[Koha-bugs] [Bug 34976] Encryption keys should not be shared between modules
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Oct 4 14:22:14 CEST 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34976
--- Comment #3 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
Using one encryption key for whole Koha is obviously more convenient than
carrying a large keychain but is unsafer too. If you get that key, you can
decrypt everything.
Interesting question though would be: How would you get one key and not the
others? And underlying, is koha-conf the best place to save them? Easy to ask,
harder to answer. If you would get secrets from some vault, you still need a
token for that, etc.
As David referred to the rotation bug, the management of data encrypted with
which key and what version becomes a bit harder.. Security always has a price.
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list