The EVP_SealInit() OpenSSL API supports multi-key encryption: it encrypts the symmetric AES key with multiple RSA public keys, so we can store several of those encrypted AES keys in the resulting file and make it decryptable on multiple hosts. This avoids encrypting the same file separately for each host, which would mean more files and a duplicated encrypted payload (which can potentially be big).
The easiest approach seems to be adding a new header, Encrypted-for: SHA=some-sha-here, which can appear multiple times. The order of these headers determines the order of the RSA keys the AES key was encrypted with; the encrypted AES keys are stored one after another in the file in that same order.
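To make the header-to-slot mapping concrete, here is an added example (not cf-keycrypt's own code) of a constructed container: one `Encrypted-for: SHA=<sha256 of the recipient's public key>` line per recipient, a blank line, the RSA-wrapped AES key blobs in header order, then the AES ciphertext. The RSA wrapping itself (EVP_SealInit) is not shown; the blobs, the fixed blob length, and the key material are all constructed placeholders.

```python
import hashlib

HEADER = "Encrypted-for"
KEY_BLOB_LEN = 256  # assumption: RSA-2048 output size for each wrapped AES key


def build_envelope(wrapped_keys, ciphertext):
    """Constructed container layout (assumption, not the real cf-keycrypt format):
    one Encrypted-for header per recipient, then the wrapped-key blobs in the
    same order, then the payload.  wrapped_keys is a list of (pub_key, blob)."""
    lines = []
    blobs = b""
    for pub_key, blob in wrapped_keys:
        if len(blob) != KEY_BLOB_LEN:
            raise ValueError("wrapped key blob has unexpected length")
        digest = hashlib.sha256(pub_key).hexdigest()
        lines.append(f"{HEADER}: SHA={digest}")
        blobs += blob
    header = ("\n".join(lines) + "\n\n").encode()
    return header + blobs + ciphertext


def find_wrapped_key(envelope, pub_key):
    """Locate this host's wrapped AES key by matching its key digest against the
    Encrypted-for headers.  Returns (slot_index, blob, ciphertext), or None when
    the file was not encrypted for this key.  Malformed input raises ValueError."""
    head, sep, body = envelope.partition(b"\n\n")
    if not sep:
        raise ValueError("missing header terminator")
    digests = []
    for line in head.decode("ascii").splitlines():
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip() != HEADER or not value.startswith("SHA="):
            raise ValueError(f"unexpected header line: {line!r}")
        digests.append(value[len("SHA="):])
    wanted = hashlib.sha256(pub_key).hexdigest()
    if wanted not in digests:
        return None
    key_section = len(digests) * KEY_BLOB_LEN
    if len(body) < key_section:
        raise ValueError("truncated wrapped-key section")
    idx = digests.index(wanted)  # header position == blob position
    blob = body[idx * KEY_BLOB_LEN:(idx + 1) * KEY_BLOB_LEN]
    return idx, blob, body[key_section:]
```

With a real implementation the selected blob would be fed to EVP_OpenInit together with the host's private key; the lookup above only decides which slot belongs to this host.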
Is blocked by: CFE-2613 Ship cf-keycrypt functionality (Done)