questions regarding master key enctype migration

Will Fiveash William.Fiveash at
Tue Mar 11 19:38:37 EDT 2008

On Tue, Mar 11, 2008 at 05:44:18PM -0500, Will Fiveash wrote:

> After enough time had passed to ensure that the above was completely
> successful and all KDCs were using the same current mkey a new kdb5_util
> command to purge old mkeys from the K/M princ would be then run on a
> master KDC.  (Whether this command can determine if a mkey is still
> required to decrypt a princ record in a reasonable amount of time may be
> an issue.  Ken, any idea here?  Anyway, I'm going to assume it is
> feasible for either a db2 or LDAP KDB.)  This updated K/M princ would

I should rephrase my question about purging unneeded mkeys.  I'm
wondering if a kdb5_util "purge old mkeys" command can determine if a
mkey is still needed or not in a reasonable amount of time.  I'm
assuming that all princ entries would have their mkvno examined to
determine which mkvno's were still in use and this could take a while
with a large LDAP KDB.


Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
