# Notary client configuration file

This document is for power users of the [Notary client](../advanced_usage.md) who want to facilitate CLI interaction or specify custom options.

The configuration file for Notary client normally resides at `~/.notary/config.json`, but the path to a different configuration file can be specified using the `-c` or `--configFile` command line flag.

## Overview of the file

In addition to the configuration file format, please see the optional password [environment variables](#environment-variables-optional) that the Notary client can take for ease of use.

Here is a full client configuration file example; each top level JSON key is described in the section of this document that carries its name:

```json
{
  "trust_dir" : "~/.docker/trust",
  "remote_server": {
    "url": "https://my-notary-server.my-private-registry.com",
    "root-ca": "./fixtures/root-ca.crt",
    "tls_client_cert": "./fixtures/secure.example.com.crt",
    "tls_client_key": "./fixtures/secure.example.com.crt"
  }
}
```

## trust_dir section (optional)

The `trust_dir` specifies the location (as an absolute path or a path relative to the directory of the configuration file) where the TUF metadata and private keys will be stored.

This normally defaults to `~/.notary`, but specifying `~/.docker/trust` facilitates interoperability with content trust.

Note that this option can be overridden with the command line flag `--trustDir`.

## remote_server section (optional)

The `remote_server` specifies how to connect to a Notary server to download metadata updates and publish metadata changes.

Remote server example:

```json
"remote_server": {
  "url": "https://my-notary-server.my-private-registry.com",
  "root-ca": "./fixtures/root-ca.crt",
  "tls_client_cert": "./fixtures/secure.example.com.crt",
  "tls_client_key": "./fixtures/secure.example.com.crt"
}
```

| Parameter | Required | Description |
| --------- | -------- | ----------- |
| `url` | no | URL of the Notary server: defaults to `https://notary.docker.io`. This configuration option can be overridden with the command line flag `-s` or `--server`. |
| `root-ca` | no | The path to the file containing the root CA with which to verify the TLS certificate of the Notary server, for example if it is self-signed. The path is relative to the directory of the configuration file. This configuration option can be overridden with the command line flag `--tlscacert`, which would specify a path relative to the current working directory where the Notary client is invoked. |
| `tls_client_cert` | no | The path to the client certificate to use for mutual TLS with the Notary server. Must be provided along with `tls_client_key` or not provided at all. The path is relative to the directory of the configuration file. This configuration option can be overridden with the command line flag `--tlscert`, which would specify a path relative to the current working directory where the Notary client is invoked. |
| `tls_client_key` | no | The path to the client key to use for mutual TLS with the Notary server. Must be provided along with `tls_client_cert` or not provided at all. The path is relative to the directory of the configuration file. This configuration option can be overridden with the command line flag `--tlskey`, which would specify a path relative to the current working directory where the Notary client is invoked. |
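
The path and pairing rules described above, as an added pre-flight check (example code written for this page, not part of Notary). The function names, the constructed sample config and the `https` check are assumptions of the example, as is treating a leading `~` as the home directory.

```python
import json
import os
from urllib.parse import urlparse

DEFAULT_URL = "https://notary.docker.io"  # default given in the table above
DEFAULT_TRUST_DIR = "~/.notary"           # default given in the trust_dir section
PATH_KEYS = ("root-ca", "tls_client_cert", "tls_client_key")

# Constructed sample: the page's example with tls_client_key left out.
SAMPLE = """{
  "trust_dir": "~/.docker/trust",
  "remote_server": {
    "url": "https://my-notary-server.my-private-registry.com",
    "root-ca": "./fixtures/root-ca.crt",
    "tls_client_cert": "./fixtures/secure.example.com.crt"
  }
}"""

def resolve(config_dir, value):
    """Resolve a path relative to the directory of the configuration file."""
    value = os.path.expanduser(value)  # assumption: a leading ~ is the home directory
    return os.path.normpath(os.path.join(config_dir, value))  # absolute values pass through

def check_client_config(config_path, text):
    """Return (effective settings, problems) for the JSON text of a client config."""
    config_dir = os.path.dirname(os.path.abspath(config_path))
    cfg = json.loads(text)
    remote = cfg.get("remote_server", {})
    effective = {
        "trust_dir": resolve(config_dir, cfg.get("trust_dir", DEFAULT_TRUST_DIR)),
        "url": remote.get("url", DEFAULT_URL),
    }
    for key in PATH_KEYS:
        if key in remote:
            effective[key] = resolve(config_dir, remote[key])
    problems = []
    # Rule from the table: client cert and key come together or not at all.
    if ("tls_client_cert" in remote) != ("tls_client_key" in remote):
        problems.append("tls_client_cert and tls_client_key must be provided together")
    # Extra check, not from the page: flag a server URL that is not https.
    if urlparse(effective["url"]).scheme != "https":
        problems.append("remote_server.url is not https")
    return effective, problems

if __name__ == "__main__":
    settings, found = check_client_config(os.path.expanduser("~/.notary/config.json"), SAMPLE)
    print(json.dumps({"settings": settings, "problems": found}, indent=2))
```

The check only covers values read from the file; paths passed with `--tlscacert`, `--tlscert` or `--tlskey` are relative to the current working directory instead and are not resolved here.
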

## Environment variables (optional)

The following environment variables containing signing key passphrases can be used to facilitate [Notary client CLI interaction](../advanced_usage.md). If provided, these passwords will be used initially to sign TUF metadata. If the passphrase is incorrect, you will be prompted to enter the correct passphrase.

| Environment Variable         | Description                             |
| ---------------------------- | --------------------------------------- |
| `NOTARY_ROOT_PASSPHRASE`     | The root/offline key passphrase         |
| `NOTARY_TARGETS_PASSPHRASE`  | The targets (an online) key passphrase  |
| `NOTARY_SNAPSHOT_PASSPHRASE` | The snapshot (an online) key passphrase |