Rotating secret keys

Question

Rotating secret keys

Closed this issue a month ago · 3 comments

I'd like to have a couple of secret keys available, like so

app.secret_keys = [
   'key-1',
   'key-2',
]

To allow them to rotate.

I've seen this issue which seems to have auto-closed
#1574

It seems like itsdangerous now supports this
pallets/itsdangerous#141

This would allow secret keys to be rotated regularly without sessions being invalidated.

Answer 1 · 2024-10-25T13:56:37.000Z

Yeah, I think we could do something similar to itsdangerous here, with a new OLD_SECRET_KEYS config. Then app.secret_key remains a single value, and additional values can be added to the new config, and they can be sent to the itsdangerous mechanism. Note that app.config can't be mutated after startup (as it won't sync across each worker depending on how it's deployed), so updating the keys would require restarting the application.

Answer 2 · 2024-11-06T17:22:15.000Z

I'm uncertain about whether my suggested SECRET_KEY and OLD_SECRET_KEYS is a good interface. I don't have experience with key rotation systems. Can the way they return data be split into these two configs? Is restarting after rotation acceptable? Otherwise, users may be better served by implementing key rotation based on their own needs.

Answer 3 · 2024-11-06T17:23:42.000Z

https://adamj.eu/tech/2024/08/30/django-rotate-secret-key/ looks like Django uses a similar scheme, so I guess I'll go with that.