Skip to content

KEK Rotate-and-Rewrap Procedure (Draft)

Hierarchies

Client evidence

user PIN → PBKDF2 → AES-256-GCM envelope → evidence ciphertext

Gateway alert store (B0+)

ALERT_DATA_KEK (KEK) → wrap per-row DEK → encrypt field with DEK + AAD(tenant_id:alert_id:field)
kek_key_id identifies which KEK wrapped the DEK (default env:ALERT_DATA_KEK).

Rotate gateway data KEK (never env-swap alone)

  1. Generate new 32-byte KEK; register as kek_key_id = env:ALERT_DATA_KEK_v2 (or KMS id).
  2. Keep old KEK addressable in a registry until rewrap completes.
  3. Background job: for each alert row, unwrap DEK with old KEK, wrap with new KEK, update wrapped_dek + kek_key_id.
  4. Verify sample decrypts; then retire old KEK from hot config.
  5. Document cutover time for DPIA.

Rotate gateway signing keypair

  1. pnpm --filter @waspada/gateway-api provision → new PEM pair.
  2. Deploy dual-verify window: accept signatures from old and new public keys.
  3. Switch signing to new private key.
  4. After grace period, remove old public key from verify set.
  5. Partners: rotate PARTNER_KEYS_JSON entries independently (max keys per partner enforced).

Incident: KEK compromise

Treat as data breach for ciphertext that can be unwrapped. Rotate KEK, rewrap if DEKs still valid, force re-encrypt or shred per legal advice.

Waspada AI: Enterprise infrastructure powering public defense.