Changing the database master key
Russ Allbery
rra at stanford.edu
Thu Aug 31 12:23:27 EDT 2006
Hello all,
My understanding from previous discussions was that it was not possible to
change the database master key for an MIT Kerberos KDC due to various bits
that are encrypted in the master key. However, I noticed that the
kdb5_util man page seems to indicate that it can under dump:
    -mkey_convert
        prompts for a new master key. This new master key will
        be used to re-encrypt the key data in the dumpfile. The
        key data in the database will not be changed.

    -new_mkey_file mkey_file
        the filename of a stash file. The master key in this
        stash file will be used to re-encrypt the key data in the
        dumpfile. The key data in the database will not be
        changed.
Those options make it sound like I could use a technique like:
1. Create a new KDC database in a new location with an AES master key.
2. Dump the old database using -new_mkey_file pointing at the new stash.
3. Load the database dump into the new empty database.
and thereby change the database master key. Is that correct? Does this
fail for some reason? Has anyone done this?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
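The three steps above, written out as a shell script. This is an added example, not code from the original post or from MIT Kerberos; it encodes the procedure exactly as the post proposes it and does not by itself answer whether the load in step 3 succeeds. The realm name, the database and stash paths, the dump file name and the AES enctype are assumed values for illustration. By default the script only prints the kdb5_util commands (DRY_RUN=1); set DRY_RUN=0 on a KDC, with kadmind and krb5kdc stopped, to execute them. Step 2 still needs the old master key, which kdb5_util reads from the realm's normal stash file (key_stash_file in kdc.conf), while -new_mkey_file points at the stash created in step 1.

```shell
#!/bin/sh
# Added example (not part of the original post): change an MIT Kerberos KDC
# database master key by dumping under a new master key and loading the dump
# into a fresh database. Realm, paths and enctype below are assumed values.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
OLD_DB="${OLD_DB:-/var/kerberos/krb5kdc/principal}"
NEW_DB="${NEW_DB:-/var/kerberos/krb5kdc/principal.new}"
NEW_STASH="${NEW_STASH:-/var/kerberos/krb5kdc/.k5.${REALM}.new}"
DUMPFILE="${DUMPFILE:-/var/kerberos/krb5kdc/rekey.dump}"
NEW_MKEY_ENCTYPE="${NEW_MKEY_ENCTYPE:-aes256-cts-hmac-sha1-96}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them

# Print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create a new, empty database in a new location. -k selects the
# master key enctype, -sf names the stash file, and "create -s" writes the
# new master key into that stash after prompting for it.
step_create() {
  run kdb5_util -r "$REALM" -d "$NEW_DB" -sf "$NEW_STASH" \
      -k "$NEW_MKEY_ENCTYPE" create -s
}

# Step 2: dump the old database, re-encrypting the key data in the dump
# under the master key stored in NEW_STASH. The old database is not modified;
# the old master key is read from the realm's default stash file.
step_dump() {
  run kdb5_util -r "$REALM" -d "$OLD_DB" dump -new_mkey_file "$NEW_STASH" "$DUMPFILE"
}

# Step 3: load the re-encrypted dump into the new database, using the new
# stash so kdb5_util opens NEW_DB with the matching master key.
step_load() {
  run kdb5_util -r "$REALM" -d "$NEW_DB" -sf "$NEW_STASH" load "$DUMPFILE"
}

# Run the whole procedure in order.
rekey_kdc_db() {
  step_create
  step_dump
  step_load
}

rekey_kdc_db
```

Once the load succeeds, the new database and its stash still have to be put in place of the old ones (or kdc.conf pointed at them) before the KDC is restarted, and the old stash file should be removed from the host, since it still holds the key that can decrypt the old database and any surviving copies of it.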