ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.

Home Page: https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra


Full key rotation

WatcherWhale opened this issue · comments

Preflight checklist

Ory Network Project

No response

Describe your problem

At the moment, system, cookie, etc. keys cannot be fully rotated and still require the old key to be configured. This isn't sufficient in scenarios where the old key got leaked or exposed in another way, where some of the data can still be read with the old key.

Describe your ideal solution

I suggest exposing a CLI command that fully re-encrypts the whole database and thus not needing an old key afterwards.

Workarounds or alternatives

/

Version

2.1.2

Additional Context

No response

+1 I also have the same problem. Recently I removed the old key and now I will most likely have to revert this change, because I keep getting:

error=server_error&error_description=The+authorization+server+encountered+an+unexpected+condition+that+prevented+it+from+fulfilling+the+request.+Could+not+ensure+that+signing+keys+for+%27hydra.openid.id-token%27+exists.+If+you+are+running+against+a+persistent+SQL+database+this+is+most+likely+because+your+%27secrets.system%27+%28%27SECRETS_SYSTEM%27+environment+variable%29+is+not+set+or+changed.+When+running+with+an+SQL+database+backend+you+need+to+make+sure+that+the+secret+is+set+and+stays+the+same%2C+unless+when+doing+key+rotation.+This+may+also+happen+when+you+forget+to+run+%27hydra+migrate+sql

in some environments. The documentation at https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys doesn't specify what I should do to remove the old key.