On Tue, Mar 14, 2017 at 06:41:06PM -0400, Jeffrey Hutzelman wrote:
> On March 14, 2017 6:32:13 PM EDT, Nico Williams <n...@cryptonector.com> wrote:
> >On Tue, Mar 14, 2017 at 03:26:57PM -0700, Henry B (Hank) Hotz, CISSP
> >> Probably, but encrypting the key material separately doesn’t seem
> >like a bad thing.
> >It's a waste of CPU cycles. It adds no real protection _by itself_
> >unless you're keying in the master key on daemon startup.
> it provides some additional protection against disclosure of the keys
> while in transit (i.e. during propagation). it doesn't protect against
Sure, you can propagate to a slave that doesn't have a master key.
> copy/paste attacks or do much of anything for a database at rest