On March 14, 2017 6:32:13 PM EDT, Nico Williams <[email protected]> wrote:
> On Tue, Mar 14, 2017 at 03:26:57PM -0700, Henry B (Hank) Hotz, CISSP wrote:
>> Probably, but encrypting the key material separately doesn't seem like a bad thing.
>
> It's a waste of CPU cycles. It adds no real protection _by itself_ unless you're keying in the master key on daemon startup.
It provides some additional protection against disclosure of the keys while in transit (i.e. during propagation). It doesn't protect against copy/paste attacks or do much of anything for a database at rest.
