Encrypting Kerberos SNC keys for secure storage on NAM Probe

Use the kpaencrypt utility to encrypt Kerberos keys stored on the disk by the NAM Probe.

The kpaencrypt utility reads a key from the disk, prompts the administrator for a password to use for the encryption, and then stores the key in encrypted form. Because the encryption is password-based, the protection of the stored key is only as strong as the password you choose.

Note

The target location where you store the encrypted key can be different from the source location from which the key is read. This means that if, for security reasons, you do not want to copy the unencrypted key onto the NAM Probe, you can supply it on an external removable drive and pass the full path to that device, so the plaintext file never has to be copied onto the system. If you do copy the unencrypted file onto the NAM Probe, erase it afterwards with the shred utility.

The kpaencrypt utility is a binary file accessible through the path /usr/adlex/rtm/bin/kpaencrypt

To execute the command, log in as user root and then execute it using the following syntax:

kpaencrypt sourcefile destinationfile

where both parameters can contain full file paths. You will then be prompted to enter the password to be used for the encryption. For example:

[root@amd-35 keys]# kpaencrypt ./02.keytab ./02.keytab.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

After you have encrypted the key, you can securely delete the source file with the shred command. Unlike rm, which only removes the directory entry and leaves the data blocks intact, shred overwrites the file contents before deleting it, so a disk recovery tool cannot simply undelete the file. Use the -fuz options: -f forces write permission on the file if necessary, -u removes the file name from the directory after overwriting, and -z performs a final pass with zeros to hide the shredding. Note that shred assumes the file system overwrites data in place; on journaling, copy-on-write or log-structured file systems, and on SSDs with wear levelling, copies of the old blocks may survive (see the shred man page). For example:

[root@amd-35 keys]# shred -fuz ./02.keytab

Caution:

Secure deletion is not a necessary step in the process of encrypting the keys. This is a security measure which you should follow if you do not want the un-encrypted file to remain on the system. Remember that this command will remove the file without any means of recovery of the removed information.
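The encrypt-then-shred sequence above destroys the only plaintext copy of the key, so it is worth scripting it so that the shred happens only after the encrypted output has been verified. The following wrapper is an added example, not part of the NAM Probe distribution: it assumes the real tools at their default paths (kpaencrypt, which prompts for the password interactively, and shred), and the KPAENCRYPT and SHRED variables are a hypothetical convenience for dry runs. It refuses to overwrite an existing encrypted key, checks that the source is readable and the output is non-empty, restricts the encrypted file to root, and only then shreds the source.

```shell
#!/bin/sh
# Added example (not NAM Probe code): encrypt a Kerberos keytab with
# kpaencrypt and shred the plaintext only after the output is verified.
# KPAENCRYPT and SHRED are hypothetical overrides for dry runs; the
# defaults are the real tools described on this page.
set -u

KPAENCRYPT="${KPAENCRYPT:-/usr/adlex/rtm/bin/kpaencrypt}"
SHRED="${SHRED:-shred}"

# encrypt_keytab SRC DST
# Returns 0 on success. On any failure it returns non-zero and leaves
# SRC untouched, so a bad run never costs you the key.
encrypt_keytab() {
    src="$1"
    dst="$2"
    # Never silently replace a key the probe may already be using.
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 2
    fi
    # The source may live on removable media; make sure it is really there.
    if [ ! -r "$src" ] || [ ! -s "$src" ]; then
        echo "source $src is missing, unreadable or empty" >&2
        return 3
    fi
    # kpaencrypt prompts for the password on the terminal; it is never
    # passed on the command line, so it does not land in shell history.
    "$KPAENCRYPT" "$src" "$dst" || {
        echo "kpaencrypt failed for $src" >&2
        return 4
    }
    # Verify the encrypted output before anything destructive happens.
    if [ ! -s "$dst" ]; then
        echo "encrypted output $dst is missing or empty" >&2
        return 5
    fi
    # The encrypted key still deserves root-only permissions.
    chmod 0600 "$dst"
    return 0
}

# shred_source SRC
# -f forces write permission, -u unlinks after overwriting, -z adds a
# final zero pass to hide the shredding (see the shred man page).
shred_source() {
    "$SHRED" -fuz "$1"
}

# encrypt_and_shred SRC DST
# Full procedure: encrypt, verify, then destroy the plaintext copy.
encrypt_and_shred() {
    encrypt_keytab "$1" "$2" || return $?
    shred_source "$1" || {
        echo "WARNING: $2 written but shred of $1 failed; remove it by hand" >&2
        return 6
    }
    echo "encrypted key written to $2, plaintext $1 shredded"
    return 0
}

# Usage: ./encrypt_keytab.sh /media/usb/02.keytab /usr/adlex/config/keys/02.keytab.enc
if [ "$#" -eq 2 ]; then
    encrypt_and_shred "$1" "$2"
fi
```

Run it as root, exactly like the bare kpaencrypt command; the password prompt still comes from kpaencrypt itself. If the script reports that shred failed after the encrypted key was written, the plaintext is still on disk and must be removed manually.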

After you have successfully encrypted the key, you must make the NAM Probe aware of it by listing it in the keylist file and loading it to NAM Probe memory at runtime. For more information, see Listing Kerberos SNC keys in NAM Probe configuration.