Credential Rotation
Example Data
Default
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  }
]
Add another password
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": false,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
Change current password
[
  {
    "current": false,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
Remove old password
[
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
Steps
Steps need to be validated and performed separately and must work independently of each other, to avoid problems where the program is shut down mid-transition.
Stages
Initial State
Validation:
- Detect change requested: new password file environment is set
Steps to perform:
- Add new password
restic -r <repo> key add --new-password-file <file>
New password has been added
Validation:
- List of passwords has 2 entries
- The password with the newer timestamp is not set as "current"
Steps to perform:
- Extract id of new password
- Extract id of old password
- Remove old password in favour of new one
restic -r <repo> key remove --key-hint <new-id> <old-id>
- Unset new password file environment
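
The stage validation above can be derived from the key listing alone, which is what lets a restart mid-transition resume at the right step. The following is an added sketch, not code from this project: `plan_rotation`, its parameters and the stage names are hypothetical, and the sample listing is the "Add another password" data from above.

```python
import json
from datetime import datetime

# Constructed sample: the "Add another password" listing from the example data.
TWO_KEYS = json.loads("""[
 {"current": true, "id": "521e0760", "userName": "root",
  "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:08:16"},
 {"current": false, "id": "b67161fb", "userName": "root",
  "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:16:54"}
]""")


def _created(key):
    # Timestamp format as shown in the example data.
    return datetime.strptime(key["created"], "%Y-%m-%d %H:%M:%S")


def plan_rotation(keys, new_password_file, repo="<repo>"):
    """Return (stage, argv) for the next step; argv is None when nothing runs.

    new_password_file is the path taken from the new-password-file setting,
    or None when no change is requested (hypothetical parameter). The stage
    is re-derived from the key list on every call, never from saved state.
    """
    if not new_password_file:
        return ("idle", None)
    if len(keys) == 1:
        # Initial state with a change requested: add the new password.
        return ("add-new", ["restic", "-r", repo, "key", "add",
                            "--new-password-file", new_password_file])
    if len(keys) == 2:
        old, new = sorted(keys, key=_created)
        if old["current"] and not new["current"]:
            # New password added: remove the old key, opening with the new one.
            return ("remove-old", ["restic", "-r", repo, "key", "remove",
                                   "--key-hint", new["id"], old["id"]])
    # Any other shape is not a stage defined above: refuse to act on it.
    return ("unexpected", None)
```

After a successful `remove-old` step the caller unsets the new-password-file setting, so the next call returns `idle`.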