Olympus Docs

Rotate the session signing key

Cookbook version of the session-signing-key rotation runbook

The full runbook is at Operate, Session signing key rotation. This is the condensed cookbook.

Steps

# 1. Generate new key
NEW=$(openssl rand -base64 32)

# 2. Stage new key alongside current as SESSION_SIGNING_KEY_NEXT
gh secret set SESSION_SIGNING_KEY_NEXT --body "$NEW"
gh workflow run deploy.yml

# Now Athena verifies signatures with EITHER key, writes new ones with current
# Existing user sessions continue to work

# 3. Promote
gh secret set SESSION_SIGNING_KEY --body "$NEW"
gh secret delete SESSION_SIGNING_KEY_NEXT
gh workflow run deploy.yml

# Now Athena verifies and writes with new key only
# Sessions signed during the staged window are still valid (verified by new key)
# Sessions signed before the staged window are invalidated (users must log in again)

User-visible impact: any user logged in at the moment of step 3 must log in again. Acceptable for quarterly rotation; do it at a low-traffic time.
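A small model of the verify-with-either-key behaviour the steps above rely on, added here as an example; it is not Athena's code. It assumes HMAC-SHA256 session tokens, keys in the base64 form that `openssl rand -base64 32` produces, and the two secret names from the steps; which key signs a token is passed in explicitly, and the payloads are constructed sample values.

```python
import base64
import hashlib
import hmac
import os


def generate_key():
    """32 random bytes, base64-encoded: the same shape as `openssl rand -base64 32`."""
    return base64.b64encode(os.urandom(32)).decode()


def load_keys(env):
    """Verification keys in order: SESSION_SIGNING_KEY, then SESSION_SIGNING_KEY_NEXT if staged."""
    keys = [base64.b64decode(env["SESSION_SIGNING_KEY"])]
    nxt = env.get("SESSION_SIGNING_KEY_NEXT")
    if nxt:
        keys.append(base64.b64decode(nxt))
    return keys


def sign(payload, key):
    """Token = urlsafe-b64(payload) '.' urlsafe-b64(HMAC-SHA256(key, payload))."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify(token, keys):
    """Return the payload if ANY configured key reproduces the tag (constant-time compare), else None."""
    try:
        p64, t64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    for key in keys:
        if hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
            return payload
    return None


def rotation_walkthrough(old_b64, new_b64):
    """Walk one old-key session and one new-key session through steps 2 and 3 of the runbook."""
    staged = {"SESSION_SIGNING_KEY": old_b64, "SESSION_SIGNING_KEY_NEXT": new_b64}  # after step 2
    promoted = {"SESSION_SIGNING_KEY": new_b64}                                     # after step 3
    old_session = sign(b"user=alice", base64.b64decode(old_b64))  # constructed: issued before step 2
    new_session = sign(b"user=bob", base64.b64decode(new_b64))    # constructed: issued with the new key
    return {
        "old_in_staged": verify(old_session, load_keys(staged)) == b"user=alice",
        "new_in_staged": verify(new_session, load_keys(staged)) == b"user=bob",
        "old_after_promote": verify(old_session, load_keys(promoted)) == b"user=alice",
        "new_after_promote": verify(new_session, load_keys(promoted)) == b"user=bob",
    }
```

The walkthrough shows why the order matters: a token signed with the old key survives the staged window but not promotion, while a token signed with the new key is accepted in both phases.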
