shib-seckeygen - Rotate the keys of a Versioned DataSealer
Copyright
Copyright 2018 Shibboleth Project. License: Creative Commons Attribution-ShareAlike 3.0.
3.5.0 2025-01-12 SHIB-SECKEYGEN.8(8)
Description
The Versioned <DataSealer> type is designed for production use and obtains its key material from a simple
flat file. The file holds a history of several keys, so that data sealed under an older key can still be
decrypted while the key used for new encryption is rotated on a regular basis, usually daily.
The flat file format consists of lines of the form <name>:<key>, where the name is typically a number for
record keeping but can be any label, and the key is base64-encoded. The length of the decoded key dictates
which AES-GCM variant is used, and must be one of the supported sizes (128, 192 or 256 bits). The "default"
key used for new operations is the last line in the file.
This script provides a simple means of rotating the key: a freshly generated key is appended as the new
last (default) line and the oldest entries are dropped once the history limit is reached. The Service
Provider software will typically detect when the file changes and reload it.
Files
/etc/shibboleth/sealer.keys
The default key file rotated by this script.
Name
shib-seckeygen - Rotate the keys of a Versioned DataSealer
Options
-b key-size
Number of random bits in the newly generated key. See above for the supported sizes. The default is 128.
-g group
Change the group ownership of the key file to this group. The default is "_shibd".
-h history-length
The maximum number of keys to keep in the file. The default is 14.
-f filename
The name of the file containing the keys in output-dir. The default is "sealer.keys".
-o output-dir
The key file and a temporary key file are created in this directory. The default is "/etc/shibboleth".
-u user
Change the ownership of the key file to this user. The default is "_shibd".
Synopsis
shib-seckeygen [-o output-dir] [-f filename]
[-h history-length] [-b key-size]
[-u user] [-g group]
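The following is an added example, not the Shibboleth project's own shib-seckeygen script, showing how the
rotation described in the Description and Options sections above can be carried out on a Versioned
DataSealer key file: one "<name>:<base64 key>" line per key, last line the default, history trimmed to the
requested length, and an atomic temp-file-and-rename so the SP never reads a half-written file. The
function names, the use of /dev/urandom and base64(1), and the restriction to numeric labels are
assumptions of this example; ownership is only changed when running as root.

```shell
#!/bin/sh
# Added example (not the Shibboleth shib-seckeygen script itself).
# Assumptions: POSIX sh, /dev/urandom, base64(1) supporting -d, numeric
# key labels, and root privileges for any chown.

# rotate_sealer_keys DIR FILE HISTORY BITS [USER] [GROUP]
rotate_sealer_keys() {
    dir=$1 file=$2 history=$3 bits=$4
    user=${5:-} group=${6:-}
    keyfile="$dir/$file"
    tmpfile="$dir/$file.new.$$"

    # Only the AES-GCM key sizes are accepted; anything else is refused early.
    case "$bits" in
        128|192|256) ;;
        *) echo "unsupported key size $bits: use 128, 192 or 256" >&2; return 1 ;;
    esac
    [ "$history" -ge 1 ] || { echo "history-length must be >= 1" >&2; return 1; }

    # Next label is the current last label plus one (labels are numeric here).
    last=0
    if [ -s "$keyfile" ]; then
        last=$(tail -n 1 "$keyfile" | cut -d: -f1)
    fi
    next=$((last + 1))

    # BITS/8 random bytes, base64-encoded on a single line.
    newkey=$(head -c $((bits / 8)) /dev/urandom | base64 | tr -d '\n')

    # Write a private temp file holding the newest HISTORY-1 existing keys
    # followed by the new key as the last (default) line. Older keys stay
    # available for unsealing data produced under them until they age out.
    (
        umask 077
        {
            if [ -s "$keyfile" ]; then tail -n $((history - 1)) "$keyfile"; fi
            printf '%s:%s\n' "$next" "$newkey"
        } > "$tmpfile"
    ) || return 1

    if [ -n "$user$group" ] && [ "$(id -u)" -eq 0 ]; then
        chown "${user}${group:+:$group}" "$tmpfile" || { rm -f "$tmpfile"; return 1; }
    fi
    # Atomic replace: the SP sees either the old file or the complete new one.
    mv -f "$tmpfile" "$keyfile"
}

# sealer_default_label FILE: label of the key that new sealing operations use.
sealer_default_label() {
    tail -n 1 "$1" | cut -d: -f1
}

# sealer_key_by_label FILE LABEL: base64 key for LABEL, as needed to unseal
# data produced under an older key. Fails once the label has aged out.
sealer_key_by_label() {
    line=$(grep "^$2:" "$1") || return 1
    printf '%s\n' "${line#*:}"
}

# sealer_default_key_bits FILE: decoded length of the default key in bits,
# which is what selects the AES-GCM variant (128, 192 or 256).
sealer_default_key_bits() {
    key=$(tail -n 1 "$1" | cut -d: -f2-)
    bytes=$(printf '%s' "$key" | base64 -d | wc -c | tr -d ' ')
    echo $((bytes * 8))
}

# Usage with the defaults from this man page (run as root on a real SP host):
#   rotate_sealer_keys /etc/shibboleth sealer.keys 14 128 _shibd _shibd
```

Running the rotation daily from cron with the defaults keeps two weeks of keys, so anything sealed under
a key older than the history length can no longer be unsealed; pick history-length to match the longest
lifetime of the data the sealer protects. The temp file is created with mode 0600 in the same directory
as the key file so that the final rename is atomic on the same filesystem.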
