Skip to content

Rotate Keys and Secrets

Caracal uses secret material for zone encryption, mandate signing, audit integrity, stream signatures, service exchange, admin access, Coordinator access, database access, and Redis access.

MaterialPurpose
ZONE_KEKEncrypts zone secrets and signing material.
Zone signing keysSign mandates exposed through STS JWKS.
AUDIT_HMAC_KEYSigns/verifies audit evidence.
STREAMS_HMAC_KEYSigns Redis stream messages.
GATEWAY_STS_HMAC_KEYAuthenticates Gateway exchanges to STS.
CARACAL_ADMIN_TOKENBootstrap/operator API access.
CARACAL_COORDINATOR_TOKENCoordinator agent/delegation management.
Postgres and Redis passwordsStorage access.

Generated operator secrets are file-backed inside a private operator directory. Local development stores them outside the repository; released self-hosted runtimes store them under $CARACAL_HOME/secrets unless CARACAL_SECRETS_DIR points to another operator-managed directory. Cloud deployments should use the platform secret manager and mount secrets into services through *_FILE paths or CARACAL_SECRETS_DIR.

Never mount operator secrets into agent workspaces or containers. Agents should receive only application client secrets at provisioning time or short-lived resource mandates from caracal run.

  • Rotate one class of material at a time.
  • Keep old verification material available until existing tokens, stream messages, or audit replay windows drain.
  • Verify /ready, audit ingestion, revocation propagation, and Gateway exchange after each rotation.
  • Record who rotated, when, why, new secret location, and rollback window.
flowchart LR
  Prepare[Prepare new secret] --> Deploy[Deploy secret and config]
  Deploy --> Roll[Roll dependent service]
  Roll --> Verify[Verify readiness, audit, JWKS, and revocation]
  Verify --> Retire[Retire old material after safety window]
KeyServices to rollVerify
ZONE_KEKAPI and STS after coordinated key plan.Zone secrets decrypt and STS can read active signing material.
Zone signing keySTS, then verifiers after JWKS cache windows.JWKS exposes expected key IDs and old mandates expire or verify during overlap.
AUDIT_HMAC_KEYProducers and Audit verifier: API, STS, Gateway, Audit, Control.Audit ingestion accepts new events and rejects mismatched signatures.
STREAMS_HMAC_KEYProducers and consumers: API, STS, Gateway, Coordinator, