Update to Credhub encryption to use Key Encryption Key (KEK) protocol scheme


Hi everyone,

The Credhub team is proposing a change to the current encryption scheme. 

Changing the current encryption scheme from Data Encryption Key (DEK) to Key Encryption Key (KEK) would allow for:

  • increased Credhub security posture

  • simplification of Credhub encryption key rotation

  • integration with third-party KMS vendors with a data size limit

Details of the change can be found here.

Please feel free to share your thoughts and concerns and reach out with any questions!


The Credhub Team

