Stashing the Master Key

The kdb_stash utility stores the master key, the encrypted master password, to a disk file. This utility runs on the primary and secondary security servers. Use the kdb_stash utility to store the master key to a stash file. You must specify the same key type and master password that you specified when you created the database.




	NOTE: If you have used the kdb_create -s utility to create your database, you already have a stash file.

Storing the password in a disk file may allow an intruder to gain access to the principal database. Secure the file carefully.

The general syntax for this is:

kdb_stash [-e enctype] [-f keyfile] [-M mkeyname] [-r REALM]

The kdb_stash utility uses the following options:

-e enctype

Specifies the encryption type to be used to generate the master key. The type you specify must be the same as the type you have specified while creating the database. The three encryption types supported are:

DES-CRC or 1: DES-CBC-CRC
DES-MD5 or 3: DES-CBC-MD5
3DES or 5: DES-CBC-MD5 (default)

-f keyfile

Stashes the key in an alternate key file named keyfile. If you do not use the -f switch, the default is .k5.REALM.

-M mkeyname

Specifies an alternate primary principal name. The default primary principal name is K/M@REALM.

-r REALM

Stashes the principal database key for the realm REALM. By default, kdb_stash uses the realm defined in the krb.conf file. If the file does not exist, the command uses the uppercase equivalent of the domain name.

Given below is an example of using the kdb_stash:

shell% kdb_stast -f <filename> Enter password: <password> Re-enter password for verification: <password>

Stashing the Master Key

Technical documentation

» Table of Contents

» Glossary

» Index