• -h: Display help.
• -v: Display ZeroTier One version.
• -U: Skip privilege check and allow to be run by non-privileged user. This is typically used when zerotier-one is built with the network controller option included. In this case the ZeroTier service might only be acting as a network controller and might never actually join networks, in which case it does not require elevated system permissions.
• -p<port>: Specify a different primary port. If this is not given the default is 9993. If zero is given a random port is chosen each time.
• -d: Fork and run as a daemon.
• -i: Invoke the zerotier-idtool personality, in which case the binary behaves like zerotier-idtool(1). This happens automatically if the name of the binary (or a symlink to it) is zerotier-idtool.
• -q: Invoke the zerotier-cli personality, in which case the binary behaves like zerotier-cli(1). This happens automatically if the name of the binary (or a symlink to it) is zerotier-cli.

$ sudo zerotier-one -d

$ sudo zerotier-one -d -p12345 /tmp/zerotier-working-directory-test

• identity.public: The public portion of your ZeroTier identity, which is your 10-digit hex address and the associated public key.
• identity.secret: Your full ZeroTier identity including its private key. This file identifies the system on the network, which means you can move a ZeroTier address around by copying this file and you should back up this file if you want to save your system's static ZeroTier address. This file must be protected, since theft of its secret key will allow anyone to impersonate your device on any network and decrypt traffic. For network controllers this file is particularly sensitive since it constitutes the private key for a certificate authority for the controller's networks.
• authtoken.secret: The secret token used to authenticate requests to the service's local JSON API. If it does not exist it is generated from a secure random source on service start. To use, send it in the "X-ZT1-Auth" header with HTTP requests to 127.0.0.1:<primary port>.
• devicemap: Remembers mappings of zt# interface numbers to ZeroTier networks so they'll persist across restarts. On some systems that support longer interface names that can encode the network ID (such as FreeBSD) this file may not be present.
• zerotier-one.pid: ZeroTier's PID. This file is deleted on normal shutdown.
• zerotier-one.port: ZeroTier's primary port, which is also where its JSON API is found at 127.0.0.1:<this port>. This file is created on startup and is read by zerotier-cli(1) to determine where it should find the control API.
• controller.db: If the ZeroTier One service is built with the network controller enabled, this file contains the controller's SQLite3 database.
• controller.db.backup: If the ZeroTier One service is built with the network controller enabled, it periodically backs up its controller.db database in this file (currently every 5 minutes if there have been changes). Since this file is not a currently in use SQLite3 database it's safer to back up without corruption. On new backups the file is rotated out rather than being rewritten in place.
• iddb.d/ (directory): Caches the public identity of every peer ZeroTier has spoken with in the last 60 days. This directory and its contents can be deleted, but this may result in slower connection initations since it will require that we go out and re-fetch full identities for peers we're speaking to.
• networks.d (directory): This caches network configurations and certificate information for networks you belong to. ZeroTier scans this directory for <network ID>.conf files on startup to recall its networks, so "touch"ing an empty <network ID>.conf file in this directory is a way of pre-configuring ZeroTier to join a specific network on startup without using the API. If the config file is empty ZeroTIer will just fetch it from the network's controller.