Cryptographic Agility Questions

Are you trying to change your application cryptography? Here's some common cases and recommendations.

Is this encrypted data coming through a query or request parameter?

Put the new version in a different parameter and only read it with the new code. If the new parameter is populated, do not read the old parameter. Bind the version to the encrypted message with authenticated encryption with associated data (AEAD) so that only the appropriate decryption function will successfully decrypt it.

I encrypt the data and the client uses it as a token, but I cannot update the client, what can I do?

See Encrypted token migrations.

What if this is a database field?

See Encryption at rest migrations.

What about TLS ciphers?

See TLS Migrations.

I was using MD5 for passwords, what should I do?

See Password Migrations.

What questions should I ask when beginning a migration?

See General Migration Questions.