Description
Hi,
It would be great if the master key used for encryption could be replaced, e.g. in case the key has been compromised. This has actually been discussed with @schiessle some time ago in an old ownCloud issue which is rotting in the backlog, so let's continue this here and hopefully make it come true :D
To refresh memory, here is an essential comment by @schiessle, copied from the old discussion, which helps to kickstart:
[..], the master key is encrypted with the secret stored in config.php. You can't change this secret easily because it is also used in other places. So if we want to be able to replace the master key with a new one and also want a new password we need to introduce a new config.php option to store the master key password. If it is set we use this password, if not we fall back to the "secret" for backward compatibility.
The hard part of replacing the master key is not to generate a new one and set a new password somehow but to re-encrypt all files with the new key! Therefore we would need an occ call similar to "encrypt-/decrypt-all" and some extended logic to place a "read-key" and a "write-key" in the session. By default these would be the same keys. But in case of a "change master key call" we could add the old key as "read-key" and the new key as "write-key" and then read all existing files and write them to new ones. So this involves quite some work, as you can see if you look at the encrypt-all and decrypt-all commands.
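The rotation flow described in the quoted comment, as an added PHP example that is not part of the original issue and is not Nextcloud code. The `masterkey_password` option name, the helper functions and the AES-256-GCM blob layout are assumptions made for illustration, and all sample data is constructed.

```php
<?php
// Added illustration, not Nextcloud code. 'masterkey_password' is a hypothetical
// config.php option name; AES-256-GCM blobs stand in for the real file format.

function masterKeyPassword(array $config): string {
    // Use the dedicated password if set, else fall back to the shared "secret".
    return $config['masterkey_password'] ?? $config['secret'];
}

function sealBlob(string $plain, string $key): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $iv . $tag . $ct;                       // 12-byte IV, 16-byte tag, ciphertext
}

function openBlob(string $blob, string $key): string {
    $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
    if ($plain === false) {
        throw new RuntimeException('authentication failed: wrong key or corrupt data');
    }
    return $plain;
}

function wrapKey(string $password): string {
    // Key that protects the master key at rest, derived from the config password.
    return hash_pbkdf2('sha256', $password, 'constructed-demo-salt', 100000, 32, true);
}

// During rotation the session carries two keys; outside rotation they are the same key.
function reencryptAll(array $files, array $session): array {
    foreach ($files as $path => $blob) {
        $files[$path] = sealBlob(openBlob($blob, $session['read-key']), $session['write-key']);
    }
    return $files;
}

// Constructed sample data.
$config = ['secret' => 'constructed-instance-secret'];
$oldMaster = random_bytes(32);
$storedMaster = sealBlob($oldMaster, wrapKey(masterKeyPassword($config)));
$files = ['alice/notes.txt' => sealBlob('hello', $oldMaster)];
// Rotate: new master key, new dedicated password, then re-encrypt every file.
$config['masterkey_password'] = 'constructed-new-password';
$newMaster = random_bytes(32);
$oldMaster = openBlob($storedMaster, wrapKey($config['secret']));
$files = reencryptAll($files, ['read-key' => $oldMaster, 'write-key' => $newMaster]);
$storedMaster = sealBlob($newMaster, wrapKey(masterKeyPassword($config)));
echo openBlob($files['alice/notes.txt'], $newMaster), "\n";
```

The old master key has to stay available as the read-key until every file has been rewritten; only after that can it be discarded.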