hydra
Full key rotation
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
At the moment, system, cookie, etc. keys cannot be fully rotated and still require the old key to be configured. This isn't sufficient in scenarios where the old key got leaked or exposed in another way, since some of the data can still be read with the old key.
Describe your ideal solution
I suggest exposing a CLI command that fully re-encrypts the whole database, so that the old key is no longer needed afterwards.
Workarounds or alternatives
/
Version
2.1.2
Additional Context
No response
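The re-encryption step the issue asks for, shown as an added example that is not Hydra's own code and makes no claim about Hydra's storage format: a key ring where the first secret encrypts and every secret is tried for decryption (the "new key first, old key after" layout the rotation docs describe), a `reencryptAll` pass that rewrites each stored record under the first key, and a check that afterwards a ring holding only the new key can read everything. The AES-GCM-over-SHA-256 construction, the `keyRing` type and the three constructed records are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyRing mirrors the configured secret list: secrets[0] is used for all new
// encryption, the remaining entries are only tried when decrypting.
// (Illustrative type; not Hydra's internal representation.)
type keyRing struct {
	secrets []string
}

// aead derives a 32-byte AES key from a configured secret (assumed derivation).
func aead(secret string) (cipher.AEAD, error) {
	k := sha256.Sum256([]byte(secret))
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt always uses the primary key and prefixes the random nonce.
func (r keyRing) encrypt(plaintext []byte) ([]byte, error) {
	g, err := aead(r.secrets[0])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt tries every configured key in order; GCM's authentication tag tells
// us which key the record was written under.
func (r keyRing) decrypt(ct []byte) ([]byte, error) {
	for _, s := range r.secrets {
		g, err := aead(s)
		if err != nil {
			return nil, err
		}
		if len(ct) < g.NonceSize() {
			return nil, errors.New("ciphertext too short")
		}
		if pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("no configured key can decrypt this record")
}

// reencryptAll is the operation the issue asks for as a CLI command: read every
// record with whichever old key still works and write it back under the primary
// key. Once it succeeds for all rows, the ring can be shortened to secrets[0].
func reencryptAll(r keyRing, records map[string][]byte) (int, error) {
	n := 0
	for id, ct := range records {
		pt, err := r.decrypt(ct)
		if err != nil {
			return n, fmt.Errorf("record %s: %w", id, err)
		}
		fresh, err := r.encrypt(pt)
		if err != nil {
			return n, err
		}
		records[id] = fresh
		n++
	}
	return n, nil
}

// countDecryptable reports how many records a given ring can read.
func countDecryptable(r keyRing, records map[string][]byte) int {
	n := 0
	for _, ct := range records {
		if _, err := r.decrypt(ct); err == nil {
			n++
		}
	}
	return n
}

// rotationDemo builds three constructed records under a leaked key, rotates
// them, and returns how many a new-key-only ring could read before and after.
func rotationDemo() (before, after, rotated int, err error) {
	plain := map[string][]byte{"row-0": []byte("client-secret-A"), "row-1": []byte("refresh-token-B"), "row-2": []byte("jwk-private-C")}
	oldOnly := keyRing{secrets: []string{"old-secret-LEAKED"}}
	records := map[string][]byte{}
	for id, pt := range plain {
		ct, e := oldOnly.encrypt(pt)
		if e != nil {
			return 0, 0, 0, e
		}
		records[id] = ct
	}
	newOnly := keyRing{secrets: []string{"new-secret"}}
	both := keyRing{secrets: []string{"new-secret", "old-secret-LEAKED"}} // rotation window
	before = countDecryptable(newOnly, records)
	if rotated, err = reencryptAll(both, records); err != nil {
		return
	}
	after = countDecryptable(newOnly, records)
	for id, ct := range records { // contents must survive the rewrite
		pt, e := newOnly.decrypt(ct)
		if e != nil || !bytes.Equal(pt, plain[id]) {
			return before, after, rotated, fmt.Errorf("record %s changed during rotation", id)
		}
	}
	return
}

func main() {
	before, after, rotated, err := rotationDemo()
	fmt.Println("readable with new key only, before:", before, "rotated:", rotated, "after:", after, "err:", err)
}
```

The order matters for the leak scenario the issue describes: the old key stays configured only for the duration of the re-encryption pass, and the pass must cover every table that holds encrypted data before the old entry is dropped. Rewriting data at rest does not revoke anything the leaked key could already sign, so HMAC-signed tokens issued under it still need their own revocation.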
+1 I also have the same problem. Recently I removed the old key and now, most likely, I will have to revert this change, because I keep getting:
error=server_error&error_description=The+authorization+server+encountered+an+unexpected+condition+that+prevented+it+from+fulfilling+the+request.+Could+not+ensure+that+signing+keys+for+%27hydra.openid.id-token%27+exists.+If+you+are+running+against+a+persistent+SQL+database+this+is+most+likely+because+your+%27secrets.system%27+%28%27SECRETS_SYSTEM%27+environment+variable%29+is+not+set+or+changed.+When+running+with+an+SQL+database+backend+you+need+to+make+sure+that+the+secret+is+set+and+stays+the+same%2C+unless+when+doing+key+rotation.+This+may+also+happen+when+you+forget+to+run+%27hydra+migrate+sql
on some environments. The documentation at https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys doesn't specify what I should do to remove the old key.