sqlite]
handler = EncryptedOverlay
backing_store = sqlite
master_key = ${libdir}/secrets.key
master_enctype = A128CBC-HS256
autogen_master_key = true

[auth:creds]
handler = SimpleCredsAuth
uid = root
gid = root

[authz:paths]
handler = SimplePathAuthz
paths = /. /secrets

[/]
handler = Root

[/secrets]
handler = Secrets
store = encrypted_sqlite