Support for rotation of secrets
StephanErb opened this issue
Hi everyone,
we accidentally leaked the `SECRET_KEY` of a test environment that was used for decrypting model fields using this library. In such a case, to be on the safe side, one has to rotate the leaked key. While I am aware that we can run a migration similar to this one here, it would be great if django-cryptography would have an officially supported way to rotate encryption keys:
Proposal A)
Ship a Django command to perform such a secret rotation:
$ django-admin rotate_encryption_key <current secret key> <new secret key>
Afterwards the `settings.py` needs to be adjusted to reference the new key.
Proposal B)
If Proposal A is hard to implement, an easier but less secure alternative option would be to support two kinds of secret specifications:
- a secret used for encryption (i.e. `SECRET_KEY` or `CRYPTOGRAPHY_KEY` as used today)
- a list of secrets used for decryption (e.g. `CRYPTOGRAPHY_PREVIOUS_KEYS=['foo', 'bar']`)
In case a field cannot be decrypted using either `SECRET_KEY` or `CRYPTOGRAPHY_KEY`, all secrets in `CRYPTOGRAPHY_PREVIOUS_KEYS` are tried in order. This would enable us to at least have all new secrets encrypted with a new key, while the encryption of other fields is still supported.
Thanks!
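The fallback order of Proposal B and the re-encryption pass of Proposal A, as an added example that is not part of the original post and is not django-cryptography code. `decrypt_any` and `rotate` are hypothetical names, and the stdlib encrypt-then-MAC routine is an assumed stand-in for the library's real cipher.

```python
import hashlib
import hmac
import os

class BadToken(Exception):
    """No configured key authenticates the token."""

def _subkeys(secret):
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())

def _keystream_xor(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(secret, plaintext):
    enc, mac = _subkeys(secret)
    nonce = os.urandom(16)
    body = nonce + _keystream_xor(enc, nonce, plaintext)
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def decrypt(secret, token):
    enc, mac = _subkeys(secret)
    body, tag = token[:-32], token[-32:]
    good = hmac.new(mac, body, hashlib.sha256).digest()
    if len(body) < 16 or not hmac.compare_digest(tag, good):
        raise BadToken("authentication failed")
    return _keystream_xor(enc, body[:16], body[16:])

def decrypt_any(current, previous, token):
    """Try the current key, then previous keys in order; return (plaintext, key index)."""
    for index, secret in enumerate([current, *previous]):
        try:
            return decrypt(secret, token), index
        except BadToken:
            continue
    raise BadToken("no configured key authenticates this token")

def rotate(current, previous, tokens):
    """Re-encrypt tokens still under a previous key; return (tokens, rewritten count)."""
    out, rewritten = [], 0
    for token in tokens:
        plaintext, index = decrypt_any(current, previous, token)
        if index:  # index 0 means already under the current key
            token, rewritten = encrypt(current, plaintext), rewritten + 1
        out.append(token)
    return out, rewritten
```

While a leaked key remains in the previous-keys list, anything still encrypted under it stays readable to whoever holds that key. Once `rotate` reports zero rewritten tokens on a second pass, the key can be removed from the list.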
I would think that Proposal A is the easiest to adopt!
I would love to see this integrated :)
@StephanErb It would seem reasonable to also support changing the salt. What do you think?
Has there been any progress on this feature? Or supporting multiple keys for decryption?
@zaeem-maqsood I don't think a PR has been put forward for rotating keys.