If you look up references to it, you might find that it's mainly for keytab 
things. EncryptionKey needs to be persisted in the KDC database and can be 
exported. When exported, the kvno or key version is important: keytab consumers 
like application servers use it to find the appropriate key considering 
keytype/enctype, kvno/version, and principal. Note that every time a key is 
exported, the key version is increased by 1. 

It's the key along with the kvno that needs to be persisted in the 
database/backend, not the encrypted data.

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]] 
Sent: Saturday, January 09, 2016 8:29 AM
To: [email protected]
Subject: EncryptionKey structure and KVNO

Hi,

the EncryptionKey class contains a field kvno. I have no idea why we should 
have such a field, or what it is used for?

The KVNO is described as :

"
      A tag associated with encrypted data identifies which key was used
      for encryption when a long-lived key associated with a principal
      changes over time.  It is used during the transition to a new key
      so that the party decrypting a message can tell whether the data
      was encrypted with the old or the new key.
"

We have a field named KVNO in the EncryptedData class already...
