KeyTab Management¶
Kerberos KeyTab Lifecycle Management — Import, Discovery, Cipher Compliance, and Monitoring
Document Version: 1.0.0
Last Updated: 2026-04-19
Since v1.0.38
1. Overview¶
MazeVault provides enterprise-grade Kerberos KeyTab lifecycle management. You can import, discover, and manage keytab files across your infrastructure with a full audit trail, version history, and cipher compliance enforcement.
Key Capabilities¶
| Feature | Description |
|---|---|
| Import & Parse | Upload keytab binary files with automatic metadata extraction |
| Agent Discovery | Agents discover keytab files on managed hosts automatically |
| Cipher Policy | Organization-level cipher compliance with configurable enforcement |
| Version History | Immutable version records for every keytab update |
| Dashboard | Real-time overview of keytab inventory, compliance, and expiry |
| Orchestrator Mode | Metadata-only storage with external key offloading |
2. Importing KeyTabs¶
2.1 Manual Import¶
Navigate to KeyTab Management in the main menu to import a keytab file.
- Click Import KeyTab
- Provide a display name and optional description
- Upload the .keytab file (base64-encoded, max 10 MB)
- Optionally assign to a project and set an expiration date
- Click Import
MazeVault automatically:
- Parses the MIT Kerberos keytab file format, version 2 (header bytes 0x05 0x02)
- Extracts principals, realms, key version numbers (KVNO), and encryption types
- Computes a SHA-256 fingerprint for deduplication
- Encrypts the keytab binary with AES-256-GCM before storage
- Evaluates cipher compliance against your organization's policy
Duplicate Detection
If a keytab with the same principal, realm, and project already exists, the import will be rejected. Update the existing keytab instead.
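The import steps above, as an added example that is not MazeVault's own code: a Python parser for the keytab v2 on-disk format that pulls out the same metadata (principals, realms, KVNO, encryption types), computes the SHA-256 fingerprint, and builds the (principal, realm, project) keys used for duplicate detection. Because an uploaded keytab is untrusted input, every length field is bounds-checked against its record before it is used, deleted (negative-size) records are skipped, and the optional 32-bit vno that replaces the 8-bit one for KVNOs above 255 is honoured. The sample keytab is constructed inline with a small serialiser; `build_keytab`, `summarize`, the project name, the principals and the arbitrary timestamp are all this example's own. The AES-256-GCM encryption of the binary at rest is not part of this example.

```python
"""Parse an MIT Kerberos v2 keytab (header bytes 0x05 0x02) into the metadata an
import records: principals, realms, KVNO, encryption types, SHA-256 fingerprint."""
import hashlib
import struct
from collections import namedtuple

# Enctype numbers from RFC 3961, 3962, 4757, 6803 and 8009
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "rc4-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}

KeytabEntry = namedtuple("KeytabEntry", "principal realm kvno enctype")  # no key bytes kept

class _Cursor:
    """Bounds-checked reader over one record; the upload is untrusted, so every length is checked."""
    def __init__(self, buf, start, end):
        self.buf, self.pos, self.end = buf, start, end

    def take(self, n):
        if self.pos + n > self.end:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def string(self):                               # counted octet string
        return self.take(self.unpack(">H")[0]).decode("utf-8", errors="replace")

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                               # MIT treats a zero-size record as EOF
            break
        if size < 0:                                # deleted entry: skip the hole
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("entry runs past end of file")
        c = _Cursor(data, pos, pos + size)
        (ncomp,) = c.unpack(">H")                   # v2: the realm is not a component
        realm = c.string()
        comps = [c.string() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = c.unpack(">IIB")
        enctype, klen = c.unpack(">HH")
        c.take(klen)                                # the key itself: consumed, never kept
        kvno = vno8
        if c.end - c.pos >= 4:                      # optional 32-bit vno (kvno > 255)
            kvno = c.unpack(">I")[0] or vno8
        entries.append(KeytabEntry("/".join(comps), realm, kvno, enctype))
        pos += size
    return entries

def summarize(data, project="default"):
    """Import metadata plus the (principal, realm, project) keys used for duplicate detection."""
    entries = parse_keytab(data)
    if not entries:
        raise ValueError("keytab contains no entries")
    return {
        "fingerprint": hashlib.sha256(data).hexdigest(),
        "principals": sorted({f"{e.principal}@{e.realm}" for e in entries}),
        "realms": sorted({e.realm for e in entries}),
        "kvnos": sorted({e.kvno for e in entries}),
        "enctypes": sorted({ENCTYPE_NAMES.get(e.enctype, f"unknown({e.enctype})") for e in entries}),
        "dedup_keys": sorted({(e.principal, e.realm, project) for e in entries}),
    }

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v2 keytab. Used only
    to construct sample input here; real keytabs are exported by the KDC (kadmin ktadd)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in (realm, *comps):
            body += struct.pack(">H", len(s.encode())) + s.encode()
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed sample: a service with an AES and an RC4 key at kvno 3, plus a host
# principal at kvno 300 so the 32-bit vno field matters (vno8 alone would read 44).
SAMPLE = build_keytab([
    ("HTTP/webserver", "CORP.LOCAL", 3, 18, bytes(range(32))),
    ("HTTP/webserver", "CORP.LOCAL", 3, 23, bytes(range(16))),
    ("host/webserver", "CORP.LOCAL", 300, 18, bytes(range(32))),
])
# The same keytab with a deleted (negative-size) record ahead of the first entry
SAMPLE_WITH_HOLE = SAMPLE[:2] + struct.pack(">i", -4) + bytes(4) + SAMPLE[2:]

if __name__ == "__main__":
    print(summarize(SAMPLE, project="web"))
```

The parser keeps the principal, realm, KVNO and enctype of each record and discards the key bytes as soon as they are read; an import service should never log or return key material, only the derived metadata. `klist -kte` on a host shows the same principals, KVNOs and enctypes for a real keytab, which is a quick way to cross-check what an import reports.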
2.2 Import from Agent Discovery¶
Agents that discover keytab files on managed hosts report them to MazeVault. You can import discovered keytabs into your managed inventory:
- Navigate to KeyTab Management → Discovered
- Review the list of discovered keytabs (filtered by agent, state, or compliance)
- Click Import next to a discovered keytab
- Optionally assign a name, project, and expiration date
- The keytab moves from the discovered state to the managed state
3. Agent Discovery¶
MazeVault Agents automatically scan managed hosts for .keytab and .keystore files. Discovery reports include:
| Field | Description |
|---|---|
| Principal | Kerberos principal (e.g., HTTP/webserver@CORP.LOCAL) |
| Realm | Kerberos realm |
| File Path | Full filesystem path |
| File Permissions | Unix permissions (e.g., 0600; a keytab readable by group or others exposes its keys regardless of owner) |
| File Owner | File owner (e.g., root) |
| Encryption Types | All encryption types present in the keytab |
| Fingerprint | SHA-256 hash for deduplication and change detection |
Discovery States¶
| State | Description |
|---|---|
| discovered | Found by agent, not yet managed |
| ignored | Manually marked as not relevant |
| imported | Imported into managed inventory |
| managed | Matched to an existing managed keytab |
Stale Detection
If a previously discovered keytab is not found in the latest agent scan, it is marked as stale. This indicates the file may have been deleted or moved on the host.
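An added example of the host-side half of discovery and the state bookkeeping described in this section (example code, not the agent's implementation): it walks a directory for `.keytab` and `.keystore` files, records permissions, owner and SHA-256 fingerprint, flags anything readable by group or others, and reconciles the scan with the previous inventory so that paths missing from the scan become stale and fingerprints matching an already managed keytab become managed. Principal and enctype extraction would come from a keytab parser and is left out here. The reconciliation rules, the `exposed` flag and the temporary host layout built by `demo()` are this example's assumptions; it expects a Unix host (`pwd`, mode bits).

```python
"""Discovery scan of a Unix host for keytab-like files, followed by reconciliation
against the previous inventory to produce discovered / ignored / managed / stale."""
import hashlib
import os
import pwd
import stat
import tempfile

SUFFIXES = (".keytab", ".keystore")

def scan_host(root):
    """Return {path: report} for every regular file under root with a keytab suffix."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):        # symlinks and special files are not reported
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(st.st_mode)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)
            found[path] = {"permissions": f"{mode:04o}", "owner": owner, "fingerprint": digest,
                           # readable by group or others: the keys are exposed whoever owns the file
                           "exposed": bool(mode & 0o044)}
    return found

def reconcile(previous, scan, managed_fingerprints):
    """Merge a fresh scan into the previous inventory ({path: {"state", "fingerprint", ...}}).
    The rules are this example's assumptions, not necessarily the product's:
      - a fingerprint matching a managed keytab -> managed
      - a path not seen before -> discovered; otherwise the old state (incl. ignored) is kept
      - a changed fingerprint is recorded as changed; the state is not reset
      - a path missing from the scan keeps its record and is flagged stale"""
    inventory = {}
    for path, report in scan.items():
        old = previous.get(path)
        if report["fingerprint"] in managed_fingerprints:
            state = "managed"
        elif old is None:
            state = "discovered"
        else:
            state = old["state"]
        inventory[path] = {**report, "state": state, "stale": False,
                           "changed": old is not None and old["fingerprint"] != report["fingerprint"]}
    for path, old in previous.items():
        if path not in scan:
            inventory[path] = {**old, "stale": True}
    return inventory

def demo():
    """Constructed host layout: a properly protected keytab that matches a managed one,
    a world-readable unmanaged keytab, a non-keytab file, and a previously discovered
    path that has since disappeared. Returns the inventory keyed by relative path."""
    root = tempfile.mkdtemp()
    files = {"etc/krb5.keytab": (0o600, b"\x05\x02host-keys"),
             "opt/app/service.keytab": (0o644, b"\x05\x02service-keys"),
             "opt/app/README.txt": (0o644, b"not a keytab")}
    for rel, (mode, content) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    previous = {os.path.join(root, "var/old.keytab"):
                {"state": "discovered", "fingerprint": "0" * 64, "stale": False}}
    managed = {hashlib.sha256(b"\x05\x02host-keys").hexdigest()}
    inventory = reconcile(previous, scan_host(root), managed)
    return {os.path.relpath(path, root): rec for path, rec in inventory.items()}

if __name__ == "__main__":
    for rel, rec in sorted(demo().items()):
        print(rel, rec["state"], "stale" if rec["stale"] else "", rec.get("permissions", ""))
```

The fingerprint does double duty: it matches a discovered file to a managed keytab without uploading key material, and a fingerprint that changes between scans is the signal that the file on the host was rotated or replaced, which is worth reviewing even when the state does not change.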
4. Cipher Policy¶
4.1 Overview¶
Organizations can define a cipher policy that specifies which Kerberos encryption types are allowed and which are deprecated. The policy is applied automatically when keytabs are imported or updated.
4.2 Default Policy¶
| Category | Encryption Types |
|---|---|
| Allowed | aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128, aes256-cts-hmac-sha384-192, camellia128-cts-cmac, camellia256-cts-cmac |
| Deprecated | des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, rc4-hmac |
4.3 Enforcement Modes¶
| Mode | Behavior |
|---|---|
| audit | Report violations in compliance status but take no action |
| warn | Allow keytab operations but flag violations with warnings |
| block | Prevent import/update of keytabs containing only deprecated ciphers; keytabs that mix allowed and deprecated ciphers are still accepted |
4.4 Compliance Status¶
Each keytab receives a compliance status:
| Status | Meaning |
|---|---|
| ✅ compliant | All encryption types are on the allowed list |
| ⚠️ warning | Contains both allowed and deprecated encryption types |
| 🔴 critical | Contains only deprecated encryption types |
A keytab in the warning state still holds a working deprecated key: the service that loads it can decrypt tickets issued with that encryption type, so treat warning as a rotation task (re-key the principal without the deprecated types and re-export the keytab) rather than an accepted state.
To update your cipher policy, navigate to KeyTab Management → Cipher Policy.
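The classification in the table above and the decision each enforcement mode takes, as an added example (not the product's code). It takes the encryption type names an import extracts, applies the default policy from 4.2, and returns whether an import or update is permitted. Treating an enctype that appears on neither list as not approved, and the wording of the messages, are this example's assumptions. Running it shows the gap worth keeping in mind: in block mode a keytab with one AES key and one RC4 key is still permitted, because only critical keytabs are blocked.

```python
"""Cipher-compliance evaluation for the encryption types found in a keytab, and the
import/update decision under each enforcement mode."""

# Default policy as listed in 4.2
DEFAULT_POLICY = {
    "allowed": {
        "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
        "aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192",
        "camellia128-cts-cmac", "camellia256-cts-cmac",
    },
    "deprecated": {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"},
}

def compliance_status(enctypes, policy=DEFAULT_POLICY):
    """Classify a keytab's enctype set as compliant / warning / critical.
    Assumption: an enctype on neither list is handled like a deprecated one,
    because the policy has not approved it."""
    present = set(enctypes)
    if not present:
        raise ValueError("no encryption types to evaluate")
    allowed = present & policy["allowed"]
    not_allowed = present - policy["allowed"]
    if not not_allowed:
        status = "compliant"
    elif allowed:
        status = "warning"          # mixed: the weak key is still usable by the service
    else:
        status = "critical"
    return {"status": status,
            "allowed": sorted(allowed),
            "deprecated": sorted(not_allowed & policy["deprecated"]),
            "unknown": sorted(not_allowed - policy["deprecated"])}

def enforce(enctypes, mode, operation="import", policy=DEFAULT_POLICY):
    """Apply an enforcement mode to an import or update. Only block mode stops anything,
    and only for a critical keytab; warning keytabs pass in every mode."""
    if mode not in ("audit", "warn", "block"):
        raise ValueError(f"unknown enforcement mode {mode!r}")
    result = compliance_status(enctypes, policy)
    status = result["status"]
    permitted = not (mode == "block" and status == "critical")
    weak = result["deprecated"] + result["unknown"]
    if status == "compliant":
        message = f"{operation} permitted: all enctypes on the allowed list"
    elif permitted:
        visibility = "recorded in compliance status" if mode == "audit" else "warning raised"
        message = f"{operation} permitted with status {status} ({visibility}); weak keys remain usable: {weak}"
    else:
        message = f"{operation} blocked: only deprecated/unapproved enctypes present: {weak}"
    return {**result, "mode": mode, "permitted": permitted, "message": message}

if __name__ == "__main__":
    # Constructed enctype sets, in the form an import's metadata extraction produces
    samples = (["aes256-cts-hmac-sha1-96"],
               ["aes256-cts-hmac-sha1-96", "rc4-hmac"],
               ["rc4-hmac", "des-cbc-md5"])
    for enctypes in samples:
        for mode in ("audit", "warn", "block"):
            print(f"{mode:5s} {enctypes}: {enforce(enctypes, mode)['message']}")
```

The `weak` list in the result is the actionable part: it is the set of enctypes to strip from the principal's keys before the next re-export, and it is non-empty for every warning keytab that block mode lets through.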
5. Dashboard¶
The KeyTab Dashboard provides a real-time overview of your keytab inventory:
- Total / Active / Expired — Current inventory counts
- Expiring (30/90 days) — Keytabs approaching expiration
- Cipher Compliance — Breakdown by compliant / warning / critical
- Cipher Distribution — Chart showing encryption type usage across all keytabs
- Discovered Unmanaged — Count of keytabs found by agents but not yet imported
6. Version History¶
Every keytab update creates an immutable version record capturing:
- Version number
- Changed encryption types and KVNO
- SHA-256 hash of the keytab binary
- Who made the change and why (change reason)
- Timestamp
View version history from the keytab detail page under the History tab.
7. Permissions¶
KeyTab management is controlled by the following RBAC permissions:
| Permission | Description | Granted To |
|---|---|---|
| keytab:read | View keytabs and dashboard | User, Project Admin, Admin, Auditor |
| keytab:write | Import, update keytabs | Project Admin, Admin |
| keytab:delete | Delete keytabs | Project Admin, Admin |
| keytab:admin | Manage cipher policy, batch compliance refresh | Admin |
See RBAC Roles for full permission details.
8. Orchestrator Mode¶
In Orchestrator Mode, keytab binary data is offloaded to an external key storage provider. Only metadata (principal, realm, encryption types, compliance status) is stored in MazeVault's database, so once offloading completes the sensitive keytab material no longer resides on the MazeVault server. Until offload_status reaches offloaded, the binary is still held locally, so check the offload status before treating a keytab as offloaded.
| Field | Value |
|---|---|
| storage_mode | names_only |
| offload_status | local → pending → offloaded |