Provided by: shibboleth-sp-utils_3.0.4+dfsg1-1_amd64 bug


       shib-seckeygen - Rotate the keys of a Versioned DataSealer


       shib-seckeygen [-o output-dir] [-f filename]
           [-h history-length] [-b key-size]
           [-u user] [-g group]


       The Versioned <DataSealer> type is designed for production use and obtains its key
       material from a simple flat file that allows a history of several keys to be kept to
       decrypt older data and continuously rotate the encryption key on a regular basis, usually

       The flat file format consists of lines of the form <name>:<key>, where the name is
       typically a number for record keeping but can be any label, and the key is base64-encoded.
       The key length dictates which AES-GCM algorithm is used, among the supported key sizes
       (128,192,256). The "default" key used for new operations is the last line in the file.

       This script provides a simple means of rotating the key, and the Service Provider software
       will typically detect when the file changes and reload it.


       -b key-size
           Number of random bits in the newly generated key.  See above for the supported sizes.
           The default is 128.

       -g group
           Change the group ownership of the key file to this group.  The default is "_shibd".

       -h history-length
           The maximum number of keys to keep in the file.  The default is 14.

       -f filename
           The name of the file containing the keys in output-dir.  The default is "sealer.keys".

       -o output-dir
           The key file and a temporary key file are created in this directory.  The default is

       -u user
           Change the ownership of the key file to this user.  The default is "_shibd".


           The default key file rotated by this script.


       This manual page was written by Ferenc W√°gner for Debian GNU/Linux using the text on


       Copyright 2018 Shibboleth Project.  License: Creative Commons Attribution-ShareAlike 3.0.