I need to create a new realm, and I'm wondering if anyone has a
recommendation about which enctype to use for the master key.

The kdb5_util program seems to still default to des-cbc-crc when creating a
database (I'm running MIT Kerberos 1.4.1), and I'm not sure if there's a
good reason for this. I'd like to use one of the new, stronger enctypes
like aes256, but I'm not sure what the pros and cons are.

I suppose that all of the slave KDCs would have to be upgraded to a version
of Kerberos that supports whatever master key enctype I choose, but I don't
anticipate a problem there. Are there client issues? Cross-realm trust
issues? Something else? I don't plan to run anything but MIT Kerberos for
a KDC, but if anyone knows of any gotchas with specific enctypes/vendors,
that might be useful information. Thanks.

Phil Tracy
Information Systems Architecture
Northwestern University Information Technology

Kerberos mailing list Kerberos@mit.edu