[OpenAFS] Server encryption keys

Robert Banz banz@umbc.edu
Fri, 16 Mar 2007 15:31:16 -0400

Wouldn't a better key-update-transition plan be:

* create a new key
* stash it in the KeyFile in the next kvno slot
* wait until the servers pick it up
* update the afs key on the kdc to match the new value (make sure it  
matches the kvno that you used before)
* profit.

 From what I understand -- and please correct me if I'm wrong -- all  
of the various key versions in the key file should be valid(?) for  
transacting with AFS -- so in order to go service-outage-less, you  
need to make sure  the new key available to all of the servers before  
you go and make that the current AFS service key on the KDC?

Once your "longest" key expiration time is reached for your cell, you  
could safely remove the old key version from the KeyFile...


On Mar 16, 2007, at 2:43 PM, Russ Allbery wrote:

> A V Le Blanc <LeBlanc@mcc.ac.uk> writes:
>> On a test cell, I've been able to change the encryption key as  
>> follows:
>> I change the afs password using kadmin and export it to the  
>> KeyFile.  I
>> then have to kill the bos process and all server processes on all
>> servers, since my old admin tokens don't work any more, nor do new  
>> ones
>> when I reauthenticate.  After restarting bos, the other processes  
>> start
>> cleanly, and authentication works again.
> Once the KeyFile is distributed to all of your systems, the AFS server
> processes should pick up the change automatically (I think there's  
> some
> short checking interval).  There were some bugs in this in earlier
> versions of 1.4 on Solaris, but I'm fairly sure they were ironed out.