In order to prevent service interruptions, the key management API does not immediately discard keys that have been replaced; instead, it maintains the keys, with a version number and key-type identifier, in the local key storage. However, after a key has been out of use for longer than the maximum life of a ticket to the principal, it is no longer possible that any client of that principal has a valid ticket encoded with that key. At this time, the key storage may have its "garbage'' collected.
The sec_key_mgmt_garbage_collect( ) routine collects garbage in the local key storage by deleting all keys older than the maximum ticket lifetime for the cell. The garbage_collect_time argument, which is returned by sec_key_mgmt_change_key( ), specifies when key-storage garbage is to be collected.