Revive encryption key rotation runbooks and scripts
@rohanprabhuchecks…codex/bring-back-pr-8583 → master · 11 files · +2193 −1 · updated 4d ago · checks n/a
Description
Summary
- Revives the old encryption key rotation PR (#8583) onto current master.
- Refreshes Apollo rotation for current nested auth/connected-account encryption layers and HMAC-only ak_/oak_ behavior.
- Refreshes Thermos rotation for current workerdb fields, legacy registrydb upgrade paths, encrypted chunks, plaintext mixed-state rows, and cursor-safe update batches.
- Adds two Notion-ready runbook documents under docs/runbooks/:
  - On-prem encryption key rotation with downtime
  - PR 8583 test evidence and confidence notes
Testing
- go test ./scripts/rotate-encryption-keys from apps/thermos
- Focused Apollo oxlint on apps/apollo/scripts/rotate-encryption-keys.ts
- git diff --check
- Commit hook: Apollo oxlint/oxfmt and Thermos pnpm build:openapi
- onprem-testbed DB-backed smoke:
  - Port-forwarded onprem-testbed shared Postgres.
  - Created disposable Apollo, Thermos registrydb, and Thermos workerdb databases.
  - Seeded old-key ciphertext for all recoverable fields covered by the scripts.
  - Ran the actual Apollo and Thermos rotation scripts.
  - Verified rows decrypted under new keys, plaintext mixed-state rows stayed unchanged, and HMAC-only ak_/oak_ rows remained unchanged by design.
  - Dropped disposable databases after verification.
Notes
- Full Apollo typecheck still has unrelated baseline/generated dependency/type failures outside this PR; focused script lint and DB-backed smoke passed.
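
The smoke test above checks two per-value outcomes: old-key ciphertext must decrypt under the new key after rotation, and plaintext mixed-state values must come back untouched. The Go sketch below is an added example, not code from this PR or its scripts; it shows that per-value decision, including failing closed when a marked value does not decrypt under the old key. The `enc:v1:` marker, the choice of AES-GCM, and the names `NewAEAD`, `Seal`, `Open` and `Rotate` are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

const encPrefix = "enc:v1:" // ASSUMED marker and AES-GCM cipher; the real format is not on the page
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns encPrefix + base64(nonce || ciphertext) using a fresh random nonce.
func Seal(a cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return encPrefix + base64.StdEncoding.EncodeToString(a.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// Open authenticates and decrypts a value produced by Seal; a wrong key fails the GCM tag check.
func Open(a cipher.AEAD, value string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, encPrefix))
	if err != nil || len(raw) < a.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := a.Open(nil, raw[:a.NonceSize()], raw[a.NonceSize():], nil)
	return string(pt), err
}

// Rotate re-encrypts old-key ciphertext under the new key and returns the value to store.
func Rotate(oldA, newA cipher.AEAD, value string) (string, error) {
	if !strings.HasPrefix(value, encPrefix) {
		return value, nil // plaintext mixed-state value: leave unchanged
	}
	pt, err := Open(oldA, value)
	if err != nil {
		return value, err // fail closed: never overwrite what we could not decrypt
	}
	return Seal(newA, pt)
}
```

A caller should write the returned value back only when the error is nil and the value differs from what was stored; after the pass, `Open` with the new key succeeding and `Open` with the old key failing is the per-row verification.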