Before you can administer the key database, the key management daemon must be running. Typically, the daemon is started automatically when you boot the system.
When you administer the key database--whether to add a new shared key to the keys file, delete a key that is no longer needed, or modify an existing key--the command you enter calls the key management daemon, which performs the requested operation. If you are supplying a new shared key, for example, the daemon takes the shared key from the cryptkey(1bnu) command and stores it in the keys file. The daemon then uses the master key to encrypt the keys in the keys file. Every time the daemon modifies the keys file, it re-encrypts the keys--using the master key.
Both the key management daemon and the master key are managed using keymaster(1Mbnu), as described in the following sections.
The key management daemon is started automatically through an initialization script whenever you boot the system; however, it can start unattended in this way only if there is no master key, because a master key must be entered at the terminal.
If your system needs to be rebooted frequently, and you are unable to attend the system during a reboot, you may want to store the keys file in unencrypted form. To store the keys file in unencrypted form, you need to change the master key to NULL.
In certain circumstances--if there is a problem with the keys file, for example--you may want to stop the daemon manually.
Enter the keymaster command as follows to stop the daemon:
keymaster -k
No key is required to stop the daemon; however, the operation fails if you are not the privileged user (the owner of the keys file).
To restart the daemon, enter the keymaster command.
When cr1 is first installed and the system is booted, an initialization script runs the keymaster command, which starts the key management daemon. Because the keys file is empty at this point, the master key is NULL.
To create the master key, enter the following command:
keymaster -n -c
keymaster prompts you for the key, which can be any alphanumeric string between zero and eight characters in length.
When you enter the key, the keymaster command does not echo it on the screen. Instead, keymaster prompts you to enter the key a second time. If the first and second entries match, the daemon stores the master key. If the entries do not match, the operation fails and the master key remains unchanged.
Once you create a master key, the daemon takes it and stores it. (For security reasons, it stores the key in cleartext in its process address space, not in a file. An encrypted copy of the master key is stored in the keys file.) The daemon then uses the master key to encrypt the shared keys in the keys file and to re-encrypt them every time the file is modified.
To change a master key once you have created it, enter
keymaster -c
The system then prompts you to enter the old master key. Once you enter the old master key, it prompts you to enter and then re-enter the new master key. If the entries do not match, the operation fails and the master key remains unchanged.
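The following model, added here as an illustration and not cr1's own code or file format, shows the design described above in working form: the master key lives only in the daemon's memory, the shared keys are stored encrypted under it and re-encrypted on every modification, a NULL master key leaves the keys file in cleartext, and changing the master key requires the old key to match first. The cipher (an HMAC-SHA256 keystream), the JSON layout, the key derivation and the "check" verifier field are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Illustrative model of the key management daemon, not cr1's actual implementation.
# Assumptions: toy cipher, JSON keys file, SHA-256 key derivation, HMAC verifier.


def _derive(master_key: str) -> bytes:
    # Assumed derivation; the real daemon's scheme is not documented here.
    return hashlib.sha256(b"model:" + master_key.encode()).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC-SHA256 counter keystream XORed into data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class MasterKeyMismatch(Exception):
    pass


class KeyManagementDaemon:
    """Holds the master key in process memory and owns the keys file."""

    def __init__(self, keys_path: str, master_key: str = ""):
        self.keys_path = keys_path
        self._master = master_key          # "" plays the role of the NULL master key
        self._shared: dict[str, str] = {}  # cleartext shared keys exist only in memory
        self._load() if os.path.exists(keys_path) else self._write()

    def _write(self) -> None:
        """Rewrite the keys file; a non-NULL master key re-encrypts it with a fresh nonce."""
        body = json.dumps(self._shared, sort_keys=True).encode()
        if self._master == "":
            record = {"encrypted": False, "body": body.decode()}
        else:
            k, nonce = _derive(self._master), secrets.token_bytes(16)
            record = {"encrypted": True, "nonce": nonce.hex(),
                      "body": _xor_keystream(k, nonce, body).hex(),
                      # stands in for the encrypted copy of the master key kept in the file
                      "check": hmac.new(k, b"master-key-check", hashlib.sha256).hexdigest()}
        with open(self.keys_path, "w") as f:
            json.dump(record, f)

    def _load(self) -> None:
        with open(self.keys_path) as f:
            record = json.load(f)
        if not record["encrypted"]:
            self._shared = json.loads(record["body"])
            return
        k = _derive(self._master)
        expected = hmac.new(k, b"master-key-check", hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["check"]):
            raise MasterKeyMismatch("master key does not unlock this keys file")
        body = _xor_keystream(k, bytes.fromhex(record["nonce"]), bytes.fromhex(record["body"]))
        self._shared = json.loads(body)

    def add_key(self, remote: str, shared_key: str) -> None:
        self._shared[remote] = shared_key
        self._write()                       # every modification rewrites the file

    def delete_key(self, remote: str) -> None:
        self._shared.pop(remote, None)
        self._write()

    def change_master(self, old: str, new: str) -> bool:
        """Like keymaster -c: the old master key must match before re-encrypting."""
        if old != self._master:
            return False
        self._master = new
        self._write()
        return True

    def remotes(self) -> list[str]:
        return sorted(self._shared)

    def stop(self) -> None:
        """Like keymaster -k: drop the cleartext material held in memory."""
        self._master, self._shared = "", {}


def run_demo() -> dict:
    """Walk through the lifecycle described in the text and report what the file shows."""
    path = os.path.join(tempfile.mkdtemp(), "keys")
    raw = lambda: open(path).read()
    r = {}
    d = KeyManagementDaemon(path)           # booted with an empty file, NULL master key
    d.add_key("hostA", "sharedkeyA")        # constructed sample shared key
    r["null_master_plaintext"] = "sharedkeyA" in raw()
    r["created_master"] = d.change_master("", "m4st3rk")
    r["encrypted_hides_key"] = "sharedkeyA" not in raw()
    nonce_before = json.loads(raw())["nonce"]
    d.add_key("hostB", "sharedkeyB")
    r["reencrypted_on_change"] = json.loads(raw())["nonce"] != nonce_before
    r["wrong_old_key_rejected"] = not d.change_master("guess", "other")
    d.stop()
    try:
        KeyManagementDaemon(path, "guess")
        r["wrong_master_at_start_fails"] = False
    except MasterKeyMismatch:
        r["wrong_master_at_start_fails"] = True
    r["restart_recovers_keys"] = KeyManagementDaemon(path, "m4st3rk").remotes() == ["hostA", "hostB"]
    return r
```

Running run_demo() shows why the unattended-reboot trade-off in the text exists: with a NULL master key the file loads without any operator input but the shared keys are readable from disk, while with a master key set the file is useless to anyone who does not hold the key, and the daemon cannot come up until someone supplies it.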