Rotating the owner passphrase re-wraps the same Subject KEK under the new passphrase, so the Subject KEK value is unchanged. As a result, the split-key unlock entries minted under the old passphrase keep working after a rotation:
- the server-side
enc_Ks(Subject KEK)entries (keyed by a hash of the client-onlyKs), and - any live unlock cookies / relayed
Ksheaders, same-site and cross-site.
An owner who rotates because they believe the old passphrase was exposed would reasonably expect existing unlocks to stop working. They do not.
Proposed: on rotate (and ideally on disable), invalidate the outstanding unlock lookup entries for that subject so existing sessions must re-unlock with the new passphrase. Add a kernel test that proves an unlock obtained before the rotation no longer resolves after it.
Follow-up to #3594111. Part of the roadmap meta #3593605.
Comments