The file is encrypted with a secret provided by the signer's administrator; normally that secret is entered once, when authentication services are started by svc/auth on the host acting as signer (see svc(8)). The file should also be readable and writable only by the user identity that runs the signing service (i.e., mode 600; see chmod(1)). Entries are usually accessed only through the name space provided by keyfs(4), which decrypts the file into internal data structures given the administrative key and makes each entry visible as a separate directory. Using that name space, entries are added and updated by an administrator using changelogin(8), a user can change a secret using passwd(1) via keysrv(4), and the file is read by logind(8) to obtain the secret used to verify the identity of a client requesting a certificate (typically via security-login(2)).
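The permission requirement above (mode 600, owned by the signing identity) is the check an administrator should run on the keys file before starting the authentication services. The following audit is an added example, not part of the Inferno manual or of the keyfs(4) and logind(8) sources; it uses POSIX stat bits, so the path and the expected owner uid are caller-supplied assumptions, and the sample files it audits are constructed in a temporary directory:

```python
"""Audit the permissions of a keys(6)-style secrets file.

Added example, not from the Inferno manual page or the keyfs/logind code.
It checks the property the page states: the file is readable and writable
only by the user identity that runs the signing service (mode 600).  The
path and the expected owner uid are assumptions supplied by the caller.
"""
import os
import stat
import tempfile


def check_keyfile(path, expected_uid=None):
    """Return a list of findings; an empty list means the file is acceptable.

    Checks, in order: the path is a regular file and not a symlink; the
    permission bits are exactly 0600 (no group/other access, no special
    bits, owner has read and write only); and, when expected_uid is given,
    the owner matches.
    """
    findings = []
    st = os.lstat(path)  # lstat: a symlink is reported rather than followed
    if stat.S_ISLNK(st.st_mode):
        findings.append("keys file is a symbolic link")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("keys file is not a regular file")
        return findings
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants access to group or others (expected 0600)" % perm)
    if perm & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        findings.append("mode %04o has setuid/setgid/sticky bits set" % perm)
    if perm & stat.S_IRWXU != (stat.S_IRUSR | stat.S_IWUSR):
        findings.append("mode %04o: owner must have exactly read and write (0600)" % perm)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return findings


def audit_constructed_samples():
    """Create constructed sample files with several modes and audit each.

    Returns {mode_or_label: findings}.  The files are temporary and are
    removed afterwards; their contents are a placeholder, not a keys file.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o600, 0o644, 0o660, 0o400, 0o700):
            path = os.path.join(d, "keys-%04o" % mode)
            with open(path, "w") as f:
                f.write("constructed sample, not a real keys file\n")
            os.chmod(path, mode)
            results[mode] = check_keyfile(path, expected_uid=os.getuid())
        # A symlink to a correctly protected file is still a finding: the
        # audited path is not the file itself, so its protection is not proven.
        link = os.path.join(d, "keys-link")
        os.symlink(os.path.join(d, "keys-0600"), link)
        results["symlink"] = check_keyfile(link)
    return results


if __name__ == "__main__":
    for label, findings in audit_constructed_samples().items():
        name = label if isinstance(label, str) else "%04o" % label
        print(name, "OK" if not findings else "; ".join(findings))
```

Only the 0600 sample passes; 0400 and 0700 are rejected as well as the group- and world-readable modes, because the service must be able to both read and rewrite the file and nothing else should be granted. On an Inferno host the same bits apply, but ownership is by user name rather than numeric uid, so the owner check would compare names instead.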
KEYS(6) | Rev: Thu Feb 15 14:43:48 GMT 2007 |