Man Linux: Main Page and Category List


       ipsec_newhostkey - generate a new raw RSA authentication key for a host


       ipsec newhostkey [[--quiet] | [--verbose]] [--bits bits]
             [--hostname hostname] --output filename


       newhostkey outputs (into filename, which can be ´-´ for standard
       output) an RSA private key suitable for this host, in
       /etc/ipsec.secrets format (see ipsec.secrets(5)) using the --quiet
       option per default.

       The --output option is mandatory. The specified filename is created
       under umask 077 if nonexistent; if it already exists and is non-empty,
       a warning message about that is sent to standard error, and the output
       is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the
       existing-file warning message.

       The --bits option specifies the number of bits in the key; the current
       default is 2192 and we do not recommend use of anything shorter unless
       unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what
       host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to
       complete the ipsec.secrets format. In the usual case, where
       ipsec.secrets contains only the host’s own private key, the output of
       newhostkey is sufficient as a complete ipsec.secrets file.


       /dev/random, /dev/urandom


       ipsec_rsasigkey(8), ipsec.secrets(5)


       Written for the Linux FreeS/WAN project <> by
       Henry Spencer.


       As with rsasigkey, the run time is difficult to predict, since
       depletion of the system’s randomness pool can cause arbitrarily long
       waits for random bits, and the prime-number searches can also take
       unpre dictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) for some typical performance numbers.

       A higher-level tool which could handle the clerical details of changing
       to a new key would be helpful.

       The requirement for --output is a blemish, but private keys are
       extremely sensitive information and unusual precautions seem justified.