Config-as-code solution for rotating encryption keys

[lukeelmers]

Today the process for changing xpack.encryptedSavedObjects.encryptionKey involves moving the old encryption key to xpack.encryptedSavedObjects.keyRotation.decryptionOnlyKeys so that objects encrypted with the old key can still be decrypted once the new key is introduced. If your list of decryptionOnlyKeys is growing too large, you can use the rotate encryption key API (/api/encrypted_saved_objects/_rotate_key) to reencrypt old objects with the new encryption key.

This works well for individual users managing their own deployments, but adds complexity for environments like serverless where a fleet of deployments is being orchestrated. Ideally we'd have a file-based / config-based mechanism for forcing key rotation without needing to call an HTTP API.

The main driver for a feature like this now is a disaster recovery scenario where we are persisting these encryption keys in an external datastore in case we ever need to restore an entire Kibana project. Ideally in such a scenario we wouldn't need to store an unbounded list of decryptionOnlyKeys, and could instead be regularly forcing rotation of encryption keys.

cc @pebrc @legrego

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[pebrc]

I think one additional requirement we have is some kind of feedback signal that it is safe to remove a decryptionOnlyKey from the list. I don't have a good idea for it. Some thoughts: if it has to be an API then preferably an unauthenticated API like the status API maybe that lists the hashes of the keys currently in use. Maybe the whole rotation could also be handled by the migration mechanism inside Kibana so we would not need an extra signal. Meaning if the migration (job) succeeds it is save to remove the decryption keys. But I don't want to jump to solutions here, the main thing is that we can know when to remove a key from the list without doing damage.