It is sometimes convenient for a principal to be able to change its key on a schedule determined by the password expiration policy for that principal, rather than to rely on a network administrator to decide when this should be done. In this case, the application may call sec_key_mgmt_manage_key( ). This function invokes sec_key_mgmt_gen_rand_key( ) shortly before the current key is due to expire, updates both the local key storage and the registry database entry with the new key, and then calls sec_key_mgmt_garbage_collect( ) to discard any obsolete keys. This function runs indefinitely; it will never return during normal operation and so should be invoked from a thread dedicated to key management. It is not intended for use by server principals that share the same key.