sechkey Utility Change the Symmetric Encryption Method

The sechkey utility changes the symmetric encryption method for PAM Server Control programs. When you change the symmetric encryption method, sechkey decrypts each encrypted password in the PAM Server Control database, then encrypts each password with the new encryption method.
If PAM Server Control is operating in FIPS-only mode, you cannot change the symmetric encryption method. PAM Server Control operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from changing the encryption method to a non-FIPS compliant method.
You must stop PAM Server Control before you use sechkey to change the symmetric encryption method. You must have the ADMIN attribute to use sechkey.
To avoid communication problems, use the same encryption method on all computers that run PAM Server Control components.
This utility has the following format:
sechkey -m -sym {aes128 | aes192 | aes256 | des | tripledes | default} [-s registry_path]
  • -m
    Specifies to change the encryption method.
  • -s registry_path
    (Windows) Specifies the registry root path where the encryption key for PAM Server Control programs is stored. This switch is only valid for third-party programs that use the PAM Server Control SDK.
  • -sym
    Specifies the new encryption method to use.
    • aes128
      Specifies to use the following encryption method:
      (Windows): aes128enc.dll
      (UNIX): libaes128.so
    • aes192
      Specifies to use the following encryption method:
      (Windows): aes192enc.dll
      (UNIX): libaes192.so
    • aes256
      Specifies to use the following encryption method:
      (Windows): aes256enc.dll
      (UNIX): libaes256.so
    • des
      Specifies to use the following encryption method:
      (Windows): desenc.dll
      (UNIX): libdes.so
    • tripledes
      Specifies to use the following encryption method:
      (Windows): tripledesenc.dll
      (UNIX): libtripledes.so
    • default
      Specifies to use the following proprietary PAM Server Control encryption method:
      (Windows): defenc.dll
      (UNIX): libscramble.so
Example: Change the Symmetric Encryption Method to AES256
The following command changes the symmetric encryption method to AES256:
sechkey -m -sym aes256
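The following pre-flight script is an added example, not part of the product or its documentation. It applies the constraints described above (valid method names, the fips_only restriction, one method on all computers) before a change. The way the fips_only value is obtained, the inventory format, and the host names are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks before running sechkey -m.
# Assumptions (not from the product): the fips_only value and the inventory
# of "host current_method" lines are gathered by you and passed in.
# Still manual: stop PAM Server Control and run as a user with ADMIN.

# sechkey_command METHOD FIPS_ONLY
# Prints the command to run; returns 1 in FIPS-only mode, 2 for a bad method.
sechkey_command() {
    case "$1" in
        aes128|aes192|aes256|tripledes) ;;
        des|default)
            # DES and the proprietary method are not FIPS-approved algorithms.
            echo "warning: '$1' is not a FIPS-approved method" >&2 ;;
        *)
            echo "error: '$1' is not a method sechkey accepts" >&2
            return 2 ;;
    esac
    if [ "$2" = "1" ]; then
        echo "error: fips_only=1, the method cannot be changed" >&2
        return 1
    fi
    printf 'sechkey -m -sym %s\n' "$1"
}

# hosts_needing_change METHOD  (inventory on stdin)
# Prints every host whose current method differs from METHOD. All of them
# must be changed in the same maintenance window so that every computer
# ends up on the same method.
hosts_needing_change() {
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        $2 != want           { print $1 }
    '
}

# Demo with a constructed inventory (host names are made up).
if cmd=$(sechkey_command aes256 0); then
    echo "run on each host below: $cmd"
    hosts_needing_change aes256 <<'EOF'
# host      current_method
pam-app01   aes256
pam-app02   default
pam-db01    tripledes
EOF
fi
```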