Two safety improvements to choosing a Master KEK.

  • Filter the key dropdown on both the global settings form and the per-tenant form to keys that can actually serve as a Master KEK: encryption keys that are 256-bit or have no declared size, dropping non-encryption keys and explicit non-256 sizes. It reads the key's type metadata only (no secret resolution). A single shared helper (MasterKeyOptions) does the filtering, and the currently selected key is always kept in the list so editing never silently drops it.
  • Nudge a rotation on key change: when the Master KEK actually changes, the form shows a warning that the change is non-destructive but leaves existing subjects on the old key until a rotation re-wraps them, with a link to run it (the tenant's rotation, or Vault subjects for the site-wide key).

French translations included. Code only; phpcs, phpstan and msgfmt pass.
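
The filter rule from the first bullet, sketched as an added example. It is not the module's `MasterKeyOptions` code; the function name `master_kek_options` and the metadata array shape (`label`, `group`, `size`) are assumptions made for illustration, and the sample keys are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Builds the option list for a Master KEK selector (illustrative only).
 *
 * $keys maps key id => ['label' => string, 'group' => string, 'size' => ?int].
 * This shape is an assumption for the example. Only type metadata is read;
 * the key value itself is never resolved.
 */
function master_kek_options(array $keys, ?string $current = NULL): array {
  $options = [];
  foreach ($keys as $id => $meta) {
    $is_encryption = ($meta['group'] ?? '') === 'encryption';
    $size = $meta['size'] ?? NULL;
    // Compatible: an encryption key that is 256-bit or declares no size.
    $compatible = $is_encryption && ($size === NULL || (int) $size === 256);
    // The saved selection is always kept, so opening the form on an older
    // configuration never silently drops the key that is in use.
    if ($compatible || (string) $id === $current) {
      $options[(string) $id] = $meta['label'];
    }
  }
  return $options;
}

// Constructed sample metadata covering each branch of the rule.
$keys = [
  'kek_256'    => ['label' => 'KEK (256-bit)',  'group' => 'encryption',     'size' => 256],
  'kek_nosize' => ['label' => 'KEK (no size)',  'group' => 'encryption',     'size' => NULL],
  'aes_128'    => ['label' => 'AES 128',        'group' => 'encryption',     'size' => 128],
  'api_token'  => ['label' => 'API token',      'group' => 'authentication', 'size' => NULL],
];

// New configuration: only kek_256 and kek_nosize are offered.
print_r(master_kek_options($keys));

// Existing configuration that already points at aes_128: it stays listed
// alongside the two compatible keys; api_token is still filtered out.
print_r(master_kek_options($keys, 'aes_128'));
```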

Comments

mably created an issue. See original summary.

Status: Active » Needs review

  • mably committed 01b4430c on 1.x
    task: #3593869 Filter Master KEK selection to compatible keys; nudge...

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.