Changing the Encryption Key of the PAM Database
If the encryption key is compromised, it is possible to rotate the database master key without stopping PAM.
To do so, use the Key Rotator utility.
| OS | Path to the utility |
| --- | --- |
| Windows | PAM\MISC\KeyRotator\Pam.Tools.KeyRotator.exe |
| Linux | /etc/axidian/axidian-pam/tools/key-rotator.sh |
Before you run the utility, you need to edit the Encryption section in the configuration file of the Core component.
By default, this section contains only the Primary subsection which specifies the current encryption key and other database settings.
To rotate the database encryption key, follow these steps:
- Create a Secondary subsection in the Encryption section.
- Move settings from Primary to Secondary.
- Enter the new encryption key in the Primary section.
- Save your configuration file.
- Run the Key Rotator utility.
- Wait for the utility to complete, then remove the Secondary section from the configuration file.
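
The configuration edits in the steps above, sketched as an added example (not Axidian's code or tooling). It assumes the Core configuration is JSON with the Encryption section at the top level; the field names inside Primary and all key values are constructed placeholders.

```python
import copy
import json

# Constructed sample. The field names inside Primary ("Algorithm", "Key") are
# placeholders, not the product's documented settings.
SAMPLE_CONFIG = json.loads("""
{
  "Encryption": {
    "Primary": {"Algorithm": "PLACEHOLDER-ALG", "Key": "OLD-KEY-PLACEHOLDER"}
  }
}
""")


def stage_rotation(config, new_primary):
    """Create Secondary from the current Primary, then put the new settings in Primary."""
    staged = copy.deepcopy(config)
    enc = staged.get("Encryption")
    if not isinstance(enc, dict) or "Primary" not in enc:
        raise ValueError("Encryption.Primary not found")
    if "Secondary" in enc:
        # A leftover Secondary means an earlier rotation was never finished.
        raise ValueError("Secondary already present; finish that rotation first")
    if new_primary == enc["Primary"]:
        raise ValueError("new Primary settings are identical to the current ones")
    enc["Secondary"] = enc["Primary"]
    enc["Primary"] = copy.deepcopy(new_primary)
    return staged


def finish_rotation(config):
    """Remove Secondary; call this only after Key Rotator has completed."""
    done = copy.deepcopy(config)
    enc = done.get("Encryption", {})
    if "Secondary" not in enc:
        raise ValueError("no Secondary section to remove")
    del enc["Secondary"]
    return done


if __name__ == "__main__":
    new = {"Algorithm": "PLACEHOLDER-ALG", "Key": "NEW-KEY-PLACEHOLDER"}
    staged = stage_rotation(SAMPLE_CONFIG, new)
    print(json.dumps(staged, indent=2))  # save this file, then run Key Rotator
    print(json.dumps(finish_rotation(staged), indent=2))
```

Refusing to stage when a Secondary section already exists prevents overwriting the old key while data may still be encrypted with it.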