I'd like to extend the cryptography application block to transparently rotate keys at a specific interval (once a day), without changing code that uses the application block. I'm fine with changing the configuration and extending the application
My strategy is to
- define a location where keys are stored, be it in the database or file system
- define the interval when keys should be rotated
- define the algorithm used for encrypting and decrypting data
- when encrypting data, write a "header" which indicates which algorithm was used, the key size and version followed by the encrypted data
- when decrypting the data, read the header, find the key in the key store and use it to decrypt the rest of the data.
This seems to be a common technique.
Any suggestions would be much appreciated.
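An added example, not code from the original post or from the Enterprise Library, showing the header-plus-versioned-key-store design described above in Go rather than .NET; the 7-byte header layout, the `KeyStore` type and the one-byte algorithm id are assumptions. The header is also passed to AES-GCM as associated data, so a tampered version or algorithm field fails authentication instead of steering decryption to the wrong key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)
const algAESGCM, hdrLen = byte(1), 7 // hypothetical header: alg(1) | key bits(2) | key version(4), big-endian
type KeyStore struct { // keeps every key version ever issued; a real store would be DB- or file-backed
	keys    map[uint32][]byte
	current uint32
}
func NewKeyStore() *KeyStore { return &KeyStore{keys: map[uint32][]byte{}} }
// Rotate issues a fresh 256-bit key as the new current version; older versions stay readable.
func (ks *KeyStore) Rotate() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return 0, err }
	ks.current++
	ks.keys[ks.current] = k
	return ks.current, nil
}
func aead(key []byte) (cipher.AEAD, error) { // AES-GCM for the key; errors if no key (nil) was issued yet
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Encrypt writes header || nonce || ciphertext; the header doubles as GCM associated data, so a tampered version field fails authentication.
func (ks *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	key := ks.keys[ks.current]
	g, err := aead(key)
	if err != nil { return nil, err }
	h := []byte{algAESGCM, 0, 0, 0, 0, 0, 0}
	binary.BigEndian.PutUint16(h[1:], uint16(len(key)*8))
	binary.BigEndian.PutUint32(h[3:], ks.current)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(append(h, nonce...), nonce, plaintext, h), nil
}
// Decrypt reads the header, looks up the key version it names and verifies the whole message.
func (ks *KeyStore) Decrypt(msg []byte) ([]byte, error) {
	if len(msg) < hdrLen || msg[0] != algAESGCM { return nil, errors.New("bad header") }
	key, ok := ks.keys[binary.BigEndian.Uint32(msg[3:hdrLen])]
	if !ok { return nil, errors.New("unknown key version") }
	g, err := aead(key)
	if err != nil { return nil, err }
	end := hdrLen + g.NonceSize()
	if len(msg) < end { return nil, errors.New("truncated message") }
	return g.Open(nil, msg[hdrLen:end], msg[end:], msg[:hdrLen])
}
```

A daily timer would simply call `Rotate` and persist the new version; nothing that calls `Encrypt` or `Decrypt` changes, and data written under an older version keeps decrypting until that key is deliberately retired.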