'\" t
.\" Title: tangd-rotate-keys
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 12/26/2023
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "TANGD\-ROTATE\-KEYS" "1" "12/26/2023" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
tangd-rotate-keys \- Perform rotation of tang keys
.SH "SYNOPSIS"
.sp
\fBtangd\-rotate\-keys\fR [\-h] [\-v] \-d
.SH "DESCRIPTION"
.sp
In order to preserve the security of the system over the long run, you need to periodically rotate your keys\&. The precise interval at which you should rotate depends upon your application, key sizes and institutional policy\&. For some common recommendations, see: https://www\&.keylength\&.com\&.
.sp
\fBtangd\-rotate\-keys\fR generates new keys in the key database directory given by the \fB\-d\fR option\&. This is typically \fB/var/db/tang\fR\&. It also renames the old keys to have a leading \&. in order to hide them from advertisement\&.
.sp
Tang will immediately pick up all changes\&. No restart is required\&.
.sp
At this point, new client bindings will pick up the new keys and old clients can continue to utilize the old keys\&. Once you are sure that all the old clients have been migrated to use the new keys, you can remove the old keys\&. Be aware that removing the old keys while clients are still using them can result in data loss\&. You have been warned\&.
.SH "OPTIONS"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-d\fR : The directory with the keys, e\&.g\&. /var/db/tang
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-h\fR: Display the usage information
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-v\fR: Verbose\&. Display additional info on keys created/rotated
.RE
.SH "AUTHOR"
.sp
Sergio Correia
.SH "SEE ALSO"
.sp
\fBtang\fR(8)
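.SH "EXAMPLES"
.sp
The following is an added example, not part of tang or of the original manual page. It shows one way to carry out the removal step described above reversibly: rotated keys (the ones with a leading dot) are moved into an owner\-only archive directory instead of being deleted, and nothing is moved when the directory advertises no keys. Assumptions: key files are named *.jwk, which this page does not state, and the function names and the archive directory are hypothetical.

```shell
#!/bin/sh
# Added example (not part of tang). Assumes key files are named *.jwk,
# which this page does not state; rotated keys carry a leading ".".

# count_keys DIR advertised|hidden: print how many key files of that kind exist.
count_keys() {
    case $2 in
        advertised) set -- "$1"/[!.]*.jwk ;;
        hidden)     set -- "$1"/.*.jwk ;;
        *)          return 2 ;;
    esac
    n=0
    for f in "$@"; do
        # An unmatched glob stays literal and is skipped by the -f test.
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# retire_hidden_keys DIR ARCHIVE: move rotated (hidden) keys into ARCHIVE
# instead of deleting them, so a key that an old client turns out to need
# can be put back into DIR. Prints the number of keys moved.
retire_hidden_keys() {
    dir=$1 archive=$2
    # Refuse when nothing is advertised: no new keys exist in DIR, so the
    # hidden keys are the only ones any client could be using.
    if [ "$(count_keys "$dir" advertised)" -eq 0 ]; then
        echo "no advertised keys in $dir; refusing to retire old keys" >&2
        return 1
    fi
    # The archive holds private key material: owner-only access.
    mkdir -p "$archive" && chmod 700 "$archive" || return 1
    moved=0
    for f in "$dir"/.*.jwk; do
        [ -f "$f" ] || continue
        mv -- "$f" "$archive/" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}
```

Run retire_hidden_keys only once you are sure all old clients have been migrated; the archive makes a mistake recoverable but does not keep old clients working while the keys are out of the key directory.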