sechkey Utility Change the Symmetric Encryption Method
The sechkey utility changes the symmetric encryption method for Privileged Access Manager programs. When you change the symmetric encryption method, sechkey decrypts each encrypted password in the database, then encrypts each password with the new encryption method.
The sechkey utility changes the symmetric encryption method for Privileged Access Manager programs. When you change the symmetric encryption method, sechkey decrypts each encrypted password in the Privileged Access Manager database, then encrypts each password with the new encryption method.
If Privileged Access Manager is operating in FIPS-only mode, you cannot change the symmetric encryption method. Privileged Access Manager operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from changing the encryption method to a non-FIPS-compliant method.
You must stop Privileged Access Manager before you use sechkey to change the symmetric encryption method. You must have the ADMIN attribute to use sechkey.
To avoid communication problems, use the same encryption method on all computers that run Privileged Access Manager components.
This utility has the following format:
sechkey -m -sym {aes128 | aes192 | aes256 | des | tripledes | default} [-s registry_path]
- -m
  Specifies to change the encryption method.
- -s registry_path
  (Windows) Specifies the registry root path where the encryption key for Privileged Access Manager programs is stored. This switch is only valid for third-party programs that use the Privileged Access Manager SDK.
- -sym
  Specifies the new encryption method to use.
  - aes128
    Specifies to use the following encryption method: (Windows): aes128enc.dll, (UNIX): libaes128.so
  - aes192
    Specifies to use the following encryption method: (Windows): aes192enc.dll, (UNIX): libaes192.so
  - aes256
    Specifies to use the following encryption method: (Windows): aes256enc.dll, (UNIX): libaes256.so
  - des
    Specifies to use the following encryption method: (Windows): desenc.dll, (UNIX): libdes.so
  - tripledes
    Specifies to use the following encryption method: (Windows): tripledesenc.dll, (UNIX): libtripledes.so
  - default
    Specifies to use the following proprietary Privileged Access Manager encryption method: (Windows): defenc.dll, (UNIX): libscramble.so
Example: Change the Symmetric Encryption Method to AES256
The following command changes the symmetric encryption method to AES256:
sechkey -m -sym aes256
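The FIPS-only restriction and the list of valid -sym values can be checked before a change window. The following UNIX shell sketch is an added example, not part of the product or its documentation. It assumes the configuration is an INI-style file with a [crypto] section whose path the caller supplies; the function names ini_get and sechkey_preflight are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check before running "sechkey -m -sym <method>".
# Assumption: the configuration is an INI-style file containing a [crypto]
# section; its path is passed in by the caller (the page does not name it).
# Not checked here: that the product is stopped and that you hold ADMIN.

# Print the value of token $3 in section [$2] of INI file $1 (empty if absent).
ini_get() {
    awk -v sect="$2" -v tok="$3" '
        /^[ \t]*[;#]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", s)
                        in_sect = (s == sect); next }
        in_sect {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == tok) { print v; exit }
        }' "$1"
}

# Print the command to run and return 0 if the change is permitted.
# Return 1 if fips_only is 1, 2 for an unknown method, 3 if unreadable.
sechkey_preflight() {
    conf=$1
    method=$2
    case $method in
        aes128|aes192|aes256|des|tripledes|default) ;;
        *) echo "unknown -sym method: $method" >&2; return 2 ;;
    esac
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    if [ "$(ini_get "$conf" crypto fips_only)" = "1" ]; then
        echo "fips_only=1 in [crypto]: method cannot be changed" >&2
        return 1
    fi
    echo "sechkey -m -sym $method"
}

# Constructed sample configuration (not taken from a real installation).
sample=$(mktemp)
printf '[crypto]\n; constructed sample\nfips_only = 1\n' > "$sample"
sechkey_preflight "$sample" aes256 || echo "blocked (exit $?)"
rm -f "$sample"
```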