shib-seckeygen - Rotate the keys of a Versioned DataSealer

shib-seckeygen [-o output-dir] [-f filename] [-h history-length] [-b key-size] [-u user] [-g group]

The Versioned <DataSealer> type is designed for production use and obtains its key material from a simple flat file. The file can hold a history of several keys, so that older data can still be decrypted while the encryption key is rotated on a regular basis, usually daily.

The flat file format consists of lines of the form <name>:<key>, where the name is typically a number used for record keeping but can be any label, and the key is base64-encoded. The key length determines which AES-GCM variant is used; the supported key sizes are 128, 192 and 256 bits. The "default" key, used for all new encryption operations, is the last line in the file.

This script provides a simple means of rotating the key: it appends a newly generated key as the new default and trims the oldest entries beyond the configured history length. The Service Provider software will typically detect when the file changes and reload it, so no restart is needed.

-b key-size
Number of random bits in the newly generated key. See above for the supported sizes. The default is 128.

-g group
Change the group ownership of the key file to this group. The default is "_shibd".

-h history-length
The maximum number of keys to keep in the file. The default is 14.

-f filename
The name of the file containing the keys in output-dir. The default is "sealer.keys".

-o output-dir
The key file and a temporary key file are created in this directory. The default is "/etc/shibboleth".

-u user
Change the ownership of the key file to this user. The default is "_shibd".
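The following POSIX shell functions are an added example of the rotation described above, written here to show the <name>:<key> file format, the history trimming and the temp-file-then-rename step in runnable form. They are not the Shibboleth project's own shib-seckeygen script; the function names, the use of /dev/urandom piped through base64 for key material, and the chmod 600 on the new file are choices of this example, not behaviour documented on this page. The chown to -u/-g is omitted so the example runs unprivileged against a scratch directory.

```shell
#!/bin/sh
# Added example (not the project's shib-seckeygen): minimal Versioned DataSealer key rotation.

# The sealer accepts only AES-GCM key sizes of 128, 192 or 256 bits.
valid_key_bits() {
    case "$1" in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

# Name (label) of the default key: the last line of the key file.
current_key_name() {
    tail -n 1 "$1" | cut -d: -f1
}

# Base64 key material of the default key.
current_key() {
    tail -n 1 "$1" | cut -d: -f2
}

# rotate_sealer_keys OUTPUT_DIR FILENAME HISTORY_LENGTH KEY_BITS
# Appends a fresh random key as the new default, keeps at most HISTORY_LENGTH
# lines, and swaps the file in with a single rename so a reader that reloads on
# change never sees a half-written file.
rotate_sealer_keys() {
    dir=$1; name=$2; history=$3; bits=$4
    file="$dir/$name"

    valid_key_bits "$bits" || { echo "unsupported key size: $bits" >&2; return 1; }
    [ "$history" -ge 1 ] || { echo "history length must be >= 1" >&2; return 1; }

    # Temporary file lives in the same directory so the final mv is a rename, not a copy.
    tmp=$(mktemp "$dir/$name.XXXXXX") || return 1

    # Carry over the newest (history - 1) keys so older data stays decryptable.
    if [ -f "$file" ]; then
        tail -n "$((history - 1))" "$file" > "$tmp"
        last=$(current_key_name "$file")
    else
        last=0
    fi
    # Names are "typically a number"; if the previous label is not numeric, restart at 1.
    case "$last" in ''|*[!0-9]*) last=0 ;; esac
    next=$((last + 1))

    # bits/8 random bytes, base64 on a single line, as the file format requires.
    key=$(head -c "$((bits / 8))" /dev/urandom | base64 | tr -d '\n')
    printf '%s:%s\n' "$next" "$key" >> "$tmp"

    chmod 600 "$tmp"      # this example's choice: key material is readable by owner only
    mv -f "$tmp" "$file"  # atomic replacement; the SP detects the change and reloads
}

# Demonstration against a scratch directory (constructed input; nothing under /etc is touched).
demo_dir=$(mktemp -d)
rotate_sealer_keys "$demo_dir" sealer.keys 14 128
echo "default key is now named $(current_key_name "$demo_dir/sealer.keys") in $demo_dir/sealer.keys"
```

Running the function once a day with a history length of 14 gives the behaviour the description above relies on: the newest key is always the last line, and data sealed with any of the previous thirteen keys can still be opened until its line is trimmed.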

The default key file rotated by this script, output-dir/filename, which with the default options is /etc/shibboleth/sealer.keys.

This manual page was written by Ferenc Wágner for Debian GNU/Linux using the text on

Copyright 2018 Shibboleth Project. License: Creative Commons Attribution-ShareAlike 3.0.

2025-01-12 3.5.0