defrex / django-encrypted-fields

This is a collection of Django Model Field classes that are encrypted using Keyczar.
MIT License

Expose method to (re)load crypter (and thus re-read keys). #15

Closed gimbo closed 8 years ago

gimbo commented 8 years ago

During key rotation, a user might want to load some objects using an old key and then save them with a new one. To save with different keys than were used to load, we need to reload _crypter; this new load_crypter method exposes that possibility.

(Or am I missing a better way to do this?)

defrex commented 8 years ago

It seems like this would be best achieved by subclassing KeyczarWrapper and passing it in as the crypter_klass.

How are you planning to use the new method?

gimbo commented 8 years ago

I'm writing code to rotate an encryption key, and re-encrypt the stored data with the new key. So I read a whole bunch of objects which have some encrypted field, then rotate the keys (using keyczart), then save the objects again. I found that if I don't force a re-upload of the crypter, the old key still gets used.

Am I doing something ridiculous here?

Your suggestion about subclassing KeyczarWrapper: how would this work? A version which re-reads the keys on every save operation?

defrex commented 8 years ago

This actually makes a ton of sense. I think I misunderstood it earlier.
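
The stale-key behaviour discussed in this thread, reproduced as an added example that is not part of the original thread or the project's code. It uses a constructed JSON key set and a toy cipher in place of Keyczar; `KeySet`, `CachedWrapper`, `ReloadingWrapper` and `rotate` are hypothetical names.

```python
import hashlib, json, os, tempfile

def _toy_cipher(key, data):  # constructed stand-in for Keyczar's cipher
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeySet:
    """Hypothetical on-disk key set: any version decrypts, the primary encrypts."""
    def __init__(self, path):
        with open(path) as fh:
            meta = json.load(fh)
        self.primary = meta["primary"]
        self.keys = {int(v): bytes.fromhex(k) for v, k in meta["keys"].items()}
    def encrypt(self, data):  # first byte records the key version used
        return bytes([self.primary]) + _toy_cipher(self.keys[self.primary], data)
    def decrypt(self, blob):
        return _toy_cipher(self.keys[blob[0]], blob[1:])

class CachedWrapper:
    """Reads the key set once at construction, so a later rotation goes unseen."""
    def __init__(self, path):
        self.path, self.keyset = path, KeySet(path)
    def encrypt(self, data):
        return self.keyset.encrypt(data)
    def decrypt(self, blob):
        return self.keyset.decrypt(blob)

class ReloadingWrapper(CachedWrapper):
    """Re-reads the key set before every write, so saves use the current primary."""
    def encrypt(self, data):
        self.keyset = KeySet(self.path)
        return self.keyset.encrypt(data)

def rotate(path):  # add a new key version and make it primary
    with open(path) as fh:
        meta = json.load(fh)
    meta["primary"] = max(map(int, meta["keys"])) + 1
    meta["keys"][str(meta["primary"])] = os.urandom(16).hex()
    with open(path, "w") as fh:
        json.dump(meta, fh)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "keyset.json")
    with open(path, "w") as fh:
        json.dump({"primary": 1, "keys": {"1": os.urandom(16).hex()}}, fh)
    cached, reloading = CachedWrapper(path), ReloadingWrapper(path)
    old = cached.encrypt(b"secret")  # stored before rotation, key version 1
    rotate(path)
    plain = reloading.decrypt(old)   # load with the old key
    return plain, cached.encrypt(plain)[0], reloading.encrypt(plain)[0]
```

Checking the key version recorded on each re-saved ciphertext before retiring the old key catches rows that a stale crypter wrote with the old key.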