Support key rotation for Encrypted Saved Objects #56889
Labels: Feature:Actions, Feature:Alerting, Feature:Saved Objects, ReleaseStatus, Team:ResponseOps, Team:Security
Encrypted Saved Objects make use of a key specified in config (xpack.encrypted_saved_objects.encryptionKey) to encrypt and decrypt properties. This is primarily used for

If you change the encryptionKey, at the moment there is no mechanism to update saved objects that rely on it. Alerts and actions will stop working, and you have two options: recreate the alerts and actions using the new key, or revert back to the old key.
In addition, with multiple Kibana instances it's possible to end up with different keys on each instance. When this occurs alerts & actions will fail when they run/decrypt on a different instance than the one that encrypted the data. There is no way to fix this problem when it occurs.
A mechanism is needed to move data to a new key, and retire existing keys (decrypt only) so they can eventually be removed.
Related: #56448
In the encrypted saved objects RFC, key rotation was briefly discussed and could be used as a starting point for this issue: #33740 (comment)