Olympus Docs

Rotate the encryption key with zero downtime

Cookbook version of the encryption-key-rotation runbook

The full runbook is at Operate, Encryption key rotation. This page is the condensed cookbook version.

Steps

# 1. Generate new key
NEW=$(openssl rand -base64 32)

# 2. Set as ENCRYPTION_KEY_NEXT alongside current ENCRYPTION_KEY
gh secret set ENCRYPTION_KEY_NEXT --body "$NEW"
gh workflow run deploy.yml
# Wait for deploy to complete

# 3. Run the migration
ssh prod 'podman exec olympus-athena-1 \
  bun run /app/node_modules/@olympusoss/sdk/src/migrate-encryption-key.ts'

# 4. Promote new key (only after the migration in step 3 has exited successfully)
gh secret set ENCRYPTION_KEY --body "$NEW"
gh secret delete ENCRYPTION_KEY_NEXT
gh workflow run deploy.yml

# 5. Verify
ssh prod 'podman exec olympus-athena-1 node -e \
  "require(\"@olympusoss/sdk\").getSetting(\"ciam\", \"test_key\").then(v => console.log(\"OK\"))"'

See the full runbook for failure-mode handling.
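
Why step 4 has to wait for step 3, as an added example that is not taken from the Olympus docs or the `@olympusoss/sdk` source: a generic two-key rotation model. The cipher (AES-256-GCM), the `iv.tag.ciphertext` record format and all function names are assumptions made for illustration.

```javascript
// Added illustration: a generic two-key rotation model, NOT the @olympusoss/sdk code.
// Assumptions: AES-256-GCM, 32-byte base64 keys (as from `openssl rand -base64 32`),
// and a hypothetical "iv.tag.ciphertext" record format.
const crypto = require("node:crypto");

function encrypt(keyB64, plaintext) {
  const key = Buffer.from(keyB64, "base64");
  if (key.length !== 32) throw new Error("key must decode to 32 bytes");
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return [iv, c.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

function decrypt(keyB64, record) {
  const [iv, tag, ct] = record.split(".").map((s) => Buffer.from(s, "base64"));
  const d = crypto.createDecipheriv("aes-256-gcm", Buffer.from(keyB64, "base64"), iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8"); // final() throws on a wrong key
}

// Read path while both keys are deployed (steps 2-3): try each configured key.
function decryptAny(keys, record) {
  for (const k of keys.filter(Boolean)) {
    try { return decrypt(k, record); } catch { /* wrong key, try the next one */ }
  }
  throw new Error("no configured key decrypts this record");
}

// Migration (step 3): re-encrypt every record under the next key. Idempotent.
function migrate(records, current, next) {
  return records.map((r) => encrypt(next, decryptAny([next, current], r)));
}

// Gate for step 4: count records that would be unreadable with only `key`.
function unreadableWith(records, key) {
  return records.filter((r) => {
    try { decrypt(key, r); return false; } catch { return true; }
  }).length;
}

// Constructed sample data: two records written under the old key.
const OLD = crypto.randomBytes(32).toString("base64");
const NEXT = crypto.randomBytes(32).toString("base64");
const before = ["alpha", "beta"].map((p) => encrypt(OLD, p));
console.log("unreadable if promoted before migrating:", unreadableWith(before, NEXT));
console.log("unreadable after migrating:", unreadableWith(migrate(before, OLD, NEXT), NEXT));
```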
