IPSEC_RANBITS(8)                                              IPSEC_RANBITS(8)

NAME
       ipsec newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS
       ipsec newhostkey [--quiet | --verbose] [--bits bits]
             [--hostname hostname] --output filename

DESCRIPTION
       newhostkey outputs (into filename, which can be '-' for standard
       output) an RSA private key suitable for this host, in /etc/ipsec.secrets
       format (see ipsec.secrets(5)). Quiet operation (--quiet) is the default.

       The --output option is mandatory. The specified filename is created
       under umask 077 if nonexistent; if it already exists and is non-empty, a
       warning message about that is sent to standard error, and the output is
       appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the
       existing-file warning message.

       The --bits option specifies the number of bits in the key; the current
       default is 2192 and we do not recommend use of anything shorter unless
       unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what
       host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to
       complete the ipsec.secrets format. In the usual case, where ipsec.secrets
       contains only the host's own private key, the output of newhostkey is
       sufficient as a complete ipsec.secrets file.

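       The file handling described above (creation under umask 077, the
       existing-file warning on standard error, appending, '-' for standard
       output, and the ipsec.secrets bracketing) is shown here as an added
       shell example. It is not FreeS/WAN's own newhostkey script: the key
       text is read from standard input rather than generated by rsasigkey, so
       it runs without the IPsec tools installed, and the exact ": RSA {" /
       "}" layout is an assumption about the ipsec.secrets(5) format.

```sh
#!/bin/sh
# Added example, not FreeS/WAN code: reproduces the --output handling that
# ipsec newhostkey documents.  Key text comes from stdin (constructed input in
# the usage below) instead of from ipsec rsasigkey.

# secrets_wrap: add the ipsec.secrets bracketing around rsasigkey-style lines.
# The ": RSA {" / "}" layout and indentation are an assumption about
# ipsec.secrets(5), not taken from this page.
secrets_wrap() {
    printf ': RSA {\n'
    sed 's/^/        /'
    printf '        }\n'
}

# write_hostkey FILENAME [quiet]
#   ""   -> error: --output is mandatory
#   "-"  -> write to standard output
#   else -> create FILENAME under umask 077 (so a new file is mode 0600);
#           if it exists and is non-empty, warn on stderr (unless quiet=yes)
#           and append rather than overwrite.
write_hostkey() {
    out=$1
    quiet=${2:-no}
    if [ -z "$out" ]; then
        echo "write_hostkey: --output filename is required" >&2
        return 2
    fi
    if [ "$out" = "-" ]; then
        secrets_wrap
        return 0
    fi
    if [ -s "$out" ] && [ "$quiet" != yes ]; then
        echo "write_hostkey: warning: $out exists and is non-empty; appending" >&2
    fi
    # The subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077 && secrets_wrap >> "$out" )
}

# file_mode FILENAME: permission string as ls prints it, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage with a constructed key line (a real key has several such fields):
#   printf 'Modulus: 0xabc\n' | write_hostkey /tmp/ipsec.secrets.example
#   file_mode /tmp/ipsec.secrets.example        # -rw-------
```

       The mode check is the point of the umask: a private key file that the
       tool creates itself is never readable by other users, while an existing
       file keeps whatever mode the administrator gave it.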
FILES
       /dev/random, /dev/urandom

SEE ALSO
       ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY
       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
       Henry Spencer.

BUGS
       As with rsasigkey, the run time is difficult to predict, since
       depletion of the system's randomness pool can cause arbitrarily long
       waits for random bits, and the prime-number searches can also take
       unpredictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) for some typical performance numbers.

       A higher-level tool which could handle the clerical details of changing
       to a new key would be helpful.

       The requirement for --output is a blemish, but private keys are
       extremely sensitive information and unusual precautions seem justified.