2026-04-01 12:38:38 +08:00
|
|
|
1. ENCRYPTION_KEY handling:
|
|
|
|
|
- ENCRYPTION_KEY encrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest.
|
|
|
|
|
- By default, the chart creates a Kubernetes Secret from `secretEnv.ENCRYPTION_KEY` in values.yaml.
|
|
|
|
|
- To generate a random key at install (preserved across upgrades), set `generateEncryptionKey: true`.
|
|
|
|
|
- To use an existing Kubernetes secret, set `existingSecret` to the secret name. The secret must
|
|
|
|
|
contain a key matching `existingSecretKey` (defaults to `ENCRYPTION_KEY`).
|
|
|
|
|
- If left empty, the server auto-generates and persists the key to the data PVC — safe as long as
|
|
|
|
|
the PVC persists.
|
|
|
|
|
- Upgrading from a version that used JWT_SECRET for encryption: set `secretEnv.ENCRYPTION_KEY` to
|
|
|
|
|
your old JWT_SECRET value, then re-save credentials via the admin panel.
|
2026-03-30 05:44:20 +08:00
|
|
|
|
2026-04-01 12:38:38 +08:00
|
|
|
2. JWT_SECRET is managed entirely by the server:
|
|
|
|
|
- Auto-generated on first start and persisted to the data PVC (data/.jwt_secret).
|
|
|
|
|
- Rotate it via the admin panel (Settings → Danger Zone → Rotate JWT Secret).
|
|
|
|
|
- No Helm configuration needed or supported.
|
fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation
Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.
- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
data/.encryption_key if not set, same pattern as JWT_SECRET);
switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
persists it to data/.jwt_secret, updates the live in-process binding
via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
with a confirmation modal warning that all sessions will be
invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
secret.yaml, deployment.yaml, NOTES.txt, README): document
ENCRYPTION_KEY and its upgrade migration path
2026-04-01 12:31:45 +08:00
|
|
|
|
|
|
|
|
3. Example usage:
|
2026-04-01 12:38:38 +08:00
|
|
|
- Set an explicit encryption key: `--set secretEnv.ENCRYPTION_KEY=your_enc_key`
|
|
|
|
|
- Generate a random key at install: `--set generateEncryptionKey=true`
|
2026-03-30 05:44:20 +08:00
|
|
|
- Use an existing secret: `--set existingSecret=my-k8s-secret`
|
2026-04-01 12:38:38 +08:00
|
|
|
- Use a custom key name in the existing secret: `--set existingSecret=my-k8s-secret --set existingSecretKey=MY_ENC_KEY`
|
2026-03-30 05:44:20 +08:00
|
|
|
|
2026-04-01 12:38:38 +08:00
|
|
|
4. Only one method should be used at a time. If both `generateEncryptionKey` and `existingSecret` are
|
|
|
|
|
set, `existingSecret` takes precedence. Ensure the referenced secret and key exist in the namespace.
|