Encryption key rotation

I’m currently working on a project to convert a CF8 app to Lucee, and I ran
into the issue of encryption key rotation. I’ve not been able to find a
great deal in the way of best practices for key rotation +
Coldfusion/Railo/Lucee. Does anyone in the community have some suggestions
for coming up with a good key storage/key rotation plan for Lucee?

I’m currently working on a project to convert a CF8 app to Lucee, and I
ran into the issue of encryption key rotation.

For what purpose do you want to use the keys? Are we talking about
symmetric keys or asymmetric keys?

Jochem

On Sat, Mar 28, 2015 at 1:32 AM, Jason Brookins wrote:


Jochem van Dieten
http://jochem.vandieten.net/

Are you looking into key rotation due to PCI compliance issue? I am
interested in how you handle this issue.

Andrew Penhorwood

On Friday, March 27, 2015 at 8:32:24 PM UTC-4, Jason Brookins wrote:

I’m currently working on a project to convert a CF8 app to Lucee, and I
ran into the issue of encryption key rotation. I’ve not been able to find
a great deal in the way of best practices for key rotation +
Coldfusion/Railo/Lucee. Does anyone in the community have some suggestions
for coming up with a good key storage/key rotation plan for Lucee?

Symmetric keys; a recent penetration test complained about the use of a
static symmetric key that is used for the encryption of some database index
values,

If I take that literally that doesn’t make much sense. You are encrypting
the index, but not the rest? Typically an index is already a hash, so that
is actually double weird.

Are you encrypting:

  • the whole database;
  • a table in your database;
  • some column(s) in your table.

What is your threat/attack model? Does the solution have to be automated,
or is it OK to require manual intervention after a system restart?

Jochem

On Sun, Mar 29, 2015 at 5:15 AM, Jason Brookins wrote:


Jochem van Dieten
http://jochem.vandieten.net/

Symmetric keys; a recent penetration test complained about the use of a
static symmetric key that is used for the encryption of some database index
values, so I was hoping someone had some ideas about how to go about
getting a solid key rotation in place. I’ve seen a couple of approaches:

  1. store, use, and expire symmetric keys in a database (preferably a
    separate database from the application data store) on some time-based
    schedule;
  2. use a file outside the web root to be read in by the application for
    the selection of a key.

Either of these two approaches has merits, but it’s hard to find some
examples of a workable solution for each that meet regulatory requirements
as well as just good solid application security practices.

On Saturday, March 28, 2015 at 5:46:31 AM UTC-4, Jochem van Dieten wrote:

On Sat, Mar 28, 2015 at 1:32 AM, Jason Brookins wrote:

I’m currently working on a project to convert a CF8 app to Lucee, and I
ran into the issue of encryption key rotation.

For what purpose do you want to use the keys? Are we talking about
symmetric keys or asymmetric keys?

Jochem


Jochem van Dieten
http://jochem.vandieten.net/
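One way to realise the first approach Jason lists (versioned symmetric keys kept in a store, expired on a schedule) is to prefix every ciphertext with the id of the key that produced it: old rows stay readable under their old key, new writes use the newest key, and a background job re-encrypts older rows until the old key can be retired. The Go program below is an added illustration of that scheme written for this edit; it is not code from the thread and not Lucee/CFML code. The Keyring type, its in-memory key map and the sample plaintext are assumptions; in a real deployment the key bytes would be loaded from the separate key database or the out-of-web-root file the post describes, and the rotation loop would walk the affected table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Keyring (assumed type, not from the thread) holds every symmetric key still
// needed to read existing data. Keys are addressed by a one-byte version; the
// highest version is used for new encryptions. Key material lives only in
// memory here; in production it would be read from a key store outside the
// web root, as the post suggests.
type Keyring struct {
	keys    map[uint8][]byte
	current uint8
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint8][]byte{}} }

// AddKey generates a fresh 256-bit key and makes it current for new writes.
func (k *Keyring) AddKey() (uint8, error) {
	if k.current == 255 {
		return 0, errors.New("key version space exhausted")
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire deletes an old key. Call it only after every row encrypted under
// that version has been rotated; data still on a retired key is unreadable.
func (k *Keyring) Retire(v uint8) error {
	if v == k.current {
		return errors.New("cannot retire the current key")
	}
	if _, ok := k.keys[v]; !ok {
		return errors.New("unknown key version")
	}
	delete(k.keys, v)
	return nil
}

func (k *Keyring) aead(v uint8) (cipher.AEAD, error) {
	key, ok := k.keys[v]
	if !ok {
		return nil, fmt.Errorf("no key for version %d", v)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns base64(version || nonce || AES-GCM ciphertext+tag), which
// fits in a text column. The version byte tells Decrypt which key to use.
func (k *Keyring) Encrypt(plaintext []byte) (string, error) {
	if k.current == 0 {
		return "", errors.New("keyring has no keys")
	}
	aead, err := k.aead(k.current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	out := append([]byte{k.current}, nonce...)
	out = aead.Seal(out, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reads the version byte, selects that key and returns the plaintext
// together with the version so callers can tell whether a rotation is due.
func (k *Keyring) Decrypt(token string) ([]byte, uint8, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, 0, err
	}
	if len(raw) < 1 {
		return nil, 0, errors.New("empty token")
	}
	v := raw[0]
	aead, err := k.aead(v)
	if err != nil {
		return nil, 0, err
	}
	ns := aead.NonceSize()
	if len(raw) < 1+ns+aead.Overhead() {
		return nil, 0, errors.New("token too short")
	}
	pt, err := aead.Open(nil, raw[1:1+ns], raw[1+ns:], nil)
	if err != nil {
		return nil, 0, err
	}
	return pt, v, nil
}

// Rotate re-encrypts a token under the current key when it was produced with
// an older one. Tokens already on the current key are returned unchanged.
func (k *Keyring) Rotate(token string) (string, bool, error) {
	pt, v, err := k.Decrypt(token)
	if err != nil {
		return "", false, err
	}
	if v == k.current {
		return token, false, nil
	}
	newTok, err := k.Encrypt(pt)
	return newTok, true, err
}

func main() {
	kr := NewKeyring()
	kr.AddKey()
	tok, _ := kr.Encrypt([]byte("customer-1234")) // constructed sample value
	kr.AddKey()                                    // scheduled rotation: v2 becomes current
	newTok, changed, _ := kr.Rotate(tok)
	pt, v, _ := kr.Decrypt(newTok)
	fmt.Printf("re-encrypted=%v version=%d plaintext=%s\n", changed, v, pt)
	fmt.Println("retire v1:", kr.Retire(1))
}
```

Two points follow from the scheme rather than from the code. First, AES-GCM uses a fresh random nonce per call, so the same plaintext yields a different token each time; a column protected this way cannot be searched by equality, which is the trade-off behind Jochem's question about what exactly is being encrypted. Second, the per-key limit on random-nonce GCM invocations is itself a reason for time- or volume-based rotation, independent of the pentest finding about a static key.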