Is a keytab file encrypted?

Greg Hudson ghudson at
Tue Jul 18 14:12:49 EDT 2017

On 07/18/2017 12:48 PM, pratyush parimal wrote:
> When I export a principal's key to a keytab file using the following
> command:
> ktadd -k keytabfile service/host at REALM
> (1) Does the keytabfile contain the key in encrypted form or as plaintext?

The keytab file contains the actual keys, unencrypted.

> (2) Is it possible to export the key in encrypted form? If so, then how
> does the service application open the encrypted keytab?

The keytab file does not have any way to represent encrypted keys, and
the kadmin protocol has no facility to export encrypted keys.  One
could, in principle, design an out-of-band system which used
kadmin.local to create a keytab, encrypt the file, transmit the
encrypted kyetab file to the server, and then decrypt the file on the
server (into a memory filesystem, perhaps) before running the server
application, but I've never heard of anyone doing that.

More information about the Kerberos mailing list