[OpenAFS] Server encryption keys

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Fri, 16 Mar 2007 10:34:34 +0000


The old Transarc documents recommend changing your server encryption
key every month.  We've done it about 9 times in 16 years, and did
it last before we migrated to Kerberos V.  The explanation of how
to change the encryption key assumes that you are using kaserver
and kas, so it's out of date anyway.

On a test cell, I've been able to change the encryption key as
follows: I change the afs password using kadmin and export it
to the KeyFile.  I then have to kill the bos process and all
server processes on all servers, since my old admin tokens
don't work any more, nor do new ones when I reauthenticate.
After restarting bos, the other processes start cleanly, and
authentication works again.

Obviously this procedure is not appropriate for a production
environment!

     -- Owen
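An added check for the "export it to the KeyFile" step described above (example code written for this page, not the poster's procedure or anything from OpenAFS): it parses a KeyFile image and reports whether the new kvno is present and whether every stored key is a well-formed DES key. It assumes the classic OpenAFS KeyFile layout (big-endian 32-bit key count, then eight fixed slots of 32-bit kvno plus 8-byte DES key); the KeyFile bytes and kvnos used below are constructed samples.

```python
import struct

# Assumed classic OpenAFS KeyFile layout: a big-endian 32-bit key count,
# then AFSCONF_MAXKEYS (8) fixed slots of (32-bit kvno, 8-byte DES key).
MAX_KEYS = 8
HEADER = struct.Struct(">i")
RECORD = struct.Struct(">i8s")

# The four DES weak keys; a server KeyFile should never hold one of these.
WEAK_DES_KEYS = {
    bytes.fromhex("0101010101010101"), bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"), bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def build_keyfile(entries):
    """Serialise [(kvno, 8-byte key)] into a full-size KeyFile image (constructed sample)."""
    if len(entries) > MAX_KEYS:
        raise ValueError("KeyFile holds at most %d keys" % MAX_KEYS)
    body = b"".join(RECORD.pack(kvno, key) for kvno, key in entries)
    body += RECORD.pack(0, b"\0" * 8) * (MAX_KEYS - len(entries))  # unused slots
    return HEADER.pack(len(entries)) + body


def parse_keyfile(data):
    """Return the live [(kvno, key)] entries; unused trailing slots are ignored."""
    (nkeys,) = HEADER.unpack_from(data, 0)
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError("implausible key count %d" % nkeys)
    if len(data) < HEADER.size + nkeys * RECORD.size:
        raise ValueError("KeyFile truncated")
    return [RECORD.unpack_from(data, HEADER.size + i * RECORD.size) for i in range(nkeys)]


def has_odd_parity(key):
    """Every byte of a real DES key carries odd parity; anything else is not a DES key."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_rotation(data, new_kvno):
    """Findings after exporting a new key: is the new kvno there, and are all keys sane?"""
    problems = []
    entries = parse_keyfile(data)
    kvnos = [kvno for kvno, _ in entries]
    if new_kvno not in kvnos:
        problems.append("kvno %d not present; export to KeyFile did not take" % new_kvno)
    if len(kvnos) != len(set(kvnos)):
        problems.append("duplicate kvno entries")
    for kvno, key in entries:
        if not has_odd_parity(key):
            problems.append("kvno %d: bad DES parity" % kvno)
        if key in WEAK_DES_KEYS:
            problems.append("kvno %d: DES weak key" % kvno)
    return problems
```

Keeping the previous kvno in the file alongside the new one is expected while servers are being restarted; the check only flags it when the new key is missing or malformed.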