A key is needed to encrypt files and to generate the MAC of a file. The key should be derived from a random pool of numbers. To create the key, you have three options:
If your site has a random number generator, use the generator.
If you want to generate the key and store it, see How to Generate a Symmetric Key by Using the pktool Command.
Otherwise, use this procedure. This procedure requires that you provide the key size in bits. In contrast, the pktool command determines the correct key size according to the algorithm that you specify.
Determine the key length that your algorithm requires.
List the available algorithms.
% encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes               128   128
arcfour             8   128
des                64    64
3des              192   192
% mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac            64    64
sha1_hmac           8   512
md5_hmac            8   512
sha256_hmac         8   512
sha384_hmac         8  1024
sha512_hmac         8  1024
Determine the key length in bytes to pass to the dd command.
Divide the minimum and maximum key sizes by 8. When the minimum and maximum key sizes are different, intermediate key sizes are possible. For example, a value such as 8, 16, or 64 can be passed to the dd command for the sha1_hmac and md5_hmac functions.
Generate the symmetric key.
% dd if=/dev/urandom of=keyfile bs=n count=n

if=/dev/urandom
    Is the input file. For a random key, use the /dev/urandom file.
of=keyfile
    Is the output file that holds the generated key.
bs=n
    Is the key size in bytes. For the length in bytes, divide the key length in bits by 8.
count=n
    Is the count of the input blocks. The number for n should be 1.
Store your key in a protected directory.
The key file should not be readable by anyone but the user.
% chmod 400 keyfile
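As an added example that is not part of this guide, the following POSIX shell script carries out the procedure above end to end: it checks the requested key length against the Keysize ranges from encrypt -l and mac -l, converts bits to the dd block size, generates the key from /dev/urandom, restricts the file to mode 400, and verifies the byte count. The algorithm table is a constructed copy of the listing above (embedded so the script runs without the Solaris tools), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation. KEYSIZES is a constructed
# copy of the `encrypt -l` / `mac -l` table: algorithm, min bits, max bits.
KEYSIZES='
aes 128 128
arcfour 8 128
des 64 64
3des 192 192
des_mac 64 64
sha1_hmac 8 512
md5_hmac 8 512
sha256_hmac 8 512
sha384_hmac 8 1024
sha512_hmac 8 1024
'

# key_bytes ALGO BITS -> prints the dd block size (BITS/8). Fails when BITS is
# not a whole number of bytes or lies outside the algorithm's listed range.
key_bytes() {
    algo=$1 bits=$2
    range=$(printf '%s\n' "$KEYSIZES" | awk -v a="$algo" '$1 == a { print $2, $3 }')
    [ -n "$range" ] || { echo "unknown algorithm: $algo" >&2; return 1; }
    set -- $range
    min=$1 max=$2
    [ $((bits % 8)) -eq 0 ] || { echo "$bits bits is not a multiple of 8" >&2; return 1; }
    if [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "$algo needs $min..$max bits, got $bits" >&2; return 1
    fi
    echo $((bits / 8))
}

# gen_key ALGO BITS KEYFILE -> writes BITS/8 random bytes to KEYFILE with a
# single dd read (count=1), sets mode 400, and checks that no short read
# occurred. Prints the number of bytes written.
gen_key() {
    algo=$1 bits=$2 keyfile=$3
    n=$(key_bytes "$algo" "$bits") || return 1
    # umask 077 keeps the file private even before chmod runs.
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs="$n" count=1 2>/dev/null ) || return 1
    chmod 400 "$keyfile"
    actual=$(( $(wc -c < "$keyfile") ))
    [ "$actual" -eq "$n" ] || { echo "short read: $actual of $n bytes" >&2; return 1; }
    echo "$actual"
}

# key_mode KEYFILE -> prints the permission string, e.g. -r-------- for mode 400.
key_mode() { ls -ln "$1" | cut -c1-10; }
```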
In the following example, a secret key for the AES algorithm is created. The key is also stored for later decryption. AES mechanisms use a 128-bit key. The key is expressed as 16 bytes in the dd command.
% ls -al ~/keyf
drwx------  2 jdoe  staff  512 May  3 11:32 ./
% dd if=/dev/urandom of=$HOME/keyf/05.07.aes16 bs=16 count=1
% chmod 400 ~/keyf/05.07.aes16
In the following example, a secret key for the DES algorithm is created. The key is also stored for later decryption. DES mechanisms use a 64-bit key. The key is expressed as 8 bytes in the dd command.
% dd if=/dev/urandom of=$HOME/keyf/05.07.des8 bs=8 count=1
% chmod 400 ~/keyf/05.07.des8
In the following example, a secret key for the 3DES algorithm is created. The key is also stored for later decryption. 3DES mechanisms use a 192-bit key. The key is expressed as 24 bytes in the dd command.
% dd if=/dev/urandom of=$HOME/keyf/05.07.3des.24 bs=24 count=1
% chmod 400 ~/keyf/05.07.3des.24
In the following example, a secret key for the MD5 HMAC algorithm (md5_hmac) is created. The key is also stored for later use. The key is expressed as 64 bytes in the dd command.
% dd if=/dev/urandom of=$HOME/keyf/05.07.mack64 bs=64 count=1
% chmod 400 ~/keyf/05.07.mack64