Re: Re-encrypt on change of master key

2017-03-14 Thread Nico Williams
On Tue, Mar 14, 2017 at 03:54:36PM -0700, Adam Lewenberg wrote:
> If you use a master key and you back up all your files _except_ the master
> key to some remote location, wouldn't that suffice to protect the database
> in that remote location?

No. The problem is that the master key is not used

Re: Re-encrypt on change of master key

2017-03-14 Thread Adam Lewenberg
On 3/14/2017 12:54 PM, Nico Williams wrote:
On Tue, Mar 14, 2017 at 12:32:10PM -0700, Russ Allbery wrote:
"Henry B (Hank) Hotz, CISSP" writes:
Shut down all daemons on the master.
hprop --decrypt --stdout | hpropd --stdin
Restart all daemons.
You probably also want

Re: Re-encrypt on change of master key

2017-03-14 Thread Jeffrey Hutzelman
On March 14, 2017 6:32:13 PM EDT, Nico Williams wrote:
>On Tue, Mar 14, 2017 at 03:26:57PM -0700, Henry B (Hank) Hotz, CISSP
>wrote:
>> Probably, but encrypting the key material separately doesn’t seem
>like a bad thing.
>
>It's a waste of CPU cycles. It adds no real

Re: Re-encrypt on change of master key

2017-03-14 Thread Russ Allbery
"Henry B (Hank) Hotz, CISSP" writes:
> Shut down all daemons on the master.
> hprop --decrypt --stdout | hpropd --stdin
> Restart all daemons.

You probably also want to shut down incremental propagation while you do this. I think this should force a full resync when the

Re: Re-encrypt on change of master key

2017-03-14 Thread Henry B (Hank) Hotz, CISSP
https://www.mail-archive.com/heimdal-discuss@sics.se/msg00334.html
There’s also a long, historically-interesting, thread on migrating from MIT that includes an example.
> On Mar 14, 2017, at 11:51 AM, Henry B (Hank) Hotz, CISSP
> wrote:
>
>> On Mar 14, 2017, at 9:43 AM, Adam

Re: Re-encrypt on change of master key

2017-03-14 Thread Henry B (Hank) Hotz, CISSP
How’s the contract coming?
> On Mar 14, 2017, at 9:43 AM, Adam Lewenberg wrote:
>
> How do I re-encrypt the entries of the Heimdal KDC database if I want to
> change its master key?

Shut down all daemons on the master.
hprop --decrypt --stdout | hpropd --stdin
Restart