Regenerating Firmware Keys

To regenerate encryption and hashing keys, use the -E and -H options respectively. The existing encryption key or HMAC key is invalidated and replaced. You can regenerate these keys separately, or together by specifying both options in a single command.

The HMAC type affects the behavior of the -H key regeneration option. If you regenerate keys without specifying an HMAC type (the -f option), the existing hash keys are destroyed and a new hash key is generated only for the HMAC type currently configured for that service or client.

Consider the following command use cases:

  • $ installadm set-entity -H

    If the current HMAC type is SHA1, the command destroys the current hash keys and generates new SHA1 keys.

  • $ installadm set-entity -f hmac-sha256 -H

    If the current HMAC type is SHA1, the command destroys the current hash keys and generates SHA256 keys.

Note that the -H option is for key regeneration only. An error occurs if you use the option when no keys exist yet.

Note:

If you have SPARC WAN boot clients, make sure that every time you regenerate firmware keys, you also update the encryption and hash keys on those clients accordingly. Otherwise, those clients cannot use secure installation.
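The following wrapper is an added example, not Oracle's code and not part of the installadm tool. It builds the key-regeneration command described above from a few arguments, rejects inconsistent option combinations (an HMAC type without -H, an unknown HMAC type), runs installadm, and appends a log line so that the invalidation of a service's or client's keys is recorded and the affected SPARC WAN boot clients can be updated afterwards. It assumes that the placeholder set-entity stands for "set-service -n name" and "set-client -e mac-address", that the -f values for SHA1 and SHA256 are written hmac-sha1 and hmac-sha256, and that INSTALLADM and REGEN_LOG may be overridden for testing; these are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Oracle's code): wrapper around installadm key regeneration.
# Assumptions: set-entity = "set-service -n NAME" or "set-client -e MAC";
# HMAC types are spelled hmac-sha1 / hmac-sha256; INSTALLADM may point at a
# stub and REGEN_LOG at any writable file (hypothetical default path below).
INSTALLADM=${INSTALLADM:-installadm}
REGEN_LOG=${REGEN_LOG:-/var/tmp/ai-key-regen.log}

# build_regen_args KIND ID WHICH [HMACTYPE]
#   KIND     service | client
#   ID       service name (service) or client MAC address (client)
#   WHICH    hmac | enc | both   (which keys to regenerate: -H, -E, or -H -E)
#   HMACTYPE optional -f value; only valid together with -H (hmac or both)
# Prints the installadm argument list on stdout; returns 1 on invalid input.
build_regen_args() {
    kind=$1; id=$2; which=$3; hmactype=$4
    case "$kind" in
        service) sub="set-service -n $id" ;;
        client)  sub="set-client -e $id" ;;
        *) echo "unknown entity kind: $kind" >&2; return 1 ;;
    esac
    case "$which" in
        hmac) opts="-H" ;;
        enc)  opts="-E" ;;
        both) opts="-H -E" ;;
        *) echo "WHICH must be hmac, enc or both" >&2; return 1 ;;
    esac
    if [ -n "$hmactype" ]; then
        # The HMAC type only influences -H; with -E alone it is meaningless.
        if [ "$which" = enc ]; then
            echo "an HMAC type (-f) requires hash key regeneration (-H)" >&2
            return 1
        fi
        case "$hmactype" in
            hmac-sha1|hmac-sha256) opts="-f $hmactype $opts" ;;
            *) echo "unsupported HMAC type: $hmactype" >&2; return 1 ;;
        esac
    fi
    echo "$sub $opts"
}

# regen_keys KIND ID WHICH [HMACTYPE]
# Runs installadm with the built arguments and records the regeneration,
# reminding the operator that WAN boot clients must get the new keys.
regen_keys() {
    args=$(build_regen_args "$@") || return 1
    # Word splitting of $args is intended: it is a list of separate arguments.
    $INSTALLADM $args || return 1
    printf '%s %s/%s regenerated: installadm %s (update WAN boot client keys)\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$args" >> "$REGEN_LOG"
}

# Usage (service name and MAC are constructed sample values):
#   regen_keys service s11x86 hmac hmac-sha256    # -> set-service -n s11x86 -f hmac-sha256 -H
#   regen_keys client 01:02:03:04:05:06 both      # -> set-client -e 01:02:03:04:05:06 -H -E
```

Because regenerating keys invalidates the old ones immediately, keeping the log line next to the command makes it easy to see which services and clients still need their WAN boot keys updated.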