sechkey Utility: Change a Symmetric Encryption Key
The sechkey utility changes the symmetric encryption key for Privileged Access Manager programs.
You can run sechkey in interactive or non-interactive mode. When you run sechkey in interactive mode, sechkey prompts you to enter the old and new encryption keys.
You must stop Privileged Access Manager before you use sechkey to change a symmetric encryption key. You must have the ADMIN attribute to use sechkey.
To avoid communication problems, use the same encryption key on all computers that run Privileged Access Manager components.
This utility has the following format in interactive mode:
sechkey
This utility has the following format in non-interactive mode:
sechkey {oldkey | -d} {newkey | -d} [-s registry_path]
sechkey has some additional switches that are only valid on UNIX computers. This utility has the following format for UNIX computers:
sechkey {oldkey | -d} {newkey | -d | -n} [-nopmd | -r hostname]
sechkey -k newkey
sechkey -c
- -c (UNIX) Clears the selogrd encryption key. The default key is saved in the key file. Note: The saved key itself is encrypted with the default encryption method.
- -d Specifies the default Privileged Access Manager key.
- -k (UNIX) Specifies the selogrd encryption key that you want to change to. The encryption key is saved in a new file or updated in the old one.
- -n (UNIX) Lists the programs that are using the current key, without changing to a different key.
- newkey Specifies the new encryption key.
- -nopmd (UNIX) Changes the key without updating the Policy Model update file with the new key.
- oldkey Specifies the (current) encryption key that you want to change.
- -r hostname (UNIX) Specifies the name of the remote computer whose encryption key you want to change. To use this option, Privileged Access Manager must be running on both the local and remote computers. This parameter does not actually change the key; rather, it saves information so that the next time you start Privileged Access Manager on the remote computer (using seload -c), the key is changed.
- -s registry_path (Windows) Specifies the registry root path where the encryption key for Privileged Access Manager programs is stored. This switch is only valid for third-party programs that use the Privileged Access Manager SDK.
Example: Check If a UNIX Computer Uses the Default Encryption Key
The following command checks if a UNIX computer uses the default Privileged Access Manager encryption key:
sechkey -d -n
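Because several switches are valid on only one platform, automation that drives sechkey non-interactively across a mixed UNIX and Windows fleet can check each argument list against the syntax forms above before running anything. The following is an added example, not Privileged Access Manager code; the function name sechkey_form and its result strings are hypothetical, and rejecting keys that begin with "-" is an assumption of the example.

```shell
#!/bin/sh
# Added example: classify a sechkey argument list against the documented syntax.
# It never runs sechkey and never prints key values.
# sechkey_form and its result strings are names made up for this example.
# Usage: sechkey_form <unix|windows> [sechkey arguments...]
sechkey_form() {
    platform=$1; shift
    case $platform in
        unix|windows) ;;
        *) echo "invalid: platform must be unix or windows"; return 1 ;;
    esac
    # No arguments: interactive mode, sechkey prompts for both keys.
    if [ $# -eq 0 ]; then echo "interactive"; return 0; fi
    # UNIX-only forms that manage the selogrd key.
    if [ "$platform" = unix ]; then
        if [ $# -eq 1 ] && [ "$1" = "-c" ]; then echo "selogrd-clear"; return 0; fi
        if [ $# -eq 2 ] && [ "$1" = "-k" ]; then echo "selogrd-set"; return 0; fi
    fi
    # Every other form starts with {oldkey | -d} {newkey | -d | -n}.
    if [ $# -lt 2 ]; then echo "invalid: old and new key are both required"; return 1; fi
    old=$1; new=$2; shift 2
    # Assumption of this example: a key that starts with "-" is rejected,
    # because it cannot be told apart from a switch.
    case $old in
        -d) ;;
        -*) echo "invalid: oldkey position holds a switch"; return 1 ;;
    esac
    form=change
    case $new in
        -d) ;;
        -n) if [ "$platform" != unix ]; then echo "invalid: -n is UNIX only"; return 1; fi
            form=list-programs ;;
        -*) echo "invalid: newkey position holds a switch"; return 1 ;;
    esac
    # Optional tail: [-nopmd | -r hostname] on UNIX, [-s registry_path] on Windows.
    case "$platform:$#:${1-}" in
        unix:0:|windows:0:) echo "$form" ;;
        unix:1:-nopmd)      echo "$form-nopmd" ;;
        unix:2:-r)          echo "$form-remote" ;;
        windows:2:-s)       echo "$form-registry" ;;
        *) echo "invalid: trailing arguments do not match the $platform syntax"; return 1 ;;
    esac
}

sechkey_form unix -d -n   # the page's example; prints "list-programs"
```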