NAME¶

shib-seckeygen - Rotate the keys of a Versioned DataSealer

SYNOPSIS¶

shib-seckeygen [-o output-dir] [-f filename] [-h history-length] [-b key-size] [-u user] [-g group]

DESCRIPTION¶

The Versioned <DataSealer> type is designed for production use and obtains its key material from a simple flat file that allows a history of several keys to be kept to decrypt older data and continuously rotate the encryption key on a regular basis, usually daily.

The flat file format consists of lines of the form <name>:<key>, where the name is typically a number for record keeping but can be any label, and the key is base64-encoded. The key length dictates which AES-GCM algorithm is used, among the supported key sizes (128,192,256). The "default" key used for new operations is the last line in the file.

This script provides a simple means of rotating the key, and the Service Provider software will typically detect when the file changes and reload it.

OPTIONS¶

-b key-size: Number of random bits in the newly generated key. See above for the supported sizes. The default is 128.
-g group: Change the group ownership of the key file to this group. The default is "_shibd".
-h history-length: The maximum number of keys to keep in the file. The default is 14.
-f filename: The name of the file containing the keys in output-dir. The default is "sealer.keys".
-o output-dir: The key file and a temporary key file are created in this directory. The default is "/etc/shibboleth".
-u user: Change the ownership of the key file to this user. The default is "_shibd".

FILES¶

/etc/shibboleth/sealer.keys: The default key file rotated by this script.

AUTHOR¶

This manual page was written by Ferenc Wágner for Debian GNU/Linux using the text on https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer.

COPYRIGHT¶

2021-05-04

3.2.2

Source file:	shib-seckeygen.8.en.gz (from shibboleth-sp-utils 3.2.2+dfsg1-1~bpo10+1)
Source last updated:	2021-05-04T12:26:47Z
Converted to HTML:	2021-05-16T03:11:55Z