Encryption: Add support for multiple data keys per day (#47765)

* Add database migrations * Use short uids as data key ids * Add support for manual data key rotation * Fix duplicated mutex unlocks * Fix migration * Manage current data keys per name * Adjust key re-encryption and test * Modify rename column migration for MySQL compatibility * Refactor secrets manager and data keys cache * Multiple o11y adjustments * Fix stats query * Apply suggestions from code review Co-authored-by: Tania <yalyna.ts@gmail.com> * Fix linter * Docs: Rotate data encryption keys API endpoint Co-authored-by: Tania <yalyna.ts@gmail.com>
2025-09-20 07:06:08 +08:00 · 2022-05-23 13:13:55 +02:00
parent ae8c11bfa4
commit e43879e55d
21 changed files with 498 additions and 170 deletions
--- a/docs/sources/developers/http_api/admin.md
+++ b/docs/sources/developers/http_api/admin.md
@ -704,3 +704,28 @@ Content-Type: application/json
  "message": "LDAP config reloaded"
 }
 ```
+
+## Rotate data encryption keys
+
+`POST /api/admin/encryption/rotate-data-keys`
+
+Rotates data encryption keys, so all the active keys are disabled
+and no longer used for encryption but kept for decryption operations.
+
+Secrets encrypted with one of the deactivated keys need to be re-encrypted
+to actually stop using those keys for both encryption and decryption.
+
+**Example Request**:
+
+```http
+POST /api/admin/encryption/rotate-data-keys HTTP/1.1
+Accept: application/json
+Content-Type: application/json
+```
+
+**Example Response**:
+
+```http
+HTTP/1.1 204
+Content-Type: application/json
+```