dda-backup/docs/CredentialRotation.md

Credential Rotation

Example Data

Default

[{
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
}]

Add another password

[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": false,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]

Change current password

[
  {
    "current": false,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]

Remove old password

[
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]

Steps

Each step is validated and performed separately, and every step works independently of the others, so that the rotation survives the program being shut down mid-transition: the next run inspects the repository again and performs only the step whose validation passes.

Stages

Initial State

Validation:

  • Detect that a change was requested: the new-password-file environment variable is set

Steps to perform:

  • Add new password
  • restic -r <repo> key add --new-password-file <file>

New password has been added

Validation:

  • The list of keys has 2 entries
  • The key with the newer "created" timestamp is not marked "current" (the repository is still opened with the old password)

Steps to perform:

  • Extract the id of the new key (newer timestamp)
  • Extract the id of the old key (older timestamp)
  • Remove the old key in favour of the new one. restic refuses to remove the key it is currently unlocked with, so this command must authenticate with the new password:
  • restic -r <repo> key remove --key-hint <new-id> <old-id>
  • Unset the new-password-file environment variable
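The Stages procedure above, as an added example written for this page (it is not dda-backup's own code): the planner reads the `restic key list --json` output shown under Example Data, validates which stage the repository is in, and returns the single restic command to run for that stage, so every run performs at most one step and a run killed mid-rotation is simply repeated. The environment variable name `RESTIC_NEW_PASSWORD_FILE`, the function names, the repository path and the use of `--password-file` to authenticate the removal with the new password are assumptions of this example; the page itself only shows `--key-hint`.

```python
"""Stage detection and step planning for a restic key rotation.

Added example, not dda-backup's own code. It consumes the output of
`restic key list --json` and decides which single step of the Stages
procedure to run. Names such as NEW_PASSWORD_FILE_ENV, parse_key_list,
plan_step and rotate_once are assumptions of this example.
"""
import json
import os
import subprocess
from datetime import datetime

# Assumed name of the environment variable whose presence requests a rotation.
NEW_PASSWORD_FILE_ENV = "RESTIC_NEW_PASSWORD_FILE"
# Timestamp format restic prints in the "created" field of `key list --json`.
TIMESTAMP = "%Y-%m-%d %H:%M:%S"

# Constructed sample listings, copied from the Example Data section.
KEY_LIST_INITIAL = """[{"current": true, "id": "521e0760", "userName": "root",
  "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:08:16"}]"""
KEY_LIST_ADDED = """[
  {"current": true,  "id": "521e0760", "userName": "root",
   "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:08:16"},
  {"current": false, "id": "b67161fb", "userName": "root",
   "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:16:54"}
]"""


def parse_key_list(raw):
    """Parse `restic key list --json`; returns the keys oldest first."""
    keys = json.loads(raw)
    for key in keys:
        missing = {"current", "id", "created"} - set(key)
        if missing:
            raise ValueError(f"key entry is missing {sorted(missing)}: {key}")
    return sorted(keys, key=lambda k: datetime.strptime(k["created"], TIMESTAMP))


def plan_step(keys, repo, new_password_file):
    """Validate the stage the repository is in and return (stage, restic argv).

    Only the two stages of the Steps section are acted upon. Any other state
    (three keys, the newer key already marked current, ...) is reported as
    "unexpected" with no command, so nothing is changed until a human looks.
    """
    if new_password_file is None:
        return "idle", None                      # no rotation requested
    if len(keys) == 1:                           # Initial State
        return "initial", ["restic", "-r", repo, "key", "add",
                           "--new-password-file", new_password_file]
    if len(keys) == 2:                           # New password has been added
        old, new = keys
        if old["current"] and not new["current"]:
            # restic refuses to remove the key it is currently unlocked with,
            # so the removal authenticates with the new password (assumed to
            # be passed via --password-file). --key-hint is a global flag and
            # may be given before the subcommand.
            return "added", ["restic", "-r", repo,
                             "--password-file", new_password_file,
                             "--key-hint", new["id"],
                             "key", "remove", old["id"]]
    return "unexpected", None


def rotate_once(repo, new_password_file=None, run=subprocess.run):
    """Perform at most one rotation step and return the stage that was found.

    `run` is injectable so the planning logic can be exercised without a
    repository; by default it executes the real restic binary.
    """
    if new_password_file is None:
        new_password_file = os.environ.get(NEW_PASSWORD_FILE_ENV)
    listing = run(["restic", "-r", repo, "key", "list", "--json"],
                  capture_output=True, text=True, check=True).stdout
    stage, argv = plan_step(parse_key_list(listing), repo, new_password_file)
    if argv is not None:
        run(argv, check=True)
    if stage == "added":
        # Final step: drop the request so the next run finds one key and idles.
        # By now the regular password source must already hand out the new
        # password, otherwise the repository can no longer be opened.
        os.environ.pop(NEW_PASSWORD_FILE_ENV, None)
    return stage


if __name__ == "__main__":
    for raw in (KEY_LIST_INITIAL, KEY_LIST_ADDED):
        print(plan_step(parse_key_list(raw), "/srv/restic-repo",
                        "/run/secrets/new-password"))
```

Running the planner repeatedly against a real repository walks the stages in order: one key plus a set environment variable yields the `key add`, two keys with the older one still current yields the `key remove`, and any state outside those two validations is left alone rather than guessed at.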