Is a keytab file encrypted?

pratyush parimal pratyush.parimal at
Tue Jul 18 22:20:12 EDT 2017

Ah, I get it. It's much clearer now. Thanks guys!

On Jul 18, 2017 10:15 PM, "Russ Allbery" <eagle at> wrote:

> Greg Hudson <ghudson at> writes:
> > On 07/18/2017 12:48 PM, pratyush parimal wrote:
> >> (2) Is it possible to export the key in encrypted form? If so, then how
> >> does the service application open the encrypted keytab?
> > The keytab file does not have any way to represent encrypted keys, and
> > the kadmin protocol has no facility to export encrypted keys.  One
> > could, in principle, design an out-of-band system which used
> > kadmin.local to create a keytab, encrypt the file, transmit the
> > encrypted kyetab file to the server, and then decrypt the file on the
> > server (into a memory filesystem, perhaps) before running the server
> > application, but I've never heard of anyone doing that.
> You have kind of a chicken and an egg problem, since in a typical Kerberos
> environment the keytab *is* the core identity keys for an application.  If
> it's encrypted, then you need some other unencrypted keys that *really*
> represent the application, at which point why not use those keys for
> Kerberos directly?
> That said, if you had a private key in a TPM or some other sort of
> tamper-resistent hardware, I could see wanting to hand out Kerberos
> keytabs encrypted to the public key of the server.  But you'd have to
> build the service to do key issuance that way yourself.  (It wouldn't be
> horribly hard to build if you'd already done the work to build out the PKI
> and its TPM component.)
> But, even in that case, it's not clear to me what the keytab is then doing
> for you versus just using the PKI and using PKINIT to get Kerberos
> tickets.  There are probably some practical uses for introducing the extra
> layer of complexity, but it's not obviously necessary.
> --
> Russ Allbery (eagle at              <>

More information about the Kerberos mailing list