Is your feature request related to a problem? Please describe.
It doesn't currently seem possible to rotate the AES_ENCRYPTION_SECRET configuration value. This is potentially required for compliant environments, where encryption secrets need to be rotated at regular intervals.
Describe the solution you'd like
A potential solution could look like this:
- Add a second configuration variable, AES_ENCRYPTION_SECRET_ROTATION
- If present, use it as a fallback during decryption if decryption with AES_ENCRYPTION_SECRET fails
- Add a CLI command which goes through all webhook destinations, decrypts the secret, and re-encrypts with AES_ENCRYPTION_SECRET_ROTATION
Describe alternatives you've considered
None.
Additional context
I discovered this while setting up our internal Outpost setup. I had to move AES_ENCRYPTION_SECRET to key vault, and in the process the secret changed, rendering my existing destination settings useless. (As a side note, but less critical, retrieving a destination or list of destinations with the wrong encryption secret just errors).
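The flow proposed in this request, sketched in Go as an added example; it is not Outpost's code and not part of the original issue. The function names are hypothetical, and AES-256-GCM over raw 32-byte keys is an assumption, since the page does not say how AES_ENCRYPTION_SECRET is turned into a key or which mode is used. Here `cur` stands for AES_ENCRYPTION_SECRET and `rot` for AES_ENCRYPTION_SECRET_ROTATION.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Assumption: AES-256-GCM over raw 32-byte keys; the page does not state Outpost's scheme.
func newAEAD(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return aead
}

func seal(a cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	_, err := rand.Read(nonce)
	return a.Seal(nonce, nonce, plaintext, nil), err // nonce || ciphertext || tag
}
func open(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil) // a wrong key fails the tag check
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// decryptWithFallback tries cur, then rot if set; rotated means "already under rot".
func decryptWithFallback(cur, rot cipher.AEAD, blob []byte) (pt []byte, rotated bool, err error) {
	if pt, err = open(cur, blob); err == nil || rot == nil {
		return pt, false, err
	}
	pt, err = open(rot, blob)
	return pt, err == nil, err
}

// reencrypt is the per-destination step of the rotation command; re-running it is a no-op.
func reencrypt(cur, rot cipher.AEAD, blob []byte) ([]byte, error) {
	pt, rotated, err := decryptWithFallback(cur, rot, blob)
	if err != nil || rotated {
		return blob, err // failed or already rotated: leave the stored value untouched
	}
	return seal(rot, pt)
}

func main() {
	cur, rot := newAEAD([32]byte{1}), newAEAD([32]byte{2}) // constructed keys
	blob, _ := seal(cur, []byte("whsec_constructed"))
	fmt.Println(reencrypt(cur, rot, blob))
}
```

The fallback relies on decryption failing detectably under the wrong key, which an authenticated mode such as GCM provides through its tag check.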