On March 14, 2017 6:32:13 PM EDT, Nico Williams <n...@cryptonector.com> wrote:
>On Tue, Mar 14, 2017 at 03:26:57PM -0700, Henry B (Hank) Hotz, CISSP
>> Probably, but encrypting the key material separately doesn’t seem like a bad thing.
>It's a waste of CPU cycles. It adds no real protection _by itself_
>unless you're keying in the master key on daemon startup.
It provides some additional protection against disclosure of the keys while in
transit (i.e. during propagation). It doesn't protect against copy/paste
attacks or do much of anything for a database at rest.