Product Feature - Key Rotation Using Acceptor Only Keys

Key rotation has proven to be difficult in the past because there is a risk of a single point of failure if a shared key starts being used for new connections before all of the parties have received the key. AuriStorFS v0.189 addresses these risks by introducing the concept of acceptor-only keys. An accepter-only key cannot be used to initiate new connections. Therefore they can be safely distributed to servers without risk that the key might be used before the accepting server has received its copy of the key.

The pre-existing "asetkey add" command adds a key to KeyFileExt that can be used for both initating and accepting connections. The new "asetkey add-acceptor" command adds a key to KeyFileExt that can only be used when accepting connections. This makes it safe to add new keys without the risk that a service restart prior to the distribution of the updated KeyFileExt to all systems might result in the premature use of the new key to secure new connections.

After the KeyFileExt with the acceptor-only has been deployed to all AuriStorFS servers and the '/etc/yfs/server/yfs-server.conf' file has been touched or the servers restarted, then the "asetkey promote-acceptor" command can be executed to convert the acceptor-only key to a key that can be used when initiating connections.

The key rotation pattern therefore becomes:

  1. execute asetkey add-acceptor to add a new key to KeyFileExt
  2. on each server
    1. deploy updated KeyFileExt to each server
    2. 'touch /etc/yfs/server/yfs-server.conf'
  3. execute asetkey promote-acceptor to update KeyFileExt
  4. on each server
    1. deploy updated KeyFileExt to each server
    2. 'touch /etc/yfs/server/yfs-server.conf'
  5. execute asetkey delete to remove the old key from KeyFileExt
  6. on each server
    1. deploy updated KeyFileExt to each server
    2. 'touch /etc/yfs/server/yfs-server.conf'

Note that this procedure only works for yfs-rxgk and rxkad_k5 keys. It will not work for rxkad keys (56-bit DES).

This procedure is not applicable to rotating the keys in the /etc/yfs/server/vl.keytab and /etc/yfs/server/bos.keytab Kerberos keytabs. All keys stored in the Kerberos keytab files are inherently acceptor-only. The procedure for rotating Kerberos service principal keys in the Kerberos KDC is implementation specific.