# 🔐 edh-keygen
**Automated Diffie-Hellman key generation and service management tool**
Provides flexible configuration, systemd integration and clean RPM packaging.
This utility simplifies the generation and management of Diffie-Hellman (DH) parameters used for Perfect Forward Secrecy (PFS) in secure communication services such as Postfix, Dovecot, Ejabberd and others. It ensures that DH keys are regularly refreshed, properly permissioned and integrated with systemd for reliable automation.
Key features:
- 🔁 Automated generation of DH key files (e.g., dh2048.pem)
- ⚙️ Service reload hooks to apply new keys without downtime
- 🛠️ Easy configuration via edh-keygen.conf
- 📦 Distributed as an RPM package for clean system integration
- 🔐 Designed to enhance TLS security through PFS
---
## Outline
1. [Features](#features)
2. [Installation](#installation)
3. [Configuration](#configuration)
4. [Directory Layout](#directory-layout)
5. [CRON Job Example](#cron-job-example)
6. [License](#license)
7. [Authors](#authors)
8. [Project Home](#project-home)
---
## Features
- Generates DH parameters for secure services
- Supports service restarts for root and non-root systemd users
- Configurable per-service and global settings via config file
- Customizable sync paths, ownership, and permissions for DH keys
- Weekly cron job integration for automated key regeneration
- RPM packaging for easy deployment
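The steps the feature list describes (generate fresh DH parameters, verify them, set ownership and mode, swap the file into place without the service ever seeing a half-written file, then reload the service under the system or a user's systemd manager) can be shown in a few shell functions. This is an added example, not code from the edh-keygen project; the paths, unit names, sizes and the `--machine=user@` reload path are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not part of edh-keygen: atomic DH parameter rotation.
# All paths, modes, owners and unit names below are hypothetical.
set -u

# Set mode (and optionally owner:group) on SRC, then rename it onto DST.
# SRC must live in the same directory as DST so that mv is an atomic rename;
# a service that opens DST concurrently sees either the old or the new file.
install_dh_file() {
    src="$1"; dst="$2"; mode="$3"; owner="${4:-}"
    chmod "$mode" "$src" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$src" || return 1
    fi
    mv -f "$src" "$dst"
}

# generate_dh_params BITS OUT MODE [OWNER]
# Generates BITS-bit DH parameters into a temp file beside OUT, refuses to
# install anything openssl's own consistency check rejects, then installs it.
generate_dh_params() {
    bits="$1"; out="$2"; mode="$3"; owner="${4:-}"
    dir=$(dirname "$out")
    tmp=$(mktemp "$dir/.dh.XXXXXX") || return 1
    if ! openssl dhparam -out "$tmp" "$bits" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    if ! openssl dhparam -check -noout -in "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    install_dh_file "$tmp" "$out" "$mode" "$owner"
}

# reload_cmd UNIT [USER]
# Prints the reload command for UNIT. Units run by root go through the
# system manager; a non-root user's own manager is reached from root with
# --machine=USER@ (assumed: systemd 248 or newer), which avoids su/runuser
# and a hand-assembled DBus/XDG_RUNTIME_DIR environment in a cron job.
reload_cmd() {
    unit="$1"; user="${2:-root}"
    if [ "$user" = root ]; then
        printf 'systemctl reload %s\n' "$unit"
    else
        printf 'systemctl --user --machine=%s@ reload %s\n' "$user" "$unit"
    fi
}

# rotate_dh BITS FILE MODE OWNER UNIT [USER]
# Full rotation: only reload the service if a verified file was installed.
rotate_dh() {
    generate_dh_params "$1" "$2" "$3" "$4" || return 1
    eval "$(reload_cmd "$5" "${6:-root}")"
}

# Example invocation (hypothetical paths/units); guarded so that sourcing
# this file for its functions does not trigger a rotation.
if [ "${1:-}" = "--run" ]; then
    rotate_dh 2048 /etc/ssl/private/dh2048.pem 640 root:postfix postfix.service
fi
```

Run with `--run` as root to rotate a 2048-bit file for a hypothetical Postfix setup; the mode `640` with group `postfix` lets the daemon read the parameters while keeping them out of reach of other local users, and the `-check` step means a failed or interrupted generation never replaces a working file.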
## Installation
1. Install required packages
```bash
sudo dnf install git rpm-build rpmdevtools yum-utils -y
```
2. Clone the repository
```bash
git clone https://dev.town-square.de/cb601/edh-keygen.git
cd edh-keygen
```
3. Build the RPM package
You can use the provided Makefile:
```bash
make clean
make rpm
```
4. Install the RPM package
```bash
sudo yum localinstall rpmbuild/RPMS/noarch/edh-keygen-1.0-1.noarch.rpm
```
5. Verify the installation
```bash
ls -l /opt/edh-keygen
```
You should see:
```bash
-rwxr-x--- 1 root root ... edh-keygen.sh
-rw-r----- 1 root root ... edh-keygen.conf
```
Check RPM info:
```bash
rpm -qil edh-keygen
```
## Configuration
The configuration file (`edh-keygen.conf` or `edh-keygen.local`) supports both global path settings and per-service lines.
See the file itself for detailed documentation and examples.
## Directory Layout
| Path | Purpose |
|----------------------------------|---------------------------------|
| /opt/edh-keygen/edh-keygen.sh    | Main script                     |
| /opt/edh-keygen/edh-keygen.conf | Overwritten config (always) |
| /opt/edh-keygen/edh-keygen.local | User config (never overwritten) |
| /etc/cron.weekly/edh-keygen | Cron job script (optional) |
## CRON Job Example
To run the key generator weekly, you have two options:
### 1. Crontab
You can add a weekly cron job directly to the root user's crontab:
Open the root crontab for editing:
```bash
sudo crontab -e
```
Add the following line to run the script every Sunday at 3:30 AM:
```bash
30 3 * * 0 /opt/edh-keygen/edh-keygen.sh
```
*(Adjust the schedule as needed. This example runs the script weekly on Sunday.)*
### 2. System Cron Weekly Directory
Create a script as `/etc/cron.weekly/edh-keygen`:
```bash
#!/bin/sh
/opt/edh-keygen/edh-keygen.sh
exit 0
```
Ensure the script is executable:
```bash
chmod 750 /etc/cron.weekly/edh-keygen
```
## License
[MIT](https://dev.town-square.de/cb601/edh-keygen/src/branch/main/LICENSE)
## Authors
CB-601 - the open tec Elevator
- [Stephan Düsterhaupt](xmpp:me@jabber.stephanduesterhaupt.de)
- [Ivo Noack](xmpp:me@jabber.ivonoack.de) aka Insonic
## Project Home
Project Home: <https://dev.town-square.de/cb601/edh-keygen>