Add support for re-encrypting streams with new key (#4296)

This adds a new `prev_key` field to the configuration file to allow transitioning from one encryption key to another. Signed-off-by: Neil Twigg <neil@nats.io>
2026-04-02 03:38:42 -07:00 · 2023-07-27 10:10:08 +01:00
parent 4c41c765f7 bc78e86388
commit b22cdf18fe
8 changed files with 282 additions and 123 deletions
--- a/server/stream.go
+++ b/server/stream.go
@@ -3365,12 +3365,13 @@ func (mset *stream) setupStore(fsCfg *FileStoreConfig) error {
 		mset.store = ms
 	case FileStorage:
 		s := mset.srv
-		prf := s.jsKeyGen(mset.acc.Name)
+		prf := s.jsKeyGen(s.getOpts().JetStreamKey, mset.acc.Name)
 		if prf != nil {
 			// We are encrypted here, fill in correct cipher selection.
 			fsCfg.Cipher = s.getOpts().JetStreamCipher
 		}
-		fs, err := newFileStoreWithCreated(*fsCfg, mset.cfg, mset.created, prf)
+		oldprf := s.jsKeyGen(s.getOpts().JetStreamOldKey, mset.acc.Name)
+		fs, err := newFileStoreWithCreated(*fsCfg, mset.cfg, mset.created, prf, oldprf)
 		if err != nil {
 			mset.mu.Unlock()
 			return err