Cryptography for Mere Mortals #3
An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.
Q: Some of the privacy regulations such as PCI DSS require key rollover—changing the encryption keys periodically. How can that work in a large enterprise data protection environment?
A: Key rollover can be a challenge, depending on the technology used. One thing to realize is that key rollover typically does not mean that existing data must be re-encrypted. However, if you do not re-encrypt existing data, then you must have some way to know whether a particular item was encrypted with the old key or the new one.
With Voltage SecureData, there are several ways to do this. Since the key server can maintain multiple generations of a key, you can perform a key rollover at the key server: subsequent key requests will fetch the new key. If a column in the database row or file record stores the key number that was used, then that number tells the application which key generation to request for each subsequent decryption.
Voltage SecureData also offers a variation on Format-Preserving Encryption called Embedded FPE, which embeds the key number—not the key itself, just the number (first, second, third, etc.)—in the ciphertext. When a decryption operation takes place, this key number is extracted and the correct key is used automatically. Thus the data is self-describing and can be decrypted without having to store any additional information.
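To make the "self-describing ciphertext" idea concrete, here is an added Go example written for this page; it is not Voltage's Embedded FPE (which is format-preserving) and not code from Voltage, but an ordinary AES-GCM envelope that carries the key generation number as its first byte. The key ring, the label-derived keys and the sample card number are all constructed for the demo. It shows the three things the answer describes: the key server keeps several generations live, encryption tags each record with the generation used, and decryption reads the tag and fetches the matching key. It also shows the caveat a practitioner needs: retiring an old generation is only safe after records tagged with it have been re-encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyRing models a key server holding several generations of one data key.
// Generations start at 1 so a leading 0 byte can never select a real key.
type KeyRing struct {
	keys    map[uint8][]byte // generation number -> 32-byte AES key
	current uint8            // generation used for new encryptions
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint8][]byte{}} }

// Rollover creates the next generation and makes it current. Keys are derived
// from a fixed label only to keep the demo deterministic (constructed
// assumption); a real key server generates random key material.
func (r *KeyRing) Rollover() uint8 {
	r.current++
	k := sha256.Sum256([]byte(fmt.Sprintf("demo-only-key-generation-%d", r.current)))
	r.keys[r.current] = k[:]
	return r.current
}

// Retire drops a generation; records still tagged with it stop decrypting.
func (r *KeyRing) Retire(gen uint8) { delete(r.keys, gen) }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt emits [gen (1 byte) | nonce | ciphertext+tag]. The generation byte is
// also bound as associated data, so tampering with it fails authentication
// instead of silently selecting another key.
func (r *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	key, ok := r.keys[r.current]
	if !ok {
		return nil, fmt.Errorf("no current key: call Rollover first")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{r.current}, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte{r.current}), nil
}

// KeyGeneration reads the tag without decrypting; a migration job uses it to
// find records still under an old generation.
func KeyGeneration(record []byte) (uint8, error) {
	if len(record) == 0 || record[0] == 0 {
		return 0, fmt.Errorf("record carries no key generation tag")
	}
	return record[0], nil
}

// Decrypt extracts the tag, fetches that generation and opens the record.
func (r *KeyRing) Decrypt(record []byte) ([]byte, error) {
	gen, err := KeyGeneration(record)
	if err != nil {
		return nil, err
	}
	key, ok := r.keys[gen]
	if !ok {
		return nil, fmt.Errorf("key generation %d unavailable (retired or never issued)", gen)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(record) < 1+ns+aead.Overhead() {
		return nil, fmt.Errorf("record too short")
	}
	return aead.Open(nil, record[1:1+ns], record[1+ns:], record[:1])
}

// ReEncrypt migrates a record from whatever generation it carries to the
// current one; run it over stored data before retiring an old generation.
func (r *KeyRing) ReEncrypt(record []byte) ([]byte, error) {
	pt, err := r.Decrypt(record)
	if err != nil {
		return nil, err
	}
	return r.Encrypt(pt)
}

func main() {
	ring := NewKeyRing()
	ring.Rollover()
	rec, _ := ring.Encrypt([]byte("4111111111111111")) // constructed sample PAN
	fmt.Printf("record tagged with key generation %d\n", rec[0])
}
```

Binding the generation byte as associated data is the detail worth copying: without it, flipping the tag byte would make the decryptor fetch a different key and report a plain decryption failure (or, with a non-authenticated mode, return garbage) instead of a clean integrity error. A format-preserving scheme like Embedded FPE has to encode the same number inside the preserved format rather than as a prefix, but the lookup logic on the decrypt side is the same.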