REKEY

Synopsis

HELP:   Re-key (import and export keyset) of archives
TYPE:   OBJECT
SYNTAX: REKEY(NET.{},STORE/SAVE.{},ALLOW=NO/DATA-KEY-ZERO/MEMBER-KEY-ZERO,KEYMODE=ADD/REPLACE,IMPORT/DECRYPT.{},EXPORT/ENCRYPT.{},LOGGING.{},MESSAGE(),NORUN)

Description

The REKEY subcommand can be used to add or replace keysets of a FLAM archive. Each keyset assigns access rights to the credentials specified in the keyset. Depending on the access rights granted, the directory, member and data keys, or only a subset of them, are stored encrypted in each keyset. For example, if a keyset has no right to access the encrypted data, the data key is unset for this keyset.

To perform rekeying, an existing keyset is imported and exported using a new encryption specification. The newly exported keyset is then either added to the list of valid keysets or it replaces all previously specified keysets, depending on the KEYMODE parameter. This creates an archive version with the new access rights applied. Please note that all previous archive versions can still be read using the previous credentials. If this is not what you want, you need to delete the old archive versions because each version exists independently and is immutable.

Rekeying is only possible when authenticating with a keyset for which no RIGHTS object has been specified, i.e. the keyset has full access to every type of data for which an encryption key is present in the keyset (DATA/MEMBER/DIRECTORY). By default, all three key types must exist in the keyset for rekeying. Keysets that don't have data access can be used for rekeying, but the ALLOW parameter must be used to confirm this action. A keyset without data access cannot grant data access to the new keyset or replace the existing keysets.
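The following is an added illustration of the rekeying rules described above; it is a constructed model, not FLAM's own code. The Keyset and ArchiveVersion layouts, the rekey() function, the credential names and the sample key bytes are all assumptions made for the example, and the per-keyset encryption of the keys is not modelled (keys are held as plain bytes). What it does show is the point a defender has to keep in mind: REPLACE produces a new immutable version, the old credentials keep reading every earlier version until those versions are deleted, and a keyset without a data key can only rekey under ALLOW=DATA-KEY-ZERO, cannot hand out a data key, and cannot REPLACE.

```python
"""Constructed model of the REKEY semantics (not FLAM code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Keyset:
    """One keyset: the archive keys this credential may use (hypothetical layout)."""
    credential: str
    directory_key: Optional[bytes]
    member_key: Optional[bytes]
    data_key: Optional[bytes]          # None: no access to the encrypted data
    rights_restricted: bool = False    # True if a RIGHTS object was specified


@dataclass(frozen=True)
class ArchiveVersion:
    """An archive version is immutable; rekeying only ever appends a new one."""
    number: int
    keysets: Tuple[Keyset, ...]


class RekeyError(Exception):
    pass


def open_version(version: ArchiveVersion, credential: str) -> Optional[Keyset]:
    """Authenticate against one version: return the matching keyset or None."""
    for ks in version.keysets:
        if ks.credential == credential:
            return ks
    return None


def rekey(versions: List[ArchiveVersion], auth: str, new_credential: str,
          keymode: str, allow: str = "NO") -> List[ArchiveVersion]:
    """Import the keyset of `auth` from the latest version and export it for
    `new_credential`, producing a new version according to KEYMODE."""
    current = versions[-1]
    src = open_version(current, auth)
    if src is None:
        raise RekeyError("authentication failed")
    if src.rights_restricted:
        raise RekeyError("a keyset with a RIGHTS object cannot rekey")
    if src.directory_key is None:
        raise RekeyError("directory key missing")  # assumption: always required
    if src.member_key is None and allow != "MEMBER-KEY-ZERO":
        raise RekeyError("member key missing; ALLOW=MEMBER-KEY-ZERO required")
    if src.data_key is None and allow != "DATA-KEY-ZERO":
        raise RekeyError("data key missing; ALLOW=DATA-KEY-ZERO required")
    if keymode not in ("ADD", "REPLACE"):
        raise RekeyError("KEYMODE must be ADD or REPLACE")
    if src.data_key is None and keymode == "REPLACE":
        raise RekeyError("a keyset without data access cannot replace keysets")
    # The exported keyset carries at most the keys the imported keyset holds,
    # so a keyset without data access can never grant data access.
    exported = Keyset(new_credential, src.directory_key, src.member_key, src.data_key)
    keysets = current.keysets + (exported,) if keymode == "ADD" else (exported,)
    return versions + [ArchiveVersion(current.number + 1, keysets)]


def readable_versions(versions: List[ArchiveVersion], credential: str) -> List[int]:
    """Version numbers a credential can still open: old versions stay readable."""
    return [v.number for v in versions if open_version(v, credential) is not None]


def delete_old_versions(versions: List[ArchiveVersion]) -> List[ArchiveVersion]:
    """The only way to really revoke the old credentials: drop the old versions."""
    return versions[-1:]


if __name__ == "__main__":
    alice = Keyset("alice", b"dir", b"mem", b"dat")   # constructed sample keys
    archive = [ArchiveVersion(1, (alice,))]
    replaced = rekey(archive, "alice", "bob", "REPLACE")
    print("alice reads", readable_versions(replaced, "alice"))  # [1]
    print("bob reads", readable_versions(replaced, "bob"))      # [2]
    print("after deleting old versions, alice reads",
          readable_versions(delete_old_versions(replaced), "alice"))  # []
```

Run it as a script to see that after a REPLACE the old credential still opens version 1 and loses access only once delete_old_versions() is applied; the same functions also exercise the ALLOW=DATA-KEY-ZERO path for a keyset that has no data key.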

To get syntax information, please use:

   flcl SYNTAX ARCHIVE.REKEY

To get help for a parameter, please use:

   flcl HELP ARCHIVE.REKEY.parameter[.parameter[...]]

To read the manual page for a parameter, please use:

   flcl MANPAGE ARCHIVE.REKEY.parameter[.parameter[...]]
      or
   flcl HELP ARCHIVE.REKEY.parameter[.parameter[...]] MAN

To generate the user manual for the command, please use:

   flcl GENDOCU ARCHIVE.REKEY=filename

Parameters can be defined via command line (directly or by parameter file) or via properties taken from the corresponding property file.

Arguments