KeyFile - Defines AFS server encryption keys


The KeyFile file defines the server encryption keys that the AFS server processes running on the machine use to decrypt the tickets presented by clients during the mutual authentication process. AFS server processes perform privileged actions only for clients that possess a ticket encrypted with one of the keys from the file. The file must reside in the /usr/afs/etc directory on every server machine. For more detailed information on mutual authentication and server encryption keys, see the IBM AFS Administration Guide.

Each key has a corresponding a key version number that distinguishes it from the other keys. The tickets that clients present are also marked with a key version number to tell the server process which key to use to decrypt it. The KeyFile file must always include a key with the same key version number and contents as the key currently listed for the afs entry in the Authentication Database.

The KeyFile file is in binary format, so always use the appropriate commands from the bos command suite to administer it:

In cells that use the Update Server to distribute the contents of the /usr/afs/etc directory, it is customary to edit only the copy of the file stored on the system control machine. Otherwise, edit the file on each server machine individually.


bos_addkey(8), bos_listkeys(8), bos_removekey(8), kas_setpassword(8), upclient(8), upserver(8)

IBM AFS Administration Guide


IBM Corporation 2000. <> All Rights Reserved.

This documentation is covered by the IBM Public License Version 1.0. It was converted from HTML to POD by software written by Chas Williams and Russ Allbery, based on work by Alf Wachsmann and Elizabeth Cassell.