
I would need to create a symmetric key in C# and use it to encrypt a string, which I would eventually store in a database. I would use the AES mechanism in .Net to achieve this. I would use the same key to decrypt the encrypted data.

Now my requirement is that if I have a mechanism to change the key. How can I ensure that I can use the newly created key to be used to decrypt the strings encrypted with the old or expired key?

Paŭlo Ebermann
user967338
  • I believe you should re-encrypt data using new key before removing old one – sll Sep 27 '11 at 15:11
  • What if I have a mechanism to update keys in a periodic fashion (say once a year)? Do I have to add code to re-encrypt data (which could be a huge amount of data)? – user967338 Sep 27 '11 at 15:15
  • Exactly as @sll says - before you can change the key you will need to decrypt all data using the old key, re-encrypt it using the new key, and replace the data on your database – Smudge202 Sep 27 '11 at 15:15
  • :-( I was looking for a solution similar to using Key_Source and Identity_Value in MS SQL? – user967338 Sep 27 '11 at 15:18
  • The alternative is to keep the old key; anything encrypted will need to reference the key it was encrypted with (as a foreign key, for example, or by comparing time stamps and expiry dates). This way, when the key changes you simply add the new key and mark it as active, and mark the old key as expired. All new data gets encrypted with the new key, and you can reference the old key when required to decrypt old data. – Smudge202 Sep 27 '11 at 15:28

1 Answer


Everything in the database must be decrypted then re-encrypted with the new key every time the key changes.

EDIT:

Per your comment, what Key_Source and Identity_Value are doing is creating a key that never changes, then encrypting that key and changing that outer layer at regular intervals. I would not recommend implementing this yourself, as it is very hard to secure that master key correctly; just use the key system built into MS SQL if that is the database you are using.

Scott Chamberlain
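The two schemes discussed in this thread, Smudge202's "keep the old key and have each row reference the key it was encrypted with" and the answer's "decrypt and re-encrypt under the new key", as one added C# example (this is not the asker's or answerer's code). It assumes .NET Core 3.0 or later for `AesGcm`; the `KeyRing` class name and the blob layout are my own choices, not anything from the original posts.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Key ring: every ciphertext carries the id of the key that produced it, so a
// rotated-out key can still decrypt old rows until they have been re-encrypted.
public sealed class KeyRing
{
    private readonly Dictionary<int, byte[]> keys = new Dictionary<int, byte[]>();
    public int ActiveKeyId { get; private set; }
    // Rotation: add a fresh 256-bit key and make it active; old keys are kept.
    public int Rotate()
    {
        var key = new byte[32];
        RandomNumberGenerator.Fill(key);
        keys[++ActiveKeyId] = key;
        return ActiveKeyId;
    }
    // Retire a key only once no stored row references it any more.
    public void Retire(int keyId) => keys.Remove(keyId);

    // Blob layout: [4-byte keyId][12-byte nonce][16-byte tag][ciphertext]
    public byte[] Encrypt(string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        var blob = new byte[4 + 12 + 16 + pt.Length];
        BitConverter.GetBytes(ActiveKeyId).CopyTo(blob, 0);
        RandomNumberGenerator.Fill(blob.AsSpan(4, 12));          // fresh nonce per row
        using var aes = new AesGcm(keys[ActiveKeyId]);
        // keyId is passed as associated data so the tag also covers the key label
        aes.Encrypt(blob.AsSpan(4, 12), pt, blob.AsSpan(32), blob.AsSpan(16, 16), blob.AsSpan(0, 4));
        return blob;
    }

    public string Decrypt(byte[] blob)
    {
        int keyId = BitConverter.ToInt32(blob, 0);
        if (!keys.TryGetValue(keyId, out var key))
            throw new CryptographicException($"key {keyId} is retired; this row was never re-encrypted");
        var pt = new byte[blob.Length - 32];
        using var aes = new AesGcm(key);
        aes.Decrypt(blob.AsSpan(4, 12), blob.AsSpan(32), blob.AsSpan(16, 16), pt, blob.AsSpan(0, 4)); // throws on tamper
        return Encoding.UTF8.GetString(pt);
    }

    // Background migration step: a row under an old key is rewritten under the active one.
    public byte[] Reencrypt(byte[] blob) =>
        BitConverter.ToInt32(blob, 0) == ActiveKeyId ? blob : Encrypt(Decrypt(blob));
}
```

Call `Rotate()` on each key change, run `Reencrypt` over stored rows as a background job, and only `Retire(oldId)` once no row still carries that id; any row that was missed then fails loudly with the retired-key error instead of decrypting to garbage.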