Encrypted keyczar keys


Paul Pieralde

Nov 13, 2015, 1:25:33 AM
to keyczar...@googlegroups.com
Keyczar can itself wrap keyczar keys, which is working perfectly fine.

This does lend itself to the "Turtles all the way down" problem with a decryption key sitting on the same machine as the encrypted data it's protecting.

There are HSMs, which might be overkill for my particular application based on cost and administrative overhead.

AWS and potentially other cloud hosting providers have services such as KMS.

Has anyone explored wrapping keyczar keys in KMS or similar? I would guess this is highly specific, non-generic code to the KMS service, but given the popularity of the AWS product line, might be a nice addition to the security profile of many organizations.


devin lundberg

Nov 13, 2015, 1:52:25 AM
to keyczar...@googlegroups.com
I've done this before with the Python version of keyczar; adding non-file-system readers had some issues in the Java version, if I remember correctly, but should be possible. Not sure if this would fit in the main keyczar repo for the reasons you state.

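The approach discussed in this thread, as an added example that is not code from either poster or from the Keyczar project: a reader using the `GetMetadata`/`GetKey`/`Close` method names of Python Keyczar's reader interface (how it plugs in is an assumption), with version files unwrapped by a KMS call instead of a local key. `FakeKms`, `WrappedKeyReader`, `write_wrapped_keyset` and the sample key set are constructed for illustration; with AWS KMS the `wrap`/`unwrap` callables would call the service's Encrypt and Decrypt operations.

```python
import base64
import os
import tempfile

class FakeKms:
    """Constructed stand-in for a remote KMS: plaintext never leaves this object."""
    def __init__(self):
        self._vault = {}
    def encrypt(self, plaintext):
        blob = os.urandom(16)              # opaque handle, like a ciphertext blob
        self._vault[blob] = plaintext
        return blob
    def decrypt(self, blob):
        return self._vault[blob]           # KeyError for a blob this KMS never issued

class WrappedKeyReader:
    """Keyczar-style reader (assumed interface) over KMS-wrapped version files."""
    def __init__(self, location, unwrap):
        self.location = location
        self.unwrap = unwrap               # callable: wrapped bytes -> plaintext bytes
    def GetMetadata(self):
        # Metadata carries no key material, so it is stored in the clear.
        with open(os.path.join(self.location, "meta")) as f:
            return f.read()
    def GetKey(self, version_number):
        with open(os.path.join(self.location, str(version_number)), "rb") as f:
            blob = base64.b64decode(f.read(), validate=True)
        return self.unwrap(blob).decode("utf-8")
    def Close(self):
        pass

def write_wrapped_keyset(location, meta_json, versions, wrap):
    """Wrap each version's JSON before it touches disk; only wrapped bytes are written."""
    with open(os.path.join(location, "meta"), "w") as f:
        f.write(meta_json)
    for number, key_json in versions.items():
        with open(os.path.join(location, str(number)), "wb") as f:
            f.write(base64.b64encode(wrap(key_json.encode("utf-8"))))

def roundtrip_demo():
    kms = FakeKms()
    key_json = '{"sample": "not-a-real-key"}'   # constructed sample, not a Keyczar key
    with tempfile.TemporaryDirectory() as d:
        write_wrapped_keyset(d, '{"name": "demo"}', {1: key_json}, kms.encrypt)
        reader = WrappedKeyReader(d, kms.decrypt)
        with open(os.path.join(d, "1"), "rb") as f:
            on_disk = f.read()
        return reader.GetMetadata(), reader.GetKey(1), on_disk, key_json
```

The unwrap call is the point where access control and audit logging move off the host: a copied key directory is useless without permission to call the KMS.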
