Support for rotation of secrets

[StephanErb]

Hi everyone,

we accidentally leaked the SECRET_KEY of a test environment that was used for decrypting model fields using this library. In such a case, to be on the safe side, one has to rotate the leaked key. While I am aware that we can run a migration similar to this one here it would be great if django-cryptography would has an officially supported way how to rotate encryption keys:

Proposal A)
Ship a Django command to perform such a secret rotation:

$ django-admin rotate_encryption_key <current secret key> <new secret key> 

Afterwards the settings.py needs to be adjusted to reference the new key.

Proposal B)
If Proposal A is hard to implement, an easier but less secure alternative option would be to support two kinds of secret specifications:

• a secret used for encryption (i.e. SECRET_KEY or CRYPTOGRAPHY_KEY as used today)
• a list of secrets used for decryption (e.g. CRYPTOGRAPHY_PREVIOUS_KEYS=['foo', 'bar'])

In case a field cannot be decrypted using either SECRET_KEY or CRYPTOGRAPHY_KEY all secrets in CRYPTOGRAPHY_PREVIOUS_KEYS are tried in order. This would enable us to at lest have all new secrets encrypted with a new key, while the encryption of other fields is still supported.

Thanks!

[thismatters]

I would think that Proposal A is the easiest to adopt!

[rj76]

I would love to see this integrated :)

[thismatters]

@StephanErb It would seem reasonable to also support changing the salt. What do you think?

[zaeem-maqsood]

Has there been any progress on this feature? Or supporting multiple keys for decryption?

[thismatters]

@zaeem-maqsood I don't think a PR has been put forward for rotating keys.