# 🔐 edh-keygen

**Automated Diffie-Hellman parameter generation and service management tool**

Provides flexible configuration, systemd integration and clean RPM packaging.

This utility simplifies the generation and management of Diffie-Hellman (DH) parameter files used for Perfect Forward Secrecy (PFS) in secure communication services such as Postfix, Dovecot, Ejabberd and others. It ensures that DH parameters are regularly regenerated, properly permissioned and integrated with systemd for reliable automation.

A DH parameter file such as `dh2048.pem` holds only the public group (prime and generator); the short-lived per-connection secrets that actually give PFS are created by the service during each TLS handshake. Regenerating the group on a schedule is defence in depth against precomputation attacks on a fixed, widely shared group, and the group should be at least 2048 bits.

Key features:

- 🔁 Automated generation of DH parameter files (e.g., dh2048.pem)
- ⚙️ Service reload hooks to apply new parameters without downtime
- 🛠️ Easy configuration via edh-keygen.conf
- 📦 Distributed as an RPM package for clean system integration
- 🔐 Designed to enhance TLS security through PFS

---

## Outline

1. [Features](#features)
2. [Installation](#installation)
3. [Configuration](#configuration)
4. [Directory Layout](#directory-layout)
5. [CRON Job Example](#cron-job-example)
6. [License](#license)
7. [Authors](#authors)
8. [Project Home](#project-home)

---

## Features

- Generates DH parameters for secure services
- Supports service reloads and restarts for root and non-root systemd users
- Configurable per-service and global settings via config file
- Customizable sync paths, ownership, and permissions for DH parameter files
- Weekly cron job integration for automated parameter regeneration
- RPM packaging for easy deployment

## Installation

1. Install the required packages

   ```bash
   sudo dnf install git rpm-build rpmdevtools yum-utils -y
   ```

2. Clone the repository

   ```bash
   git clone https://dev.town-square.de/cb601/edh-keygen.git
   cd edh-keygen
   ```

3. Build the RPM package

   You can use the provided Makefile:

   ```bash
   make clean
   make rpm
   ```

4. Install the RPM package

   ```bash
   sudo yum localinstall rpmbuild/RPMS/noarch/edh-keygen-1.0-1.noarch.rpm
   ```

5. Verify the installation

   ```bash
   ls -l /opt/edh-keygen
   ```

   You should see the script and its config readable by root only:

   ```bash
   -rwxr-x--- 1 root root ... edh-keygen.sh
   -rw-r----- 1 root root ... edh-keygen.conf
   ```

   Check the RPM info:

   ```bash
   rpm -qil edh-keygen
   ```

## Configuration

The configuration file (`edh-keygen.conf` or `edh-keygen.local`) supports both global path settings and per-service lines. See the file itself for detailed documentation and examples.

Put your own settings in `edh-keygen.local`: `edh-keygen.conf` is replaced on every package update, while `edh-keygen.local` is never overwritten (see the directory layout below).

## Directory Layout

| Path                             | Purpose                          |
|----------------------------------|----------------------------------|
| /opt/edh-keygen/edh-keygen.sh    | Main script                      |
| /opt/edh-keygen/edh-keygen.conf  | Packaged config (always overwritten on update) |
| /opt/edh-keygen/edh-keygen.local | User config (never overwritten)  |
| /etc/cron.weekly/edh-keygen      | Cron job script (optional)       |

## CRON Job Example

To run the generator weekly, you have two options. Use one of them, not both, or the job will run twice a week.

### 1. Crontab

You can add a weekly cron job directly to the root user's crontab.

Open the root crontab for editing:

```bash
sudo crontab -e
```

Add the following line to run the script every Sunday at 3:30 AM:

```bash
30 3 * * 0 /opt/edh-keygen/edh-keygen.sh
```

*(Adjust the schedule as needed. This example runs the script weekly on Sunday.)*

### 2. System Cron Weekly Directory

Create a script as `/etc/cron.weekly/edh-keygen` (scripts in this directory are run as root by `run-parts`):

```bash
#!/bin/sh
/opt/edh-keygen/edh-keygen.sh
exit 0
```

Ensure the script is executable:

```bash
chmod 750 /etc/cron.weekly/edh-keygen
```

## License

[MIT](https://dev.town-square.de/cb601/edh-keygen/src/branch/main/LICENSE)

## Authors

CB-601 - the open tec Elevator

- [Stephan Düsterhaupt](xmpp:me@jabber.stephanduesterhaupt.de)
- [Ivo Noack](xmpp:me@jabber.ivonoack.de) aka Insonic

## Project Home

Project Home:
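## Example: what one rotation run does

The following script is an added example, not edh-keygen's own `edh-keygen.sh`, showing the steps the Features and CRON Job Example sections describe: generate fresh DH parameters, verify them, set ownership and mode, replace the old file atomically, and reload the consuming service (root or non-root systemd user). It assumes `openssl(1)`, `systemctl(1)` and `runuser(1)` are on `PATH`; the target paths, owners and service names (`/etc/postfix/dh2048.pem`, `root:postfix`, `postfix`, and the `--run` flag) are illustrative assumptions, not settings taken from the project's config.

```bash
#!/bin/sh
# Added example (not edh-keygen's own script): one DH parameter rotation run.
# Assumes openssl, systemctl and runuser on PATH. Paths, owners and service
# names below are illustrative.
set -eu
umask 077   # files are private while being written; install_dh sets the final mode

# gen_dh BITS OUT: generate a fresh safe-prime DH group into OUT and verify it.
gen_dh() {
    bits=$1; out=$2
    [ "$bits" -ge 2048 ] || echo "warning: ${bits}-bit DH is below the 2048-bit floor" >&2
    openssl dhparam -out "$out" "$bits" 2>/dev/null
    openssl dhparam -in "$out" -check -noout >/dev/null 2>&1
}

# install_dh SRC DST OWNER MODE: set ownership and mode on SRC, then rename it
# over DST. rename(2) is atomic, so a service opening DST at the same moment
# sees either the complete old file or the complete new one, never a partial.
install_dh() {
    src=$1; dst=$2; owner=$3; mode=$4
    chown "$owner" "$src"
    chmod "$mode" "$src"
    mv -f "$src" "$dst"
}

# rotate_dh DST BITS OWNER MODE: generate into a temp file in DST's directory
# (same filesystem, so mv is a rename, not a copy), then install it.
rotate_dh() {
    dst=$1; bits=$2; owner=$3; mode=$4
    dir=$(dirname "$dst")
    tmp=$(mktemp "$dir/.dhparam.XXXXXX")
    trap 'rm -f "$tmp"' EXIT       # never leave a half-written group behind
    gen_dh "$bits" "$tmp"
    install_dh "$tmp" "$dst" "$owner" "$mode"
    trap - EXIT
}

# reload_service NAME [USER]: apply the new file. try-reload-or-restart is a
# no-op for inactive units and prefers reload over restart where the unit
# supports it. With USER given, talk to that user's systemd --user manager
# (assumes the user's runtime directory /run/user/UID exists).
reload_service() {
    svc=$1; user=${2:-}
    if [ -z "$user" ]; then
        systemctl try-reload-or-restart "$svc"
    else
        uid=$(id -u "$user")
        runuser -u "$user" -- env XDG_RUNTIME_DIR="/run/user/$uid" \
            systemctl --user try-reload-or-restart "$svc"
    fi
}

# Illustrative driver: one rotation per consuming service (run as root).
rotate_all() {
    rotate_dh /etc/postfix/dh2048.pem 2048 root:postfix 0640
    reload_service postfix
    rotate_dh /etc/dovecot/dh2048.pem 2048 root:dovecot 0640
    reload_service dovecot
}

# Only touch the system when explicitly asked: sh rotate-dh.sh --run
case "${1:-}" in
    --run) rotate_all ;;
esac
```

Run it as `sudo sh rotate-dh.sh --run`. The group is generated into a dot-prefixed temp file in the destination directory rather than in `/tmp` so that the final `mv` is a rename on the same filesystem; the mode is set before the rename, so the file is never readable by the wrong user even for an instant. `openssl dhparam -check` rejects a group whose prime is not a safe prime or whose generator is unsuitable, which guards against installing corrupted output after a partial run.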