Managing User-Key Passphrases
This section describes the Key Manager actions used for managing user-key passphrases stored in the Key Manager system.
- Storing passphrases.
- Forgetting passphrases.
You can manually store the passphrase of a passphrase-protected key in Key Manager. Storing the passphrase in Key Manager provides the following advantages:
- When you use the Renew action on passphrase-protected keys, Key Manager can keep the passphrases, automatically setting the stored passphrase on the renewed keys.
- Key Manager administrators can review stored passphrases using the Show Passphrase action.
Private keys can have the following passphrase statuses in Key Manager:
- No passphrase: the private key does not have a passphrase.
- Not stored: the private key's passphrase has not been given to Key Manager and is therefore not stored.
- Stored (verified): the passphrase given in Key Manager was checked during a full scan and verified to be the same as the passphrase of the key residing on the host.
- Stored (not verified): the passphrase given in Key Manager has not yet been checked in a full scan. After a scan its status will be either Stored (verified) or Stored (incorrect).
- Stored (incorrect): the passphrase given in Key Manager was checked during a full scan and differs from the passphrase of the key residing on the host.
Passphrases are managed on the User keys→Private keys page, using the actions Provide Passphrase, Set Passphrase and Forget Passphrase.
When a passphrase is provided to a private key, the key's passphrase status is set to Stored (not verified). To verify the passphrase, run a full scan on the target host.
Passphrases can only be verified by a shell-based full scan; script-based scans do not verify private key passphrases.
For private keys with a verified passphrase or no passphrase, you can change the passphrase using the Set Passphrase action. The new passphrase is set and verified immediately.
To store private-key passphrases via the command-line client, use the provide-private-key-passphrase command, as in the following example:
$ ssh-mgr-client provide-private-key-passphrase \
-i 99 -d 'passphrase=example_passphrase'
Similarly, to forget private-key passphrases via the command-line client, use the forget-private-key-passphrase command, as in the following example:
$ ssh-mgr-client forget-private-key-passphrase -i 99
For more information about the passphrase-management commands provided by the command-line client, see provide-private-key-passphrase and forget-private-key-passphrase respectively.
Providing a passphrase only stores the passphrase in Key Manager. The actual passphrase of the selected private keys is not changed when you provide a passphrase to Key Manager.
It is primarily up to the Key Manager administrator to ensure that the provided passphrases are correct. Key Manager does not prevent incorrect passphrases from being entered into the system.
Also, Key Manager verifies the validity of a provided passphrase only at the next full scan of the host. For these reasons we recommend that you periodically check for private keys with incorrect passphrases. The validity of the passphrase can be seen in the Passphrase Status column of each private key. You can also perform this check using the command-line client, with a command similar to the following:
$ ssh-mgr-client list-private-keys -F "passphrase_status=stored_incorrect"
If you renew a passphrase-protected private key without specifying a new passphrase, and the correct passphrase of the key is not stored in Key Manager, the key is replaced with a non-passphrase-protected key during renewal.
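The passphrase statuses and transitions listed above (Provide, Set, Forget, shell-based versus script-based full scan) and the renewal hazard described in the last paragraph can be modelled as a small state machine. The following is an added example written for this page, not Key Manager's own code or its command-line client: the status names mirror the text, the key records and the "passphrase actually set on the host" are constructed to simulate a scan, and renewal_risk is a hypothetical pre-renewal check that flags keys which would lose passphrase protection if renewed without a new passphrase.

```python
"""Model of the private-key passphrase lifecycle described on this page.

Added example, not Key Manager code. Status names and transition rules
follow the text; the key records below are constructed sample data.
"""
from enum import Enum


class PassphraseStatus(Enum):
    NO_PASSPHRASE = "no_passphrase"
    NOT_STORED = "not_stored"
    STORED_NOT_VERIFIED = "stored_not_verified"
    STORED_VERIFIED = "stored_verified"
    STORED_INCORRECT = "stored_incorrect"


class PrivateKeyRecord:
    """One private key as Key Manager sees it, plus the passphrase actually
    set on the key at the host (hypothetical field used only to simulate a scan)."""

    def __init__(self, key_id, host_passphrase):
        self.key_id = key_id
        self.host_passphrase = host_passphrase  # None means the key has no passphrase
        self.stored_passphrase = None
        self.status = (PassphraseStatus.NO_PASSPHRASE if host_passphrase is None
                       else PassphraseStatus.NOT_STORED)

    def provide_passphrase(self, passphrase):
        """Provide Passphrase: stores the value only; the key on the host is untouched."""
        self.stored_passphrase = passphrase
        self.status = PassphraseStatus.STORED_NOT_VERIFIED

    def forget_passphrase(self):
        """Forget Passphrase: drops the stored value; the host key is untouched."""
        self.stored_passphrase = None
        self.status = (PassphraseStatus.NO_PASSPHRASE if self.host_passphrase is None
                       else PassphraseStatus.NOT_STORED)

    def set_passphrase(self, new_passphrase):
        """Set Passphrase: only for verified or passphrase-less keys; the new
        passphrase is applied to the host key and verified immediately."""
        if self.status not in (PassphraseStatus.STORED_VERIFIED,
                               PassphraseStatus.NO_PASSPHRASE):
            raise ValueError(f"key {self.key_id}: passphrase must be verified first")
        self.host_passphrase = new_passphrase
        self.stored_passphrase = new_passphrase
        self.status = PassphraseStatus.STORED_VERIFIED

    def full_scan(self, shell_based=True):
        """Full scan: only a shell-based scan checks the stored passphrase."""
        if not shell_based or self.stored_passphrase is None:
            return self.status
        if self.stored_passphrase == self.host_passphrase:
            self.status = PassphraseStatus.STORED_VERIFIED
        else:
            self.status = PassphraseStatus.STORED_INCORRECT
        return self.status


def renewal_risk(keys):
    """Hypothetical pre-renewal check: keys that would come back without
    passphrase protection if renewed now without a new passphrase.
    Returns {key_id: what to do first}."""
    risk = {}
    for key in keys:
        if key.status in (PassphraseStatus.NOT_STORED,
                          PassphraseStatus.STORED_INCORRECT):
            risk[key.key_id] = "provide the correct passphrase before renewing"
        elif key.status is PassphraseStatus.STORED_NOT_VERIFIED:
            risk[key.key_id] = "run a shell-based full scan to verify before renewing"
    return risk


def demo():
    """Constructed scenario: four keys, three provided passphrases, mixed scans."""
    keys = [PrivateKeyRecord(99, "example_passphrase"),   # id 99 as on the page
            PrivateKeyRecord(100, "correct-one"),
            PrivateKeyRecord(101, None),
            PrivateKeyRecord(102, "s3cret")]
    keys[0].provide_passphrase("example_passphrase")    # correct value
    keys[1].provide_passphrase("typo")                  # wrong value, accepted anyway
    keys[3].provide_passphrase("s3cret")                # correct, but never verified
    keys[0].full_scan()                                 # shell-based: verified
    keys[1].full_scan()                                 # shell-based: incorrect
    keys[3].full_scan(shell_based=False)                # script-based: no change
    return keys


if __name__ == "__main__":
    for k in demo():
        print(k.key_id, k.status.value)
    print(renewal_risk(demo()))
```

The point the model makes explicit is in renewal_risk: Key Manager accepts a wrong passphrase at Provide time and only discovers it at the next shell-based full scan, so a key that is renewed between those two events is silently downgraded to an unprotected key. Running the equivalent list-private-keys filter before a renewal job closes that window.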