The kdb_destroy utility securely removes the principal database. This utility
runs on the primary and secondary security servers. If you run this
utility using command-line options, it prompts you with a confirmation
message and then removes the default principal database, /krb5/principal. To confirm the deletion, type yes; otherwise, kdb_destroy returns the message Database not destroyed.
This tool destroys only the principal.* files. You must handle the other files that store the
principal information separately. To destroy admin_acl_file, manually delete it. To destroy the key table files,
use the ktutil tool.
To ensure that no one reads the previous contents of the database
files, kdb_destroy writes 0s (zeros) to the original files before it deletes
them.
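The two behaviors described above (only the principal.* files are touched, and each file is overwritten with zeros before it is deleted) can be sketched as follows. This is an added example, not kdb_destroy's own code; the function names, the 64 KiB block size, and the sample file names principal.db and principal.ok are assumptions made for illustration.

```python
import glob
import os
import tempfile

CHUNK = 64 * 1024  # write zeros in 64 KiB blocks (assumed size)


def zero_fill(path):
    """Overwrite every byte of path with 0x00 in place; return bytes written."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the existing file is rewritten.
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(b"\x00" * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the zeros to disk before the unlink
    return size


def destroy_principal_files(db_path):
    """Zero and delete db_path and db_path.*; return the base names removed."""
    removed = []
    for path in [db_path] + sorted(glob.glob(glob.escape(db_path) + ".*")):
        # Skip symlinks so the overwrite cannot be redirected to another file.
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        zero_fill(path)
        os.unlink(path)
        removed.append(os.path.basename(path))
    return removed


def demo():
    """Constructed sample: principal.* files plus an ACL file that must survive."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("principal.db", "principal.ok", "admin_acl_file"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed-key-material" * 10)
        removed = destroy_principal_files(os.path.join(d, "principal"))
        return removed, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

An in-place overwrite reaches the original data blocks only on storage that rewrites blocks in place; copy-on-write filesystems, snapshots, backups, and flash wear leveling can retain earlier copies of the key material.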
The general syntax for destroying the Kerberos database is
as follows:
The kdb_destroy utility uses the following options:
Following is an example output of the kdb_destroy utility:
    shell% kdb_destroy
    keyfile: /opt/krb5/.k5.DCETST3.FINANCE.BAMBI.COM
    Deleting KDC database stored in ‘/opt/krb5/principal’, are you sure?
    (type ‘yes’ to confirm)?
    Database destroyed!