# Credential Rotation

## Example Data

Default

```json
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  }
]
```

Add another password

```json
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": false,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

Change current password

```json
[
  {
    "current": false,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

Remove old password

```json
[
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

## Steps

Steps need to be validated and performed separately, and need to work independently of each other, to avoid problems when the program is shut down mid-transition.

### Stages

#### Initial State

Validation:

- Detect change requested: new password file environment is set

Steps to perform:

- Add new password
  - `restic -r key add --new-password-file`

#### New password has been added

Validation:

- List of passwords has 2 entries
- The password with the newer timestamp is not set as "current"

Steps to perform:

- Extract id of new password
- Extract id of old password
- Remove old password in favour of new one
  - `restic -r key remove --key-hint`
- Unset new password file environment
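One way to have every run derive its stage from the key listing alone, so that a restart mid-transition resumes at the right step and refuses any state the stages do not describe (added example, not the project's own code). It assumes the listing has the shape shown under Example Data; `plan_rotation`, the stage and action names and the `idle` result are hypothetical, and accepting a two-key listing whose newer key is already current goes beyond the validation written for the second stage.

```python
import json
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"  # layout of the "created" field in the example data

def plan_rotation(key_list_json, new_password_file_set):
    """Map key listing + change-request flag to one stage and one action."""
    keys = json.loads(key_list_json)
    # Fail closed: never plan a removal on a listing we do not fully understand.
    if sum(1 for k in keys if k["current"]) != 1:
        raise ValueError("expected exactly one key marked current")

    if len(keys) == 1:
        # Caveat: a crash after "remove old password" but before the environment
        # was unset looks identical to a fresh change request here.
        if new_password_file_set:
            return {"stage": "initial", "action": "add_new_password"}
        return {"stage": "idle", "action": None}

    if len(keys) == 2:
        old, new = sorted(keys, key=lambda k: datetime.strptime(k["created"], TS))
        if old["created"] == new["created"]:
            raise ValueError("cannot tell old key from new: identical timestamps")
        # Covers both two-key listings in the example data: newer key not yet
        # current, and newer key already current.
        return {"stage": "new_password_added", "action": "remove_old_password",
                "old_id": old["id"], "new_id": new["id"],
                "new_is_current": new["current"]}

    raise ValueError(f"unexpected number of keys: {len(keys)}")

def _key(key_id, created, current):
    # Builds one entry shaped like the page's example data.
    return {"current": current, "id": key_id, "userName": "root",
            "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": created}

# The four listings from "Example Data", rebuilt from the page's values.
OLD = ("521e0760", "2024-10-18 13:08:16")
NEW = ("b67161fb", "2024-10-18 13:16:54")
DEFAULT = json.dumps([_key(*OLD, True)])
ADDED = json.dumps([_key(*OLD, True), _key(*NEW, False)])
SWITCHED = json.dumps([_key(*OLD, False), _key(*NEW, True)])
REMOVED = json.dumps([_key(*NEW, True)])

if __name__ == "__main__":
    for name, listing, flag in [("default", DEFAULT, True), ("added", ADDED, True),
                                ("switched", SWITCHED, True), ("removed", REMOVED, False)]:
        print(name, plan_rotation(listing, flag))
```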