Removing Server Encryption Keys

You can periodically remove old keys from the /usr/afs/etc/KeyFile file to keep it to a reasonable size. To avoid disturbing cell functioning, do not remove an old key until all tokens sealed with the key and held by users or client processes have expired. After adding a new key, wait to remove old keys at least as long as the longest token lifetime you use in your cell. For Authentication Database user entries created under AFS version 3.1 or higher, the default token lifetime is 25 hours; for entries created under AFS version 3.0, it is 100 hours.

There is no command for removing the key from the afs entry in the Authentication Database, because the key field in that entry must never be empty. Use the kas setpassword command to replace the afs key, but only as part of the complete procedure detailed in To add a new server encryption key.

Never remove from the KeyFile file the key that is currently in the afs entry in the Authentication Database. If you do, AFS server processes become unable to decrypt the tickets that clients present to them.

To remove a key from the KeyFile file

  1. Verify that you are authenticated as a user listed in the /usr/afs/etc/UserList file. If necessary, issue the bos listusers command, which is fully described in To display the users in the UserList file.

       % bos listusers <machine name>
    
  2. Issue the bos listkeys command to display the key version number of each key you want to remove. The output also reveals whether it has been at least 25 hours since a new key was placed in the KeyFile file. For complete instructions for the bos listkeys command, see To display the KeyFile file.

       % bos listkeys <machine name>
    
  3. Issue the kas examine command to verify that the key currently in the Authentication Database's afs entry does not have the same key version number as any of the keys you are removing from the KeyFile file. For detailed instructions for the kas examine command, see To display the afs key from the Authentication Database.

       % kas examine afs -admin <admin principal to use for authentication>
       Administrator's (admin_user) password: <admin_password>
    
  4. Issue the bos removekey command to remove one or more server encryption keys from the KeyFile file.

    If you use the Update Server to distribute the contents of the system control machine's /usr/afs/etc directory, substitute the system control machine for the machine name argument. (If you have forgotten which machine is the system control machine, see To locate the system control machine.)

       % bos removekey <machine name> <key version number>
    
    where

    removek

    Is the shortest acceptable abbreviation of removekey.

    machine name

    Names the cell's system control machine if you are using the Update Server, or each server machine in turn if you are not.

    key version number

    Specifies the key version number of each key to remove.
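The following shell script is an added example, not part of the AFS documentation, that automates the safety check in steps 2 through 4: it compares the key list reported by bos listkeys against the key recorded in the Authentication Database's afs entry and only proposes bos removekey commands for the other key version numbers. The bos listkeys and kas examine output embedded here is constructed sample data modeled on the documented output format, the machine name fs1.example.com is a placeholder, and the script prints the removekey commands rather than running them, so an administrator can review them before the keys are actually removed.

```shell
#!/bin/sh
# Constructed sample output of "bos listkeys <machine name>" (not real cell data).
LISTKEYS_OUTPUT='key 0 has cksum 972037177
key 1 has cksum 2825175022
key 3 has cksum 3523868641
Keys last changed on Mon Apr 12 11:24:46 1999.
All done.'

# Constructed sample output of "kas examine afs" (not real cell data).
KAS_EXAMINE_OUTPUT='User data for afs
 key (3) cksum is 3523868641, last cpw: Mon Apr 12 11:24:46 1999
 password will never expire.
 An unlimited number of unsuccessful authentications is permitted.
 entry never expires.  Max ticket lifetime 25.00 hours.
 last mod on Mon Apr 12 11:24:46 1999 by admin
 permit password reuse'

# Key version number currently stored in the afs entry of the Authentication Database.
db_kvno() {
    printf '%s\n' "$1" | sed -n 's/^ *key (\([0-9][0-9]*\)) cksum is .*/\1/p'
}

# Checksum recorded for the Authentication Database's afs key.
db_cksum() {
    printf '%s\n' "$1" | sed -n 's/^ *key ([0-9]*) cksum is \([0-9][0-9]*\),.*/\1/p'
}

# Checksum of one key version number in the bos listkeys output; empty if absent.
keyfile_cksum() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == "key" && $2 == k { print $5 }'
}

# Key version numbers that are safe to pass to "bos removekey": every key in the
# KeyFile except the one whose version number is in the Authentication Database.
# Arguments: bos listkeys output, kas examine output.
removable_kvnos() {
    listkeys="$1"
    kas="$2"
    active=$(db_kvno "$kas")
    if [ -z "$active" ]; then
        echo "could not find a key version number in kas examine output" >&2
        return 1
    fi
    # Refuse to continue if the KeyFile does not hold the database key at all, or
    # holds it under the same version number with a different checksum: the cell
    # is already inconsistent and removing keys would only make it worse.
    if [ "$(keyfile_cksum "$listkeys" "$active")" != "$(db_cksum "$kas")" ]; then
        echo "KeyFile key version $active does not match the Authentication Database key" >&2
        return 1
    fi
    printf '%s\n' "$listkeys" |
        awk -v a="$active" '$1 == "key" && $2 != a { print $2 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# Print (do not run) the bos removekey command for each removable key on one machine.
# Arguments: machine name, bos listkeys output, kas examine output.
removekey_commands() {
    kvnos=$(removable_kvnos "$2" "$3") || return 1
    for k in $kvnos; do
        printf 'bos removekey %s %s\n' "$1" "$k"
    done
}

removekey_commands fs1.example.com "$LISTKEYS_OUTPUT" "$KAS_EXAMINE_OUTPUT"
```

When run against live output, substitute the system control machine for the machine name if the Update Server distributes /usr/afs/etc, and still wait the full token lifetime after the "Keys last changed" date before issuing any of the printed commands; the script checks consistency with the Authentication Database, not key age.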