[Koha-bugs] [Bug 32078] We should have an easy way for an administrator to update the encryption keys
bugzilla-daemon at bugs.koha-community.org
Sun Nov 27 05:09:43 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32078
Victor Grousset/tuxayo <victor at tuxayo.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |victor at tuxayo.net
--- Comment #2 from Victor Grousset/tuxayo <victor at tuxayo.net> ---
> The tricky thing is that we don't currently have a way of noting which key was used to encrypt which field.
As long as there is one key at a time, it's not needed. The update process
should be one transaction to guarantee that though.
> However, we have no easy way to change key should that key be leaked or found to be too simple to crack
It's generated so cracking shouldn't be an issue. As for a leak, yes a
webserver misconfiguration or a vulnerability in Koha or another app on the
same server could expose the config file while still having the DB unleaked.