I've been thinking about security lately quite a bit, having finished tech editing a book on encryption and reading another one. I've had a few polls on various security items and this Friday I thought about another one.
How often do you rotate encryption keys or passwords?
Good practices dictate that you periodically rotate those keys and re-encrypt data to ensure that if a malicious user were to acquire an older copy of the database, and somehow brute force the keys, they wouldn't be able to actually use those keys or passwords against your current database server.
Passwords seem to rotate on all types of intervals, depending on how paranoid the Windows system administrator is. I've had them rotate as often as every 30 days and as long as a year. I guess I've had places where passwords never expired, but I wouldn't count that as any type of "rotation."
I'm really looking for an idea of what people think is a good interval. My guess is that for heavily encrypted data, rotating keys and dealing with the hassles of decryption/re-encryption, once a year is probably a good interval, but let me know if you think differently. Or, if any of you are actually using SQL Server encryption keys, how often do you rotate them?
Or do you not bother to rotate them at all?
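To make the "decrypt and re-encrypt" hassle concrete, here is an added T-SQL example of rotating a SQL Server symmetric key. It is not from the editorial or from any SQLServerCentral script; the database master key, the certificate `CardCert`, the table `dbo.Customers`, the column `CardNumberEnc` and the key names `CardKey_2008` / `CardKey_2009` are all hypothetical. The pattern is the one the built-in functions support: create the replacement key, open both keys, rewrite the column with `EncryptByKey` over `DecryptByKey`, and only then retire the old key.

```sql
-- Added example (not the editorial's own code): rotating a symmetric key that
-- protects a column, by re-encrypting the column under a replacement key.
-- Assumed (hypothetical) objects: a database master key, a certificate CardCert,
-- an existing key CardKey_2008 protected by that certificate, and a table
-- dbo.Customers with a varbinary(max) column CardNumberEnc encrypted by CardKey_2008.

-- 1. Create the replacement key, protected by the same certificate.
CREATE SYMMETRIC KEY CardKey_2009
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO

-- 2. Re-encrypt every row in one transaction, so a failure leaves the column
--    entirely under the old key rather than in a mixed state.
DECLARE @nullsBefore int, @nullsAfter int;

SELECT @nullsBefore = COUNT(*) FROM dbo.Customers WHERE CardNumberEnc IS NULL;

BEGIN TRANSACTION;

-- Both keys must be open: DecryptByKey picks the key from the GUID embedded in
-- the ciphertext, EncryptByKey is told explicitly to use the new one.
OPEN SYMMETRIC KEY CardKey_2008 DECRYPTION BY CERTIFICATE CardCert;
OPEN SYMMETRIC KEY CardKey_2009 DECRYPTION BY CERTIFICATE CardCert;

UPDATE dbo.Customers
SET CardNumberEnc = EncryptByKey(Key_GUID('CardKey_2009'), DecryptByKey(CardNumberEnc))
WHERE CardNumberEnc IS NOT NULL;

CLOSE ALL SYMMETRIC KEYS;

-- DecryptByKey returns NULL (it does not raise) for data it cannot open, and
-- the UPDATE would silently overwrite such rows with NULL. Compare NULL counts
-- before and after and roll back instead of destroying data.
SELECT @nullsAfter = COUNT(*) FROM dbo.Customers WHERE CardNumberEnc IS NULL;

IF @nullsAfter > @nullsBefore
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Re-encryption produced NULL ciphertext; rotation rolled back.', 16, 1);
END
ELSE
    COMMIT TRANSACTION;
GO

-- 3. Verify the column now opens with the new key alone, using the
--    certificate to unlock the key automatically.
OPEN SYMMETRIC KEY CardKey_2009 DECRYPTION BY CERTIFICATE CardCert;
SELECT TOP (5) CustomerID,
       CONVERT(varchar(32), DecryptByKey(CardNumberEnc)) AS CardNumberPlain
FROM dbo.Customers;
CLOSE SYMMETRIC KEY CardKey_2009;
GO

-- 4. Retire the old key only once no backup that still contains data under it
--    needs to be restorable; after DROP, that data cannot be recovered.
-- DROP SYMMETRIC KEY CardKey_2008;
```

Two points worth noting for the yearly-rotation schedule the editorial suggests: the old key has to stay available for as long as any backup encrypted under it is kept, so retention policy and rotation interval have to be decided together, and re-encrypting a large table in a single transaction means log growth and blocking, so batching the UPDATE by key range is the usual production compromise.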
Steve Jones
The Voice of the DBA Podcasts
The podcast feeds are available at sqlservercentral.mevio.com. You can also follow Steve Jones on Twitter, or subscribe now on iTunes!
- Windows Media Podcast - 17.8MB WMV
- iPod Video Podcast - 12.8 MB MP4
- MP3 Audio Podcast - 2.6MB MP3
Today's podcast features music by Everyday Jones. No relation, but I stumbled onto them and really like the music. Support this great duo at www.everydayjones.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.