This issue was moved to a discussion.

Question: Support for rotating keys/manually managing keys #1085

Closed
AlterionX opened this issue Aug 10, 2019 · 2 comments
Labels
enhancement A minor feature request suggestion A suggestion to change functionality

Comments

AlterionX commented Aug 10, 2019

Rocket version: 0.4

Steps taken to answer question: Scanning the docs, reading up on stuff.

What documentation you believe should include an answer to this question: Either the state documentation or the cookies documentation.

Does Rocket offer any support for rotating keys used in Cookies/manually invalidating them through some form of IPC through a port on the local machine? I can just kill my rocket instance and swap the secret key, but I'd prefer something where I can rotate the keys while the server's still up and manage the migration of data encrypted with the old key to the new key.

I was thinking of implementing something like this, but was wondering if it was a good idea/why there's only one secret key/what that secret key is for (outside of cookie encryption).

@jebrosen
Collaborator

To answer your questions about the present, in short: it is currently only used for private cookies, if #477 is accepted that might change, and there's currently no mechanism to update it.

I am curious what problem you are solving or threat you are protecting against by rotating the key while allowing a migration period: maybe I'm not being imaginative enough, but I think the secret key would be the least of your worries if you felt you needed to rotate it in this way.

Author

AlterionX commented Aug 25, 2019

I was just asking, since I used to work at a few payment processing companies that had a few services built around encryption and key rotation. While I'm unaware as to what threats they were guarding against, I was thinking of ways to integrate their security system with Rocket and what that would entail.

TL;DR I was exploring the problem space and this sounded interesting.

@jebrosen jebrosen added enhancement A minor feature request suggestion A suggestion to change functionality labels Oct 26, 2019
@rwf2 rwf2 locked and limited conversation to collaborators Jul 1, 2021
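
The rotation-with-migration idea asked about in this thread, as an added example that is not part of the thread and not Rocket's API: a keyring that issues cookies under the newest key and keeps accepting older keys until they are retired, re-issuing on read. `CookieKeyring`, the key ids and the `kid.payload.tag` layout are assumptions, and the sketch uses HMAC signing from the Python standard library in place of the cookie encryption the thread refers to.

```python
import base64
import hashlib
import hmac


class CookieKeyring:
    """Issue cookies under the current key; verify under any key not yet retired."""

    def __init__(self):
        self._keys = {}       # key id -> secret bytes still accepted for verification
        self._current = None  # key id used for every newly issued cookie

    def rotate(self, key_id, secret):
        """Install a new current key while the server keeps running."""
        if "." in key_id:
            raise ValueError("key id must not contain the field separator")
        self._keys[key_id] = secret
        self._current = key_id

    def retire(self, key_id):
        """End the migration window: cookies under this key are rejected from now on."""
        if key_id == self._current:
            raise ValueError("cannot retire the key currently used for issuing")
        self._keys.pop(key_id, None)

    def _tag(self, key_id, payload):
        # The key id is covered by the MAC so it cannot be swapped by the client.
        mac = hmac.new(self._keys[key_id], f"{key_id}.{payload}".encode(), hashlib.sha256)
        return base64.urlsafe_b64encode(mac.digest()).decode()

    def seal(self, value):
        payload = base64.urlsafe_b64encode(value.encode()).decode()
        return f"{self._current}.{payload}.{self._tag(self._current, payload)}"

    def open(self, cookie):
        """Return (value, reissued_cookie_or_None), or None if the cookie is rejected."""
        try:
            key_id, payload, tag = cookie.split(".")
        except ValueError:
            return None
        if key_id not in self._keys:
            return None
        if not hmac.compare_digest(tag.encode(), self._tag(key_id, payload).encode()):
            return None
        value = base64.urlsafe_b64decode(payload).decode()
        # A valid cookie under an older key is migrated by re-sealing it under the current one.
        fresh = None if key_id == self._current else self.seal(value)
        return value, fresh
```

A handler would set the re-issued cookie on the response whenever `open` returns one, and call `retire` once the longest cookie lifetime has passed since the rotation.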
