.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.32)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\"  diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\" ========================================================================
.\"
.IX Title "SHIB-SECKEYGEN.8 8"
.TH SHIB-SECKEYGEN.8 8 "2019-04-01" "3.0.4" "Shibboleth"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
shib\-seckeygen \- Rotate the keys of a Versioned DataSealer
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBshib-seckeygen\fR [\fB\-o\fR \fIoutput-dir\fR] [\fB\-f\fR \fIfilename\fR] [\fB\-h\fR \fIhistory-length\fR] [\fB\-b\fR \fIkey-size\fR] [\fB\-u\fR \fIuser\fR] [\fB\-g\fR \fIgroup\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fIVersioned\fR type is designed for production use and obtains its key material from a simple flat file that allows a history of several keys to be kept to decrypt older data and continuously rotate the encryption key on a regular basis, usually daily.
.PP
The flat file format consists of lines of the form :, where the name is typically a number for record keeping but can be any label, and the key is base64\-encoded. The key length dictates which AES-GCM algorithm is used, among the supported key sizes (128, 192, 256). The \*(L"default\*(R" key used for new operations is the last line in the file.
.PP
This script provides a simple means of rotating the key, and the Service Provider software will typically detect when the file changes and reload it.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-b\fR \fIkey-size\fR" 4
.IX Item "-b key-size"
Number of random bits in the newly generated key. See above for the supported sizes. The default is 128.
.IP "\fB\-g\fR \fIgroup\fR" 4
.IX Item "-g group"
Change the group ownership of the key file to this group. The default is \f(CW\*(C`_shibd\*(C'\fR.
.IP "\fB\-h\fR \fIhistory-length\fR" 4
.IX Item "-h history-length"
The maximum number of keys to keep in the file. The default is 14.
.IP "\fB\-f\fR \fIfilename\fR" 4
.IX Item "-f filename"
The name of the file containing the keys in \fIoutput-dir\fR. The default is \f(CW\*(C`sealer.keys\*(C'\fR.
.IP "\fB\-o\fR \fIoutput-dir\fR" 4
.IX Item "-o output-dir"
The key file and a temporary key file are created in this directory. The default is \f(CW\*(C`/etc/shibboleth\*(C'\fR.
.IP "\fB\-u\fR \fIuser\fR" 4
.IX Item "-u user"
Change the ownership of the key file to this user. The default is \&\f(CW\*(C`_shibd\*(C'\fR.
.SH "FILES"
.IX Header "FILES"
.IP "\fI/etc/shibboleth/sealer.keys\fR" 4
.IX Item "/etc/shibboleth/sealer.keys"
The default key file rotated by this script.
.SH "AUTHOR"
.IX Header "AUTHOR"
This manual page was written by Ferenc Wágner for Debian GNU/Linux using the text on https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018 Shibboleth Project. License: Creative Commons Attribution-ShareAlike 3.0.
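.SH "EXAMPLE"
.IX Header "EXAMPLE"
The Python below is an added illustration of the rotation behaviour described in DESCRIPTION and OPTIONS; it is not the shib\-seckeygen script shipped by the Shibboleth Project, and the Service Provider never needs it. It assumes the key file holds one name:base64key entry per line (the page elides the exact form), parses and validates those entries against the supported AES\-GCM sizes, appends a freshly generated key under the next numeric name, trims the history to the requested length so the oldest keys drop off the front, and writes the result through a temporary file in the same directory followed by an atomic rename so a reloading reader never sees a half\-written file. The sample key file contents, the function names and the `.sealer-` temp prefix are all constructed for this example.

```python
import base64
import os
import secrets
import tempfile

# Key sizes the Versioned DataSealer accepts; the byte length selects the AES-GCM variant.
SUPPORTED_KEY_BITS = (128, 192, 256)

# Constructed sample: two 128-bit keys, names are record numbers. Not real key material.
SAMPLE_KEY_FILE = (
    "1:QUFBQUFBQUFBQUFBQUFBQQ==\n"   # sixteen 0x41 bytes
    "2:QkJCQkJCQkJCQkJCQkJCQg==\n"   # sixteen 0x42 bytes
)


def parse_key_file(text):
    """Parse 'name:key' lines into [(name, raw_key_bytes)], file order preserved.

    Blank lines are skipped. Malformed lines, non-base64 keys and key lengths
    outside the supported AES-GCM sizes raise ValueError rather than being
    silently carried along into the rotated file.
    """
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name, sep, b64 = line.partition(":")
        if not sep or not name or not b64:
            raise ValueError(f"line {lineno}: expected name:base64key")
        raw = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
        if len(raw) * 8 not in SUPPORTED_KEY_BITS:
            raise ValueError(f"line {lineno}: unsupported key size {len(raw) * 8} bits")
        keys.append((name, raw))
    return keys


def default_key(text):
    """The key used for new sealing operations is the last line of the file."""
    keys = parse_key_file(text)
    if not keys:
        raise ValueError("key file holds no keys")
    return keys[-1]


def next_name(keys):
    """Numeric record names simply increment; otherwise fall back to the entry count."""
    if keys and keys[-1][0].isdigit():
        return str(int(keys[-1][0]) + 1)
    return str(len(keys) + 1)


def rotate(text, key_bits=128, history_length=14, rng=secrets.token_bytes):
    """Return new file contents with one fresh key appended and history trimmed.

    `rng` is injectable so the behaviour can be tested deterministically;
    production use keeps the default CSPRNG.
    """
    if key_bits not in SUPPORTED_KEY_BITS:
        raise ValueError(f"key size must be one of {SUPPORTED_KEY_BITS}")
    if history_length < 1:
        raise ValueError("history length must be at least 1")
    keys = parse_key_file(text)
    keys.append((next_name(keys), rng(key_bits // 8)))
    keys = keys[-history_length:]   # oldest keys fall off; newest stays last (the default)
    return "".join(f"{name}:{base64.b64encode(raw).decode('ascii')}\n" for name, raw in keys)


def rotate_file(path, key_bits=128, history_length=14):
    """Rotate the key file on disk via a temp file in the same directory plus an atomic rename."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            old = fh.read()
    except FileNotFoundError:
        old = ""                     # first run: start an empty history
    new = rotate(old, key_bits, history_length)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".sealer-", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write(new)
        os.chmod(tmp, 0o600)         # key material: owner-only before it becomes visible
        os.replace(tmp, path)        # atomic on POSIX; readers see old or new, never partial
    except BaseException:
        os.unlink(tmp)
        raise
    return new
```

With the defaults of daily rotation and a history length of 14, data sealed up to two weeks ago remains decryptable while anything older is deliberately unreadable; shortening the history shortens that window, and the ownership options of the real script (which this example does not reproduce) exist so the file stays readable only by the daemon's user and group.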