[cf-dev] Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme


[cf-dev] Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme

ebastian

Hi everyone,


The Credhub team is proposing a change to the current encryption scheme. 

Changing the current encryption scheme from Data Encryption Key (DEK) to Key Encryption Key (KEK) would allow for:

  • increased Credhub security posture 

  • simplification of Credhub encryption key rotation

  • integration with third-party KMS vendors with a data size limit


Details of the change can be found here.


Please feel free to share your thoughts and concerns and reach out with any questions!


Thanks,

The Credhub Team

 
Reminder that all communication on this mailing list is subject to the Cloud Foundry Foundation's code of conduct, which can be found here: https://www.cloudfoundry.org/code-of-conduct/

Re: [cf-dev] Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme

Mike Lloyd-2

Credhub team,

 

What does the migration plan for this feature look like? Is the migration from key types a non-breaking change, or will it require all new deployments and keys?

 

Thanks,

 

Mike.

 

From: [hidden email] <[hidden email]> On Behalf Of ebastian via Lists.Cloudfoundry.Org
Sent: Thursday, October 3, 2019 2:59 PM
To: [hidden email]
Subject: [cf-dev] Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme

 

Hi everyone,

 

The Credhub team is proposing a change to the current encryption scheme. 

Changing the current encryption scheme from Data Encryption Key (DEK) to Key Encryption Key (KEK) would allow for:

  • increased Credhub security posture 

  • simplification of Credhub encryption key rotation

  • integration with third-party KMS vendors with a data size limit

 

Details of the change can be found here.

 

Please feel free to share your thoughts and concerns and reach out with any questions!

 

Thanks,

The Credhub Team

 
