On Tue, Mar 14, 2017 at 06:41:06PM -0400, Jeffrey Hutzelman wrote:
> On March 14, 2017 6:32:13 PM EDT, Nico Williams <[email protected]> wrote:
> >On Tue, Mar 14, 2017 at 03:26:57PM -0700, Henry B (Hank) Hotz, CISSP
> >wrote:
> >> Probably, but encrypting the key material separately doesn't seem
> >> like a bad thing.
> >
> >It's a waste of CPU cycles.  It adds no real protection _by itself_
> >unless you're keying in the master key on daemon startup.
>
> it provides some additional protection against disclosure of the keys
> while in transit (i.e. during propagation).  it doesn't protect against

Sure, you can propagate to a slave that doesn't have a master key.

> copy/paste attacks or do much of anything for a database at rest

Correct.
