Replies: 2 comments
-
|
To answer your questions about the present, in short: it is currently only used for private cookies, if #477 is accepted that might change, and there's currently no mechanism to update it. I am curious what problem you are solving or threat you are protecting against by rotating the key while allowing a migration period: maybe I'm not being imaginative enough, but I think the secret key would be the least of your worries if you felt you needed to rotate it in this way. |
Beta Was this translation helpful? Give feedback.
-
|
I was just asking, since I used to work a a few payment processing companies that had a few services built around encryption and key rotation. While I'm unaware as to what threats they were guarding against, I was thinking of ways to integrate their security system with Rocket and what that would entail. TL;DR I was exploring the problem space and this sounded interesting. |
Beta Was this translation helpful? Give feedback.
-
Rocket version: 0.4
Steps taken to answer question: Scanning the docs, reading up on stuff.
What documentation you believe should include an answer to this question: Either the state documentation or the cookies documentation.
Does Rocket offer any support for rotating keys used in Cookies/manually invalidating them through some form of IPC through a port on the local machine? I can just kill my rocket instance and swap the secret key, but I'd prefer something where I can rotate the keys while the server's still up and manage the migration of data encrypted with the old key to the new key.
I was thinking of implementing something like this, but was wondering if it was a good idea/why there's only one secret key/what that secret key is for (outside of cookie encryption).
Beta Was this translation helpful? Give feedback.
All reactions