bjk's blog

May 1, 2010

pwmd and key files

Filed under: pwmd, security — bjk @ 2:07 pm

Just a note about keyfiles in pwmd. pwmd reads until there's a null byte or newline in the keyfile. This is badly documented and may confuse you if you're wanting to use a binary keyfile, since it may contain a newline or null byte before the end of file, in which case only the bytes before it are used as the key. If you really want to use a binary file as a keyfile then base64 encode it. For example, to use a random key and store it in a key file:

dd if=/dev/urandom bs=1 count=512 | openssl base64 -A > keyfile

This would generate a random 512-byte key and base64 encode it with openssl. The -A parameter means to keep the encoded data on one line, which is what pwmd needs (base64 output never contains a null byte, and with -A it contains no newline either).
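To see how much of a raw key file actually reaches pwmd under the read-until-NUL-or-newline behaviour described above, here is an added Python check (not part of pwmd, function names are my own) that mimics that rule on a constructed sample, shows that the base64 -A form is used in full, and computes how likely a random binary file is to be cut short.

```python
import base64
import os


def pwmd_effective_key(keyfile: bytes) -> bytes:
    """Return the bytes the pwmd version discussed in the post actually
    uses: it stops reading at the first NUL (0x00) or newline (0x0A)."""
    for i, b in enumerate(keyfile):
        if b in (0x00, 0x0A):
            return keyfile[:i]
    return keyfile


def truncation_probability(n_bytes: int) -> float:
    """Probability that n uniformly random bytes contain at least one
    NUL or newline, i.e. that a raw /dev/urandom key file gets truncated."""
    return 1.0 - (254 / 256) ** n_bytes


def base64_one_line(raw: bytes) -> bytes:
    """Same output as `openssl base64 -A`: standard base64, no line breaks.
    The base64 alphabet contains neither NUL nor newline, so nothing is cut."""
    return base64.b64encode(raw)


def check_keyfile(keyfile: bytes) -> dict:
    """Report how many of the key file's bytes pwmd would really use."""
    used = pwmd_effective_key(keyfile)
    return {"total": len(keyfile), "used": len(used),
            "truncated": len(used) < len(keyfile)}


if __name__ == "__main__":
    # Constructed sample: 512 bytes of key material with a newline at offset 3,
    # so only the first 3 bytes would ever be used as the key.
    raw = bytes([0x41, 0x42, 0x43, 0x0A]) + os.urandom(508)
    print("raw keyfile:   ", check_keyfile(raw))
    print("base64 keyfile:", check_keyfile(base64_one_line(raw)))
    print(f"chance a random 512-byte file is truncated: "
          f"{truncation_probability(512):.1%}")
```

Run it against your own key file by reading it with `open(path, "rb").read()` and passing the bytes to `check_keyfile`.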

In a later version of pwmd I’ll fix this to use an opaque data type and length.

Update: A fix is in the git repository and it’s a more serious problem than I thought. You should regenerate your key_file by doing:

echo DUMP | pwmc datafile > xml

Generate your new key file:

dd if=/dev/random of=new_key_file bs=1 count=SIZE

Where SIZE is the number of random bytes. Then import your existing datafile, encrypting it with the new_key_file:

pwmd --import xml --key-file new_key_file -o new_data_file

Then replace your old key file and data file with the new ones (backup your old key file and data file first in case something goes wrong!).
