Bug 1247817

Summary: [DOC] Workaround for changing vault password
Product: Red Hat Enterprise Linux 7
Reporter: Endi Sukma Dewata <edewata>
Component: doc-Linux_Domain_Identity_Management_Guide
Assignee: Marc Muehlfeld <mmuehlfe>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.2
CC: ftweedal
Target Milestone: rc
Keywords: Documentation, EasyFix
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-04-16 07:32:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1249091
Bug Blocks:

Description Endi Sukma Dewata 2015-07-29 01:13:52 UTC
Currently changing the password of a symmetric vault or the keys of an asymmetric vault has to be done manually. See http://www.freeipa.org/page/V4/Password_Vault_1.0#Changing_vault_password.2Fkeys.

To change the password of a symmetric vault:
1. Retrieve the secret from the vault:
   ipa vault-retrieve SymmetricVault --out secret.txt

2. Remove the vault:
   ipa vault-del SymmetricVault

3. Create a new symmetric vault with a new password:
   ipa vault-add SymmetricVault --type symmetric

4. Re-archive the secret into the new vault:
   ipa vault-archive SymmetricVault --in secret.txt

5. Delete the temporary file:
   rm secret.txt

To change the keys of an asymmetric vault:
1. Retrieve the secret from the vault:
   ipa vault-retrieve AsymmetricVault --out secret.txt --private-key-file private.pem

2. Remove the vault:
   ipa vault-del AsymmetricVault

3. Create a new asymmetric vault with new keys:
   ipa vault-add AsymmetricVault --type asymmetric --public-key-file public.pem

4. Re-archive the secret into the new vault:
   ipa vault-archive AsymmetricVault --in secret.txt

5. Delete the temporary file:
   rm secret.txt
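
The symmetric-vault workaround above, as an added example script that is not part of the bug report or of FreeIPA itself: it keeps the retrieved secret in a mode-0700 temporary directory, checks that the re-created vault returns the same bytes before the copy is deleted, and removes the copy on every exit path. It assumes the ipa CLI is on PATH with a valid Kerberos ticket, and uses the vault plugin's --password-file option (not shown in the steps above) so no password is typed interactively.

```shell
#!/bin/sh
# Rotate a symmetric vault password with the retrieve/delete/add/archive
# workaround from the description. Between vault-del and vault-archive the
# only copy of the secret is the temp file, so it is kept in a mode-0700
# directory, verified after re-archiving, and removed on every exit path.
# Assumes the ipa CLI is on PATH and a Kerberos ticket is already held;
# --password-file is the client plugin's non-interactive password option.
set -eu

rotate_symmetric_vault_password() {
    vault="$1"          # vault name, e.g. SymmetricVault
    old_pw_file="$2"    # file holding the current vault password
    new_pw_file="$3"    # file holding the new vault password

    umask 077
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT INT TERM

    # 1. Retrieve the secret into the private working directory.
    ipa vault-retrieve "$vault" --password-file "$old_pw_file" --out "$work/secret"

    # 2. and 3. Remove the vault and create it again with the new password.
    ipa vault-del "$vault"
    ipa vault-add "$vault" --type symmetric --password-file "$new_pw_file"

    # 4. Re-archive the secret into the new vault.
    ipa vault-archive "$vault" --in "$work/secret" --password-file "$new_pw_file"

    # Check that the new vault returns exactly the bytes that were archived
    # before the last copy is destroyed; on mismatch keep the copy, do not lose it.
    ipa vault-retrieve "$vault" --password-file "$new_pw_file" --out "$work/check"
    if ! cmp -s "$work/secret" "$work/check"; then
        echo "verification failed, secret kept in $work/secret" >&2
        trap - EXIT INT TERM
        return 1
    fi

    # 5. Delete the temporary copies (shred -u first where the filesystem allows).
    rm -rf "$work"
    trap - EXIT INT TERM
    return 0
}

# Usage: rotate_vault_password.sh VAULT OLD_PW_FILE NEW_PW_FILE
if [ $# -eq 3 ]; then
    rotate_symmetric_vault_password "$@"
fi
```

Where `ipa vault-mod --change-password` is available (see the help output in Comment 5), the in-place change avoids the window in which the secret exists only on local disk.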

Comment 1 Aneta Šteflová Petrová 2017-02-21 15:17:53 UTC
Comment#0 explains the procedures very nicely. To resolve this request, we could add the procedures to chapter "Storing Authentication Secrets with Vaults".

Comment 5 Fraser Tweedale 2019-03-29 08:20:38 UTC
Changing the vault password is supported (for quite a while, I think) via the `ipa vault-add` command.

% ipa help vault-mod
Usage: ipa [global-options] vault-mod NAME [options]

Modify a vault.
Options:
  -h, --help            show this help message and exit
  --desc=STR            Vault description
  --type=['standard', 'symmetric', 'asymmetric']
                        Vault type
  --salt=BYTES          Vault salt
  --public-key=BYTES    Vault public key
  --setattr=STR         Set an attribute to a name/value pair. Format is
                        attr=value. For multi-valued attributes, the command
                        replaces the values already present.
  --addattr=STR         Add an attribute/value pair. Format is attr=value. The
                        attribute must be part of the schema.
  --delattr=STR         Delete an attribute/value pair. The option will be
                        evaluated last, after all sets and adds.
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --service=PRINCIPAL   Service name of the service vault
  --shared              Shared vault
  --user=STR            Username of the user vault
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
  --no-members          Suppress processing of membership attributes.
  --change-password     Change password
  --old-password=STR    Old vault password
  --old-password-file=STR
                        File containing the old vault password
  --new-password=STR    New vault password
  --new-password-file=STR
                        File containing the new vault password
  --private-key=BYTES   Old vault private key
  --private-key-file=STR
                        File containing the old vault private key
  --public-key-file=STR
                        File containing the new vault public key

Comment 11 Marc Muehlfeld 2019-04-16 07:32:41 UTC
The update is now available on the Customer Portal.