sechkey Utility—Change a Symmetric Encryption Key

The sechkey utility changes the CA ControlMinder symmetric encryption key for CA ControlMinder programs.

You can run sechkey in interactive or non-interactive mode. When you run sechkey in interactive mode, sechkey prompts you to enter the old and new encryption keys.

You must stop CA ControlMinder before you use sechkey to change a symmetric encryption key. You must have the ADMIN attribute to use sechkey.

Important! To avoid communication problems, use the same encryption key on all computers that run CA ControlMinder components.

This utility has the following format in interactive mode:

sechkey

This utility has the following format in non-interactive mode:

sechkey {oldkey | -d} {newkey | -d} [-s registry_path]

sechkey has some additional switches that are only valid on UNIX computers. This utility has the following format for UNIX computers:

sechkey {oldkey | -d} {newkey | -d | -n} [-nopmd | -r hostname]
sechkey -k newkey
sechkey -c

-c

(UNIX) Clears the selogrd encryption key. The default key is saved in the key file.

Note: The saved key itself is encrypted with the default encryption method.

-d

Specifies the default CA ControlMinder key.

-k

(UNIX) Specifies the selogrd encryption key that you want to change to. The encryption key is saved in a new file or updated in the old one.

-n

(UNIX) Lists the programs that are using the current key, without changing to a different key.

newkey

Specifies the new encryption key.

-nopmd

(UNIX) Changes the key without updating the Policy Model update file with the new key.

oldkey

Specifies the (current) encryption key that you want to change.

-r hostname

(UNIX) Specifies the name of the remote computer whose encryption key you want to change.

To use this option, CA ControlMinder must be running on both the local and remote computers. This parameter does not actually change the key; rather, it saves information so that the next time you start CA ControlMinder on the remote computer (using seload -c), the key is changed.

-s registry_path

(Windows) Specifies the registry root path where the encryption key for CA ControlMinder programs is stored. This switch is only valid for third-party programs that use the CA ControlMinder SDK.

Example: Check If a UNIX Computer Uses the Default Encryption Key

The following command checks if a UNIX computer uses the default CA ControlMinder encryption key:

sechkey -d -n

More information:

Change the Symmetric Encryption Key