# Credential Rotation

## change password step

```mermaid
stateDiagram-v2
    noAction: no-pwd-change-needed
    wait: wait-for-new-pwd
    new: change-pwd
    finished: pwd-change-finished
    state configExist? <<choice>>
    state valid? <<choice>>
    state finished? <<choice>>
    [*] --> configExist?
    configExist? --> valid?: new-password-config-exist?
    configExist? --> noAction
    valid? --> finished?: valid-from > now?
    valid? --> wait
    finished? --> finished: current > valid-from?
    finished? --> new
    new --> [*]
    finished --> [*]
    noAction --> [*]
    wait --> [*]
```

## Example Data

Default

```json
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  }
]
```

Add another password

```json
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": false,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

Change current password

```json
[
  {
    "current": false,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

Remove old password

```json
[
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

## Steps

Each step must be validated and performed separately, and the steps must work independently of each other, so that a program shut down mid-transition can pick up from the observable repository state when it restarts.
### Stages

#### Initial State

Validation:

- Detect change requested: the new password file environment variable is set

Steps to perform:

- Add new password
  - `restic -r <repo> key add --new-password-file <new-password-file>`

#### New password has been added

Validation:

- List of passwords has 2 entries
- The password with the newer timestamp is not set as "current"

Steps to perform:

- Extract id of new password
- Extract id of old password
- Remove old password in favour of new one
  - `restic -r <repo> key remove <old-key-id>`
- Unset the new password file environment variable
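The stage detection above is driven entirely by observable state (the key list plus whether the new-password environment variable is set), which is what makes each step safe to re-run after a crash. The following Python is an added example, not code from this project, showing one way to implement that: it parses `restic key list --json` output (a constructed sample in the shape of the page's example data), classifies the stage, and emits the restic command that moves the stage forward. It assumes the repository path and the new-password file path are supplied by the caller (placeholders here), and it adds the caveat a practitioner hits in practice: restic refuses to remove the key that was used to open the repository, so the old key can only be removed after the repository has been opened with the new password (the "Change current password" state in the example data).

```python
import json
from datetime import datetime
from typing import List, Optional

# Constructed samples in the shape of `restic key list --json`; the values mirror
# the page's example data and are not real key ids.
SAMPLE_ONE_KEY = json.dumps([
    {"current": True, "id": "521e0760", "userName": "root",
     "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:08:16"},
])
SAMPLE_TWO_KEYS = json.dumps([
    {"current": True, "id": "521e0760", "userName": "root",
     "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:08:16"},
    {"current": False, "id": "b67161fb", "userName": "root",
     "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:16:54"},
])


def parse_keys(raw: str) -> List[dict]:
    """Parse key-list JSON and return the keys ordered oldest to newest."""
    keys = json.loads(raw)
    for key in keys:
        key["created_at"] = datetime.strptime(key["created"], "%Y-%m-%d %H:%M:%S")
    return sorted(keys, key=lambda k: k["created_at"])


def detect_stage(keys: List[dict], new_password_file: Optional[str]) -> str:
    """Classify the rotation stage from the key list and the new-password setting.

    Every stage is derived from observable state only, so a run that was killed
    mid-transition simply lands in the next stage when it restarts.
    """
    if not new_password_file:
        return "no-pwd-change-needed"
    if len(keys) == 1:
        return "initial"
    if len(keys) == 2:
        # Newest key is not current: the repository was opened with the old password.
        if not keys[-1]["current"]:
            return "new-password-added"
        # Newest key is current: the repository was opened with the new password.
        return "new-password-current"
    # No keys, or three or more: not a state this rotation produced; refuse to act.
    return "invalid"


def plan(stage: str, keys: List[dict], repo: str, new_password_file: str) -> List[List[str]]:
    """Return the restic command(s), as argv lists, that advance the given stage."""
    if stage == "initial":
        return [["restic", "-r", repo, "key", "add",
                 "--new-password-file", new_password_file]]
    if stage == "new-password-added":
        # Re-open the repository with the new password so the new key becomes
        # "current"; restic refuses to remove the key used to open the repository.
        return [["restic", "-r", repo, "--password-file", new_password_file,
                 "key", "list", "--json"]]
    if stage == "new-password-current":
        old_id = keys[0]["id"]  # oldest key is the one being retired
        return [["restic", "-r", repo, "--password-file", new_password_file,
                 "key", "remove", old_id]]
    # "no-pwd-change-needed" and "invalid" produce no commands.
    return []


if __name__ == "__main__":
    repo = "/srv/restic-repo"                        # placeholder repository
    new_file = "/run/secrets/new-restic-password"    # placeholder password file
    for raw in (SAMPLE_ONE_KEY, SAMPLE_TWO_KEYS):
        keys = parse_keys(raw)
        stage = detect_stage(keys, new_file)
        print(stage, plan(stage, keys, repo, new_file))
```

The "invalid" stage is deliberate: if the key list does not look like one this rotation produced (for example a third key added by hand), the tool emits nothing rather than guessing which key to remove, since removing the wrong key from a restic repository is not reversible.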