.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "SHIB-SECKEYGEN.8 8"
.TH SHIB-SECKEYGEN.8 8 2024-03-29 3.4.1 Shibboleth
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
shib\-seckeygen \- Rotate the keys of a Versioned DataSealer
.SH SYNOPSIS
.IX Header "SYNOPSIS"
\&\fBshib-seckeygen\fR [\fB\-o\fR \fIoutput-dir\fR] [\fB\-f\fR \fIfilename\fR] [\fB\-h\fR \fIhistory-length\fR] [\fB\-b\fR \fIkey-size\fR] [\fB\-u\fR \fIuser\fR] [\fB\-g\fR \fIgroup\fR]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fIVersioned\fR type is designed for production use and obtains its key
material from a simple flat file that allows a history of several keys to be
kept to decrypt older data and continuously rotate the encryption key on a
regular basis, usually daily.
.PP
The flat file format consists of lines of the form \fIname\fR:\fIkey\fR, where
the name is typically a number for record keeping but can be any label, and the
key is base64\-encoded. The key length dictates which AES-GCM algorithm is used,
among the supported key sizes (128, 192, 256). The "default" key used for new
operations is the last line in the file.
.PP
This script provides a simple means of rotating the key, and the Service
Provider software will typically detect when the file changes and reload it.
.SH OPTIONS
.IX Header "OPTIONS"
.IP "\fB\-b\fR \fIkey-size\fR" 4
.IX Item "-b key-size"
Number of random bits in the newly generated key. See above for the supported
sizes. The default is 128.
.IP "\fB\-g\fR \fIgroup\fR" 4
.IX Item "-g group"
Change the group ownership of the key file to this group. The default is
\f(CW\*(C`_shibd\*(C'\fR.
.IP "\fB\-h\fR \fIhistory-length\fR" 4
.IX Item "-h history-length"
The maximum number of keys to keep in the file. The default is 14.
.IP "\fB\-f\fR \fIfilename\fR" 4
.IX Item "-f filename"
The name of the file containing the keys in \fIoutput-dir\fR. The default is
\f(CW\*(C`sealer.keys\*(C'\fR.
.IP "\fB\-o\fR \fIoutput-dir\fR" 4
.IX Item "-o output-dir"
The key file and a temporary key file are created in this directory. The
default is \f(CW\*(C`/etc/shibboleth\*(C'\fR.
.IP "\fB\-u\fR \fIuser\fR" 4
.IX Item "-u user"
Change the ownership of the key file to this user. The default is
\&\f(CW\*(C`_shibd\*(C'\fR.
.SH FILES
.IX Header "FILES"
.IP \fI/etc/shibboleth/sealer.keys\fR 4
.IX Item "/etc/shibboleth/sealer.keys"
The default key file rotated by this script.
.SH AUTHOR
.IX Header "AUTHOR"
This manual page was written by Ferenc Wágner for Debian GNU/Linux using the
text on https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018 Shibboleth Project.
License: Creative Commons Attribution-ShareAlike 3.0.
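.PP
The key file format and the rotation described above, as an added Python example that is not the shib\-seckeygen script itself nor any Shibboleth code: it parses a sealer.keys file, rejects keys that are not 128, 192 or 256 bits, appends a fresh key under the next numeric label, trims the file to the history length so the new key becomes the default last line, and writes through a temporary file in the same directory. The function names, the .tmp suffix and the numeric-label rule are assumptions.

```python
import base64
import os
import secrets
from pathlib import Path

# Decoded key length selects the AES-GCM variant; the page lists 128, 192, 256 bits.
VALID_KEY_BYTES = {16, 24, 32}


def parse_sealer_keys(text):
    """Parse 'name:base64key' lines in file order; the last entry is the default key."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name, sep, b64 = line.partition(":")
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected name:key")
        key = base64.b64decode(b64, validate=True)  # rejects non-base64 junk
        if len(key) not in VALID_KEY_BYTES:
            raise ValueError(f"line {lineno}: {len(key) * 8}-bit key not in 128/192/256")
        keys.append((name, key))
    return keys


def rotate(text, key_bits=128, history_length=14):
    """Append a fresh random key (assumed label: highest numeric label + 1) and keep
    only the newest history_length entries, so the new key becomes the default."""
    if key_bits not in (128, 192, 256):
        raise ValueError("key size must be 128, 192 or 256 bits")
    keys = parse_sealer_keys(text)
    numeric = [int(n) for n, _ in keys if n.isdigit()]
    keys.append((str(max(numeric, default=0) + 1), secrets.token_bytes(key_bits // 8)))
    keys = keys[-history_length:]
    return "".join(f"{n}:{base64.b64encode(k).decode()}\n" for n, k in keys)


def rotate_file(path, key_bits=128, history_length=14):
    """Rewrite the key file atomically: write a mode-0600 temp file in the same
    directory, then rename, so shibd never reloads a half-written file.
    (Ownership changes as done by -u/-g are omitted here; they need root.)"""
    path = Path(path)
    old = path.read_text() if path.exists() else ""
    new = rotate(old, key_bits, history_length)
    tmp = path.with_name(path.name + ".tmp")  # assumed temp-file name
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(new)
    os.replace(tmp, path)
    return parse_sealer_keys(new)
```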