On 21/05/18 15:01, Phil Stracchino wrote:
> On 05/21/18 09:57, Andrew Gallagher wrote:
>> On 21/05/18 14:35, Phil Stracchino wrote:
>>> What MySQL (from mid-5.7 on) does for tablespace encryption might be of
>>> note here. MySQL uses a fixed table key for each encrypted InnoDB
>>> table, but encrypts the table keys with a master key which is
>>> periodically rotated. This allows regular rotation of the master
>>> encryption key that protects all of the table keys, without having to
>>> decrypt and re-encrypt possibly terabytes of table data.
>>
>> The equivalent in PGP is to replace the asymmetric encryption layer but
>> keep the same symmetric session key. But this assumes that the symmetric
>> encryption remains sound. In the efail scenario at least, we also
>> probably want to replace the symmetric algorithm (3DES, CAST5).
>
>
> However, that would probably be a one-time operation, not a monthly
> rotation.

Sure, but can a rotator detect and handle the need for such one-time
operations? It would be very easy to set up a key rotator, leave it
running and then blithely assume that everything is Just Fine...

-- 
Andrew Gallagher
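
Added example, not part of the original message and not Enigmail or GnuPG code: one way a rotator could detect the one-time case discussed above is to inspect the symmetric algorithm octet at the moment it holds the decrypted session key, before re-wrapping it. It assumes the RFC 4880 v3 session-key layout with public-key padding already removed; the function names and the action labels are hypothetical.

```python
# Added example: triage step for a hypothetical OpenPGP key rotator.
# Layout per RFC 4880 section 5.1, after public-key decryption and unpadding:
#   1 octet symmetric algorithm ID || session key || 2-octet checksum
# where the checksum is the sum of the session key octets mod 65536.

# algorithm ID -> (name, key length in octets), RFC 4880 section 9.2
SYM_ALGOS = {
    1: ("IDEA", 16), 2: ("TripleDES", 24), 3: ("CAST5", 16),
    4: ("Blowfish", 16), 7: ("AES128", 16), 8: ("AES192", 24),
    9: ("AES256", 32), 10: ("Twofish", 32),
}
# The two ciphers the thread names as needing replacement (a policy choice).
LEGACY = {2, 3}

def triage_session_key(payload: bytes):
    """Return (action, algorithm name) for one decrypted session-key payload."""
    if len(payload) < 4:
        return ("error-malformed", None)
    algo, key = payload[0], payload[1:-2]
    checksum = int.from_bytes(payload[-2:], "big")
    if algo not in SYM_ALGOS:
        return ("manual-review", f"unknown({algo})")
    name, keylen = SYM_ALGOS[algo]
    if len(key) != keylen or sum(key) % 65536 != checksum:
        return ("error-malformed", name)
    if algo in LEGACY:
        # Re-wrapping alone would leave the body under the old cipher.
        return ("full-reencrypt", name)
    return ("rewrap-only", name)

def build_payload(algo: int, key: bytes) -> bytes:
    """Build a constructed sample payload (not real key material)."""
    return bytes([algo]) + key + (sum(key) % 65536).to_bytes(2, "big")

def rotation_report(payloads):
    """Count actions so a run that met legacy ciphers cannot look clean."""
    report = {}
    for p in payloads:
        action, _ = triage_session_key(p)
        report[action] = report.get(action, 0) + 1
    return report

if __name__ == "__main__":
    samples = [build_payload(9, bytes(range(32))),   # AES256
               build_payload(3, bytes(range(16))),   # CAST5
               build_payload(2, bytes(range(24)))]   # TripleDES
    print(rotation_report(samples))
```

A rotator that surfaces any count other than "rewrap-only" as a failure of the run gives the operator the signal that a one-time re-encryption is pending.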
