Skip to content

[auto-rotation feature] PR 3 - Auto-rotation scheduler + deadline detection#970

Open
Manuthor wants to merge 20 commits into
docs/key-autorotation-specfrom
feat/key-rotation-scheduler
Open

[auto-rotation feature] PR 3 - Auto-rotation scheduler + deadline detection#970
Manuthor wants to merge 20 commits into
docs/key-autorotation-specfrom
feat/key-rotation-scheduler

Conversation

@Manuthor

@Manuthor Manuthor commented May 28, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Adds a background cron scheduler that automatically rotates keys whose x-rotate-interval
has elapsed, with configurable check frequency via a new server flag.

This is PR 3 of 4 in the key auto-rotation feature stack (depends on PR 2: #988):

develop
  ← PR 1  docs/key-autorotation-spec          (#968)
  ← PR 2  feat/key-rotation-ckms-ui            (#988)
  ← PR 3  feat/key-rotation-scheduler          ← this PR (#970)
  ← PR 4  feat/key-rotation-notifications      (#971)

What's included

Database — find_due_for_rotation()

New ObjectsStore method returns all Active symmetric/private keys whose
rotation deadline has passed:

deadline = x-rotate-date + x-rotate-interval   (for previously-rotated keys)
deadline = Initial Date + x-rotate-offset       (for never-rotated keys)

Implemented in SQLite, PostgreSQL, and MySQL backends.

Auto-rotation dispatcher — crate/server/src/core/auto_rotate.rs

  • run_auto_rotation(kms, owner) — iterates due keys and dispatches to the
    correct rotation flow (plain, wrapping, wrapped, asymmetric)
  • dispatch_renewal_warnings(kms) — emits approaching-deadline events at 30
    / 7 / 1 days before next rotation (wired by PR 4 ([auto-rotation feature] PR 4 - Notification system (SMTP email) #971) notifications)
  • OTel counter kms.key.auto_rotation labelled with uid and algorithm
    on every successful rotation

Cron thread — crate/server/src/cron.rs

  • start_auto_rotation_cron() spawns a Tokio task that wakes every
    check_interval_secs and calls run_auto_rotation()
  • Graceful shutdown via cancellation token

Server config

  • New flag --auto-rotation-check-interval-secs (default 0 = disabled)
  • Corresponding wizard step in crate/server/src/config/wizard/auto_rotation_wizard.rs
  • kms.toml template updated

Configuration example

cosmian_kms --auto-rotation-check-interval-secs 300   # check every 5 minutes

Or in kms.toml:

auto_rotation_check_interval_secs = 300

Breaking changes

None. The scheduler is off by default (0 disables it).

Reviewer notes

  • dispatch_renewal_warnings uses the Notifier trait wired in PR 4 ([auto-rotation feature] PR 4 - Notification system (SMTP email) #971) to
    send SMTP alerts at 30 / 7 / 1 days before the next scheduled rotation.
  • HSM-resident keys (UID prefix hsm::) are excluded from
    find_due_for_rotation — the KMS cannot generate key material inside the HSM.

@Manuthor Manuthor mentioned this pull request May 28, 2026
Open
@Manuthor Manuthor changed the title feat: add auto-rotation scheduler (cron) for key lifecycle management [auto-rotation feature] feat: add auto-rotation scheduler (cron) for key lifecycle management May 28, 2026
Base automatically changed from feat/key-rotation-manual to docs/key-autorotation-spec May 29, 2026 12:57
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch from 6cc8ce5 to fa12cc6 Compare May 29, 2026 14:02
@Manuthor Manuthor force-pushed the feat/key-rotation-scheduler branch from 4e3e03c to f27b7e5 Compare May 29, 2026 14:03
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch from fa12cc6 to 5f27e21 Compare May 31, 2026 06:30
@Manuthor Manuthor force-pushed the feat/key-rotation-scheduler branch from f27b7e5 to 43b5cdb Compare June 1, 2026 06:32
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch 4 times, most recently from d843e12 to ca7eaef Compare June 6, 2026 06:27
@Manuthor Manuthor changed the title [auto-rotation feature] feat: add auto-rotation scheduler (cron) for key lifecycle management [auto-rotation feature] PR 4 — Auto-rotation scheduler + deadline detection Jun 7, 2026
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch from 9eb009a to 854aa02 Compare June 8, 2026 10:59
@Manuthor Manuthor changed the title [auto-rotation feature] PR 4 — Auto-rotation scheduler + deadline detection [auto-rotation feature] PR 3 - Auto-rotation scheduler + deadline detection Jun 10, 2026
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch from f7ee659 to e8eaa16 Compare June 12, 2026 14:43
@Manuthor Manuthor force-pushed the feat/key-rotation-scheduler branch from 43b5cdb to f4fcd04 Compare June 13, 2026 09:11
Manuthor and others added 14 commits June 14, 2026 09:47
@Manuthor
docs: add key auto-rotation specification
5876c9c 
Add comprehensive specification for scheduled key rotation covering:
- 6 rotation scenarios (plain, wrapping, wrapped, asymmetric, CoverCrypt, KEK)
- Rotation policy vendor attributes (x-rotate-interval, etc.)
- Server-side cron scheduler
- KMIP attribute tables (auto vs manual rotation semantics)
- Implementation roadmap (5 stacked PRs)

