Rotating the owner passphrase re-wraps the same Subject KEK under the new passphrase, so the Subject KEK value is unchanged. As a result, the split-key unlock entries minted under the old passphrase keep working after a rotation:

  • the server-side enc_Ks(Subject KEK) entries (keyed by a hash of the client-only Ks), and
  • any live unlock cookies / relayed Ks headers, same-site and cross-site.

An owner who rotates because they believe the old passphrase was exposed would reasonably expect existing unlocks to stop working. They do not.

Proposed: on rotate (and ideally on disable), invalidate the outstanding unlock lookup entries for that subject so existing sessions must re-unlock with the new passphrase. Add a kernel test that proves an unlock obtained before the rotation no longer resolves after it.

Follow-up to #3594111. Part of the roadmap meta #3593605.

Comments

mably created an issue.