HTTP Federation stores a user's password on a keychain that's encrypted and shared between Identity Routers. How is that information encrypted, stored, and transmitted to other IDRs?
The key chain for each user is encrypted with a unique key (meaning one key per user).
The user keys are themselves encrypted using a tenant-unique key.
The key chains are synchronized across the IDRs by the internal replication mechanisms of the IDR, and so are the user keys. The user keys and key chains are not decrypted during synchronisation.
If I haven't lost you till now, you are probably wondering... how does the tenant key get put onto an IDR? After all, that's the only key that can decrypt the user keys, and without the user keys the key chains stay encrypted.
The tenant key is pushed down to the IDR during IDR registration. It is then not synchronised, as each IDR already has it.
tl;dr The tenant key wraps the user key which wraps the key chain. Tenant key is pushed to IDR during IDR registration.
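The three-level wrapping described in the answer above (tenant key wraps user key, user key wraps key chain, replication moves only ciphertext) is a standard envelope-encryption key hierarchy. The script below is an added illustration of that pattern, written for this page; it is not RSA's code and says nothing about the real IDR's ciphers, formats or replication protocol, all of which are assumptions here. To stay standard-library only it uses a toy authenticated cipher built from HMAC-SHA256 in counter mode (encrypt-then-MAC); a real deployment would use a vetted AEAD such as AES-GCM or an RFC 3394 key-wrap instead. The `IdentityRouter` class, `register`, `add_user`, `replicate_to` and `read_keychain` are all hypothetical names chosen for the example.

```python
import hashlib
import hmac
import json
import os

# --- Toy AEAD (stand-in for AES-GCM / AES key wrap), stdlib only -------------

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: HMAC(k, nonce || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; raise ValueError on the wrong key or tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# --- The key hierarchy: tenant key -> user key -> key chain -----------------

class IdentityRouter:
    """Hypothetical model of an IDR node holding wrapped per-user material."""

    def __init__(self, name: str):
        self.name = name
        self.tenant_key = None       # only arrives via register(), never via replication
        self.store = {}              # user -> (wrapped_user_key, encrypted_keychain)

    def register(self, tenant_key: bytes) -> None:
        """Registration is the one path that provisions the tenant key."""
        self.tenant_key = tenant_key

    def add_user(self, user: str, keychain: dict) -> None:
        """Create a fresh per-user key, wrap it under the tenant key, encrypt the chain under it."""
        user_key = os.urandom(32)
        wrapped_user_key = seal(self.tenant_key, user_key, aad=user.encode())
        enc_keychain = seal(user_key, json.dumps(keychain).encode(), aad=user.encode())
        self.store[user] = (wrapped_user_key, enc_keychain)
        # user_key is dropped here; it only lives on in wrapped form.

    def replicate_to(self, other: "IdentityRouter") -> None:
        """Replication copies the ciphertext blobs verbatim; nothing is decrypted."""
        other.store.update(self.store)

    def read_keychain(self, user: str) -> dict:
        """Unwrap the user key with the tenant key, then decrypt the chain with the user key."""
        wrapped_user_key, enc_keychain = self.store[user]
        user_key = unseal(self.tenant_key, wrapped_user_key, aad=user.encode())
        return json.loads(unseal(user_key, enc_keychain, aad=user.encode()))


def demo() -> dict:
    """Walk the scenario from the answer: two registered IDRs plus an unregistered one."""
    tenant_key = os.urandom(32)                       # constructed sample tenant key
    idr_a, idr_b, rogue = IdentityRouter("idr-a"), IdentityRouter("idr-b"), IdentityRouter("rogue")
    idr_a.register(tenant_key)
    idr_b.register(tenant_key)                        # rogue never completes registration

    keychain = {"app": "https://intranet.example/login", "password": "hunter2"}  # constructed
    idr_a.add_user("alice", keychain)
    idr_a.replicate_to(idr_b)
    idr_a.replicate_to(rogue)                         # it gets the blobs, but not the tenant key

    rogue.tenant_key = os.urandom(32)                 # a guessed key must not unwrap anything
    try:
        rogue.read_keychain("alice")
        rogue_failed = False
    except ValueError:
        rogue_failed = True

    return {
        "b_reads_same_chain": idr_b.read_keychain("alice") == keychain,
        "blobs_identical_after_replication": idr_a.store["alice"] == idr_b.store["alice"],
        "rogue_without_tenant_key_fails": rogue_failed,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the separation of duties: the tenant key never travels with the replicated data, so a node that has a full copy of the store but did not go through registration holds nothing it can open, and rotating one user's key means re-wrapping one small blob rather than re-encrypting every chain.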