generalpiston / typeorm-encrypted

Encrypted field for typeorm.
MIT License

[Question, help needed] How to properly retain encryption keys? #36

Closed beetle-kl7 closed 3 years ago

beetle-kl7 commented 3 years ago

Hey there!

First of all, wanna say thanks for all your hard work in maintaining this project! It is awesome 👏🏻

I am wondering if there is a way to manage encryption keys retention over time? Let's say I have both "old"-"new" encryption keys pair and want to update my database data, e.g. encrypt data with a new key. Is there a (relatively) simple way how to do keys retention properly?

Thanks

generalpiston commented 3 years ago

Currently, there's no built-in mechanism for swapping or adding keys.

We probably shouldn't do key management or scheduling, but providing a tool to automatically re-encrypt data based on a new key makes sense (which currently does not exist).

Here's an example process that could be followed:

  1. Create a new column <original column name>_<timestamp identifier>.
  2. Query contents of old column and a row identifier.
  3. Decrypt contents of old column using old key.
  4. Encrypt contents of old column using new key.
  5. Insert newly encrypted contents into new column.
  6. Rename old column to <original column name>_<timestamp identifier>.
  7. Rename new column to the original column name.
  8. Remove renamed old column (optional).
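
The process above, as an added example that is not part of the original thread or of the typeorm-encrypted code base: an in-memory array stands in for the table so the steps can be run without a database. The AES-256-GCM storage layout, the `rotateColumn` helper, the `ssn` column and the `_old` suffix are assumptions made for illustration.

```javascript
// Added example: an in-memory array stands in for the table; no typeorm-encrypted API is used.
const crypto = require("crypto");

// Assumed storage layout: base64(12-byte iv || ciphertext || 16-byte GCM tag).
function encrypt(plain, key) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plain, "utf8"), c.final()]);
  return Buffer.concat([iv, body, c.getAuthTag()]).toString("base64");
}

function decrypt(stored, key) {
  const raw = Buffer.from(stored, "base64");
  const d = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(raw.length - 16));
  const body = raw.subarray(12, raw.length - 16);
  return Buffer.concat([d.update(body), d.final()]).toString("utf8"); // throws on wrong key
}

// Steps 1-8 applied to rows shaped like { id, [column]: ciphertext }.
function rotateColumn(rows, column, oldKey, newKey, stamp, dropOld = false) {
  const tmp = `${column}_${stamp}`;                         // step 1: new column
  for (const row of rows) {                                 // step 2: value + row id
    if (row[column] == null) { row[tmp] = null; continue; } // NULL stays NULL
    const plain = decrypt(row[column], oldKey);             // step 3
    row[tmp] = encrypt(plain, newKey);                      // steps 4-5
    // A failure here throws before any rename, so the original column is untouched.
    if (decrypt(row[tmp], newKey) !== plain) throw new Error(`row ${row.id} mismatch`);
  }
  const parked = `${column}_${stamp}_old`; // assumed suffix so the two names differ
  for (const row of rows) {
    row[parked] = row[column];             // step 6: old column gets a timestamped name
    row[column] = row[tmp];                // step 7: new column takes the original name
    delete row[tmp];
    if (dropOld) delete row[parked];       // step 8 (optional)
  }
  return rows;
}

// Constructed sample data: two random keys and three rows, one of them NULL.
const OLD_KEY = crypto.randomBytes(32), NEW_KEY = crypto.randomBytes(32);
const rows = [
  { id: 1, ssn: encrypt("constructed-value-1", OLD_KEY) },
  { id: 2, ssn: null },
  { id: 3, ssn: encrypt("constructed-value-3", OLD_KEY) },
];
rotateColumn(rows, "ssn", OLD_KEY, NEW_KEY, "20240101");
console.log(rows.map((r) => r.ssn && decrypt(r.ssn, NEW_KEY)));
```

Keeping the parked column until reads under the new key have been confirmed leaves a rollback path; dropping it is what actually retires the old key's ciphertext.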

beetle-kl7 commented 3 years ago

This is something I was thinking about as well. I have tried similar swapping but w/out an additional column, keeping decrypted content in memory and immediately overridden "old" data.

That being said, it'd be great to provide a tool to automate this process since key retention seems to be important and needs to be done on a timely basis.

You just answered my question, so I guess this issue might be closed now.

Thanks

generalpiston commented 3 years ago

@beetle-kl7 I created https://github.com/generalpiston/typeorm-encrypted/issues/37 to track that effort. We've had similar asks to get started using encrypted columns as well.