Ref: #900
@Manuthor
[auto-rotation feature] feat(rekey): Manual rotation for all key type…
0331838 
…s + test vectors (#969)

* feat(rekey): implement symmetric key ReKey with wrapping key re-wrap

- Implement KMIP ReKey for symmetric keys with name transfer per §4.4
- Support re-wrapping dependent keys when a wrapping key is rekeyed
- Add find_wrapped_by() to ObjectsStore trait (SQLite, PostgreSQL, MySQL)
- Fix: transfer Name attribute from old to new key during ReKey
- Fix: error on self-wrap when wrapping_key_id is user-supplied
- Fix: bypass ownership check for server-configured KEK

Tested with 37 vector tests (9 symmetric + 27 keypair + 1 security)

* fix: consolidate rekey operations using trait

* feat: consolidate Recertify operation
@Manuthor
docs(key-auto-rotation): update implementation roadmap from 5 PRs to …
7320374 
…4 (merge spec+manual into PR1)
@Manuthor
fix: PR review
dc9863b
@Manuthor
chore: update test_data repo
fb08e2c
@Manuthor
chore: update test_data repo
c190521
@Manuthor
fix: PR review
74b73f3
@Manuthor
fix: doc reviewed
0df8407
@Manuthor
fix: ReCertify KMIP 1.4 bad signature, remove useless privileged_user…
6aafb92 
…, deny modify rotation attributes, update bad KMIP spec refs, offset becomes i64
@Manuthor
fix(redis-findex): index wrapped key under the wrapping-key ID
a04a759
@Manuthor
fix: state restriction - PreActive and Compromise cannot be rotated
b77a466
@Manuthor
feat: Key-Set@Version + Server-Side Decrypt-With-Keyset
a387226
@Manuthor
ci: fix rebase and tests
0658072
@Manuthor
fix: wrap_and_cache must not attempt to wrap an HSM-resident key
2a28bb1
Manuthor and others added 5 commits June 14, 2026 09:47
@Manuthor
test: add negative test on renewal of non latest key of a key-set
2cceb3c
@Manuthor
fix: test on CRL check
1f221b3
@Manuthor
chore: update Nix expected hashes
31ffeed
@Manuthor
docs: update doc
3479b85
@Manuthor
[auto-rotation feature] PR 2 - ckms and Web UI updates (#988)
dcc5aa5 
* docs: add key auto-rotation specification

Add comprehensive specification for scheduled key rotation covering:
- 6 rotation scenarios (plain, wrapping, wrapped, asymmetric, CoverCrypt, KEK)
- Rotation policy vendor attributes (x-rotate-interval, etc.)
- Server-side cron scheduler
- KMIP attribute tables (auto vs manual rotation semantics)
- Implementation roadmap (5 stacked PRs)

Ref: #900

* fix: build

* chore: update Nix expected hashes
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch from 5911dc5 to dcc5aa5 Compare June 14, 2026 07:48
@Manuthor Manuthor force-pushed the feat/key-rotation-scheduler branch from fa2b67d to cf711aa Compare June 14, 2026 08:03
@Manuthor Manuthor force-pushed the feat/key-rotation-scheduler branch from cf711aa to bea7e61 Compare June 14, 2026 08:05
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch 5 times, most recently from f610a78 to 7b7cbd4 Compare June 19, 2026 21:39
@Manuthor Manuthor force-pushed the docs/key-autorotation-spec branch 2 times, most recently from 54a61cc to 411a05d Compare June 27, 2026 06:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Manuthor