Changing the database master key
kenh at cmf.nrl.navy.mil
Thu Aug 31 13:36:31 EDT 2006

>My understanding from previous discussions was that it was not possible to
>change the database master key for an MIT Kerberos KDC due to various bits
>that are encrypted in the master key. However, I noticed that the
>kdb5_util man page seems to indicate that it can under dump:
> prompts for a new master key. This new master key will
> be used to re-encrypt the key data in the dumpfile. The
> key data in the database will not be changed.
> -new_mkey_file mkey_file
> the filename of a stash file. The master key in this
> stash file will be used to re-encrypt the key data in the
> dumpfile. The key data in the database will not be

The problem is that you can change the master key ... but only to another
key of the same enctype.
When I investigated this ... it turns out that while the enctype is
stored in the stash file, none of the code makes use of that. And
also, the history key enctype is derived from the master key enctype.
Neither of these is an insurmountable problem ... but at that point, I
gave up. Maybe this is fixed in newer versions of MIT Kerberos ...
but I suspect when you try it, it will fail.
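A preflight check for the limitation described above, written as an added example for this post (it is not MIT Kerberos code): it reads the enctype recorded in the current stash file and in the proposed new stash file and refuses a `dump -new_mkey_file` re-encryption when the two differ, which is exactly the check the tool itself does not perform. The stash layout used here (native-endian 16-bit enctype, native-endian 32-bit key length, then the raw key bytes) is the legacy MIT format as assumed for this example, and the sample keys are constructed placeholders.

```python
import struct

# RFC 3961 enctype numbers for a few types an MIT KDC of this era used.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    18: "aes256-cts-hmac-sha1-96",
}


def enctype_name(enctype):
    return ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)


def parse_legacy_stash(data):
    """Parse the assumed legacy stash layout: native-endian 16-bit enctype,
    native-endian 32-bit key length, then the key bytes. Returns (enctype, key)."""
    header = struct.calcsize("=HI")  # '=' selects native byte order, no padding
    if len(data) < header:
        raise ValueError("stash file too short to hold a header")
    enctype, keylen = struct.unpack("=HI", data[:header])
    key = data[header:header + keylen]
    if len(key) != keylen:
        raise ValueError("stash file truncated: expected %d key bytes" % keylen)
    return enctype, key


def build_legacy_stash(enctype, key):
    """Inverse of parse_legacy_stash; used here only to build sample input."""
    return struct.pack("=HI", enctype, len(key)) + key


def rekey_allowed(current_stash, new_stash):
    """Decide whether re-encrypting a dump with new_stash is safe given the
    same-enctype restriction. Returns (allowed, reason)."""
    cur_et, cur_key = parse_legacy_stash(current_stash)
    new_et, new_key = parse_legacy_stash(new_stash)
    if cur_et != new_et:
        return False, "enctype mismatch: current %s, new %s" % (
            enctype_name(cur_et), enctype_name(new_et))
    if cur_key == new_key:
        return False, "new master key is identical to the current one"
    return True, "same enctype (%s); re-encryption can proceed" % enctype_name(cur_et)


# Constructed sample stash files (placeholder key bytes, not real keys).
DES_STASH = build_legacy_stash(1, bytes(range(1, 9)))
DES_STASH_NEW = build_legacy_stash(1, bytes(range(9, 17)))
AES_STASH = build_legacy_stash(18, bytes(range(32)))

if __name__ == "__main__":
    for label, new in (("des->des", DES_STASH_NEW), ("des->aes", AES_STASH)):
        print(label, rekey_allowed(DES_STASH, new))
```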