Provided by: openswan_2.6.23+dfsg-1ubuntu1_i386 bug


       ipsec newhostkey - generate a new raw RSA authentication key for a host


       ipsec newhostkey [[--quiet] | [--verbose]] [--bits bits]
             [--hostname hostname] --output filename


       newhostkey outputs (into filename, which can be ´-´ for standard
       output) an RSA private key suitable for this host, in
       /etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet
       option per default.

       The --output option is mandatory. The specified filename is created
       under umask 077 if nonexistent; if it already exists and is non-empty,
       a warning message about that is sent to standard error, and the output
       is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the
       existing-file warning message.

       The --bits option specifies the number of bits in the key; the current
       default is 2192 and we do not recommend use of anything shorter unless
       unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what
       host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to
       complete the ipsec.secrets format. In the usual case, where
       ipsec.secrets contains only the hostânewhostkey is sufficient as a
       complete ipsec.secrets file.


       /dev/random, /dev/urandom


       ipsec_rsasigkey(8), ipsec.secrets(5)


       Written for the Linux FreeS/WAN project <> by
       Henry Spencer.


       As with rsasigkey, the run time is difficult to predict, since
       depletion of the systemâipsec_rsasigkey(8) for some typical performance

       A higher-level tool which could handle the clerical details of changing
       to a new key would be helpful.

       The requirement for --output is a blemish, but private keys are
       extremely sensitive information and unusual precautions seem justified.