Key Rotation

[hblumberg]

I want to make sure I understand best practices around key rotation and migrations more generally.

Suppose my encryption key has been leaked. Here's what I think I would do:

1. Set the PRISMA_FIELD_DECRYPTION_KEY environment variable to the current encryption key
2. Set the PRISMA_FIELD_ENCRYPTION_KEY environment variable to a new encryption key
3. Add the fieldEncryptionMigrations generator to the Prisma schema and regenerate
4. Update the app to include a call to the generated migrate function
5. Deploy the app and ensure the migrate function runs
6. Remove the PRISMA_FIELD_DECRYPTION_KEY environment variable (the leaked key)
7. Remove the call to the generated migrate function
8. Redeploy the app

Is this the right approach? (I assume we could skip step 7 and leave the call to the migrate function, but it seems like we would incur an unnecessary start up cost.) Is logging the best way to verify the migration function ran successfully before removing the leaked key?

Thanks in advance!

[franky47]

This is correct!

As for logging, it depends on your deployment setup.

You could for example send a notification email when the migrate function returns (with the report of migrated records), or use metrics sent to Prometheus to monitor the progress in an APM.

[hblumberg]

Great, thank you! And thank you so much for this excellent tool!!