Description
Is your feature request related to a problem? Please describe.
It doesn't currently seem possible to rotate the AES_ENCRYPTION_SECRET configuration value. This is potentially required for compliant environments, where encryption secrets need to be rotated at regular intervals.
Describe the solution you'd like
A potential solution could look like this:
- Add a second configuration variable, AES_ENCRYPTION_SECRET_ROTATION
- If present, use it as a fallback during decryption if decryption with AES_ENCRYPTION_SECRET fails
- Add a CLI command which goes through all webhook destinations, decrypts the secret, and re-encrypts with AES_ENCRYPTION_SECRET_ROTATION
Describe alternatives you've considered
None.
Additional context
I discovered this while setting up our internal Outpost setup. I had to move AES_ENCRYPTION_SECRET to key vault, and in the process the secret changed, rendering my existing destination settings useless. (As a side-note, but less critical, retrieving a destination or list of destinations with the wrong encryption secret just errors).
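A sketch of the fallback-and-re-encrypt flow proposed above, added here as an illustration and not taken from Outpost's code. It assumes AES-256-GCM with a key derived as SHA-256 of the secret and an in-memory map standing in for the destination store; all function names are hypothetical. The fallback relies on an authenticated mode: a wrong key must fail outright, not return garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func aead(secret string) cipher.AEAD {
	key := sha256.Sum256([]byte(secret)) // assumption: key = SHA-256(secret)
	block, _ := aes.NewCipher(key[:])    // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)       // cannot fail for an AES block cipher
	return gcm
}
func Encrypt(secret string, plaintext []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := rand.Read(nonce); err != nil || secret == "" {
		panic("encrypt: unset secret or no randomness") // never encrypt under an empty secret
	}
	return aead(secret).Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}
// Decrypt tries the current secret, then the rotation secret if set; the GCM tag decides.
func Decrypt(current, rotation string, blob []byte) ([]byte, bool, error) {
	for i, s := range []string{current, rotation} {
		if s != "" && len(blob) >= 12 {
			if pt, err := aead(s).Open(nil, blob[:12], blob[12:], nil); err == nil {
				return pt, i == 1, nil // i == 1: the rotation secret matched
			}
		}
	}
	return nil, false, fmt.Errorf("no configured secret authenticates this value")
}
// Rotate re-encrypts under the rotation secret; rotated values are skipped, so reruns are safe.
func Rotate(current, rotation string, store map[string][]byte) (n int, err error) {
	for id, blob := range store {
		pt, done, derr := Decrypt(current, rotation, blob)
		if derr != nil {
			return n, fmt.Errorf("destination %s: %w", id, derr)
		}
		if !done {
			store[id], n = Encrypt(rotation, pt), n+1
		}
	}
	return n, nil
}
func main() { // constructed sample: one destination secret stored under the old key
	fmt.Println(Rotate("old-secret", "new-secret", map[string][]byte{"des_1": Encrypt("old-secret", []byte("whsec_x"))}))
}
```

Once `Rotate` reports zero remaining values, the rotation secret can be promoted to the primary variable and the old one retired.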