Re: [cf-dev] Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme
What does the migration plan for this feature look like? Is the migration from key types a non-breaking change, or will it require all new deployments and keys?
From: [hidden email] <[hidden email]> On Behalf Of ebastian via Lists.Cloudfoundry.Org
Sent: Thursday, October 3, 2019 2:59 PM
To: [hidden email]
Subject: [cf-dev] Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme
The Credhub team is proposing a change to the current encryption scheme.
Changing the current encryption scheme from Data Encryption Key (DEK) to Key Encryption Key (KEK) would allow for:
- increased Credhub security posture
- simplification of Credhub encryption key rotation
- integration with third-party KMS vendors with a data size limit