Andrey Ivanov wrote:
i've read the changelog encryption design document. Indeed, it's a
sound idea to make AD-389 replication more robust. I have two
questions about it:
* if i understand correctly you say that the server needs a
certificate in order to generate the symmetric key. Is this key
generated only once?
That is correct. If a wrapped symmetric key is not found in
cn=changelog5,cn=config, the key is generated.
I mean, if we change the expired server
certificate it won't trigger the symmetric key regeneration?
If your changelog DB contains 2 sets of encrypted value
-- one is encrypted with the expired cert, the other with the new cert,
it'd be hard to recover old ones. Automation makes it happen easier...
* The replication changelog that contains the mixed entries
(cleartext, encrypted 3DES, encrypted AES etc) - is it still readable
by the server?
I don't think so. We should avoid it, too.
Does each changelog entry contain a flag that describes
whether the entry is cleartext/AES/3DES? Can the server "detect" in
any other way whether the changelog entry is encrypted and if yes with
what type of cypher?
The answer is no. Each value has no info about the type --
Thanks for the questions, Andrey!