Encryption secret rotation

[langovoi]

At the moment @adonisjs/encryption allows only one secret. So if I decide to change appKey all encrypted values become invalid, for example encrypted cookies.

OWASP has some recommendations when rotation is could be necessary: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-lifetimes-and-rotation

Other solutions, for example @elysiajs, have this out-of-box for cookies: https://elysiajs.com/patterns/cookie-signature#secret

So it will be great to have rotation mechanism at @adonisjs/encryption level.

[RomainLanz]

Hey @langovoi! 👋🏻

We already have something for that use case in the next version of the encryption module (foundable here).

Would that fit your needs?

[langovoi]

Looks interesting. As I understood this version of Encryption module allows to have multiple drivers, but every driver still has only one secret.
So this allows to make rotation for data which was encrypted/signed on the application side creating multiple drivers, but not allows to make encryption/signed cookies rotation, because it use default Encryption driver.

How it made in http server module: https://github.com/adonisjs/http-server/blob/bdd97c9b8a09165217227ea2660df7de79e7eba1/src/cookies/client.ts#L51-L55

How it made in Elysia: https://github.com/elysiajs/elysia/blob/78671b1827ecb40add10c6a0fab28ce4187f28ef/src/cookie.ts#L393-L412

[thetutlage]

Yeah, I agree. Keys rotation cannot be achieved with multiple drivers, because you want parts of the framework relying on the encryption module to try one of the many supplied keys.

To be honest, I don't have bandwidth to spec it out properly because I am already working on too many things right now.

But, if someone wants to champion the feature. I will recommend.

• Ensure zero breaking changes.
• Check if Rails, Laravel or Symfony have some best practices or issues from the past on this topic. Since these are more mature frameworks, I always look up-to them when adding security related features.
• Finally, create a proposal with the findings and then we can talk about proceeding with the change.

[langovoi]

Check if ... Laravel ..

Laravel just a day ago announced support for rotation of keys.

https://laravel.com/docs/11.x/encryption#gracefully-rotating-encryption-keys

Implementation: laravel/framework#49962

[RomainLanz]

Cool, I will have a look and update the current implementation to allow key rotation.

We will also have to figure out a way to release the new encryption module without any breaking changes; I have some ideas for the same. Let's see how it goes!

[discoverlance-com]

Any updates on this?