[Future] Encryption key rotation with envelope encryption #142

@Raulgooo

Future

Objective

Envelope encryption with key rotation.

Problem

  • Single derived key
  • Changing secret bricks vault data

Fix

  1. Master key → DEKs
  2. DEK IDs with encrypted data
  3. Rotate DEKs without re-encryption
  4. Master key in env only

Files

  • internal/vault/vault.go
  • internal/crypto/

Acceptance Criteria

  • Envelope encryption
  • DEK rotation
  • No data loss on key change
  • Master key never in DB
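
Items 1 to 3 of the Fix list, sketched in Go as an added example; this is not code from the repository. `Keyring`, `seal`, `open`, the one-byte DEK ID and the choice of AES-256-GCM are assumptions, and reading the master key from the environment is left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Added sketch, not project code: all names and the 1-byte DEK ID (max 255 DEKs) are assumptions.
type Keyring struct {
	master  []byte          // 32 bytes; assumed loaded from an env var, never written to the DB
	wrapped map[byte][]byte // DEK ID -> nonce || AES-GCM(master, DEK); this is what the DB stores
	active  byte            // ID of the DEK used for new writes
	cur     []byte          // plaintext active DEK, held in memory only
}
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // programming error: key is not 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block
	return g
}
func seal(key, pt, aad []byte) []byte { // returns nonce || ciphertext+tag
	n := make([]byte, 12)
	rand.Read(n) // never returns an error on Go 1.24+; check err on older toolchains
	return gcm(key).Seal(n, n, pt, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("unknown DEK ID or truncated blob")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}
func (k *Keyring) Rotate() { // new DEK for future writes; older wrapped DEKs stay readable
	k.active, k.cur = k.active+1, make([]byte, 32)
	rand.Read(k.cur)
	k.wrapped[k.active] = seal(k.master, k.cur, []byte{k.active})
}
func (k *Keyring) Encrypt(pt []byte) (byte, []byte) { // the DEK ID is stored beside the ciphertext
	return k.active, seal(k.cur, pt, []byte{k.active})
}
func (k *Keyring) Decrypt(id byte, ct []byte) ([]byte, error) {
	dek, err := open(k.master, k.wrapped[id], []byte{id}) // unwrap the DEK named by the record
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte{id}) // the ID is bound as AAD, so a swapped ID fails authentication
}
```

Call `Rotate` once before the first `Encrypt`. A master-key change would re-wrap only the entries in `wrapped`, leaving the stored records untouched.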

Labels: P3, low risk, track-security (Track label for Agentic Era)