Key rotation is left out of scope for the On-chain KMS pull request. It's still TODO. Let's push things along by adding key rotation as a dstack example!
Complete this issue by adding an example of an application that gains forward secrecy through implementing key rotation.
- could leave the KMS itself out of scope and consider forward secrecy involving vulnerabilities in the app itself
- follow the row-level security pattern in an underlying db
- decide between alternatives:
  - puncturable encryption
  - reencrypt everything to new epoch key
  - every row has distinct key, copy all keys on migration
See key rotation section in KMS design docs: https://docs.phala.network/dstack/design-documents/key-management-protocol
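As an added illustration of the alternatives listed above (this is not code from dstack, from the KMS pull request, or from this issue), the following Python sketch stores every row under its own data key, wraps those data keys under an epoch key, and supports two rotation modes: rewrapping only the data keys under a new epoch key ("copy all keys on migration") or decrypting and re-sealing every row ("reencrypt everything to new epoch key"). A `puncture` operation deletes one row's key in the spirit of puncturable encryption. The names `RowStore`, `seal`, `open_sealed`, `rotate`, `puncture` and `key_unwraps_row` are assumptions of this example, and the HMAC-SHA256 based cipher is a toy stand-in for AES-GCM so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher built from HMAC-SHA256: a stand-in for AES-GCM so the
# example needs no third-party package. Assumption of this example, not for production.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class RowStore:
    """Each row is sealed under a distinct data key; data keys are wrapped by the
    current epoch key, which lives with the app (or a KMS), never beside the rows."""

    def __init__(self):
        self.epoch = 0
        self.epoch_key = secrets.token_bytes(32)
        self.rows = {}  # row_id -> {"epoch": int, "wrapped_key": bytes | None, "ct": bytes}

    def put(self, row_id: str, plaintext: bytes) -> None:
        data_key = secrets.token_bytes(32)
        self.rows[row_id] = {
            "epoch": self.epoch,
            "wrapped_key": seal(self.epoch_key, data_key),
            "ct": seal(data_key, plaintext),
        }

    def get(self, row_id: str) -> bytes:
        row = self.rows[row_id]
        if row["wrapped_key"] is None:
            raise KeyError(f"{row_id}: row key punctured, ciphertext is unrecoverable")
        if row["epoch"] != self.epoch:
            raise KeyError(f"{row_id}: sealed under retired epoch {row['epoch']}")
        data_key = open_sealed(self.epoch_key, row["wrapped_key"])
        return open_sealed(data_key, row["ct"])

    def rotate(self, reencrypt_rows: bool = False) -> None:
        """Advance the epoch. reencrypt_rows=False rewrites only the small wrapped-key
        record per row; True decrypts and re-seals every row under a fresh data key,
        which is costlier but also retires any data key that may have leaked."""
        new_epoch_key = secrets.token_bytes(32)
        for row in self.rows.values():
            if row["wrapped_key"] is None:  # punctured rows stay unreadable across epochs
                row["epoch"] = self.epoch + 1
                continue
            data_key = open_sealed(self.epoch_key, row["wrapped_key"])
            if reencrypt_rows:
                plaintext = open_sealed(data_key, row["ct"])
                data_key = secrets.token_bytes(32)
                row["ct"] = seal(data_key, plaintext)
            row["wrapped_key"] = seal(new_epoch_key, data_key)
            row["epoch"] = self.epoch + 1
        self.epoch_key = new_epoch_key  # the retired epoch key is dropped, not archived
        self.epoch += 1

    def puncture(self, row_id: str) -> None:
        """Delete one row's key: the ciphertext is then unrecoverable to anyone."""
        self.rows[row_id]["wrapped_key"] = None

    def readable(self, row_id: str) -> bool:
        try:
            self.get(row_id)
            return True
        except (KeyError, ValueError):
            return False

def key_unwraps_row(store: RowStore, epoch_key: bytes, row_id: str) -> bool:
    """True if this epoch key (e.g. a retired one that leaked) still unwraps the row's data key."""
    wrapped = store.rows[row_id]["wrapped_key"]
    if wrapped is None:
        return False
    try:
        open_sealed(epoch_key, wrapped)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    store = RowStore()
    store.put("user:1", b"constructed sample row")  # constructed sample data
    retired = store.epoch_key
    store.rotate()
    print("still readable after rotation:", store.get("user:1"))
    print("retired epoch key unwraps row:", key_unwraps_row(store, retired, "user:1"))
    store.puncture("user:1")
    print("readable after puncture:", store.readable("user:1"))
```

The check a reviewer would want from such an example is the one `key_unwraps_row` makes: once `rotate` has run and the old epoch key is discarded, a copy of that key taken from a compromised app instance opens nothing in the store, and a punctured row remains unreadable even with the current epoch key. Whether the rewrap-only mode is enough depends on whether the threat model includes leakage of individual data keys; if it does, the re-encrypt mode (or puncturing the affected rows) is the one to use.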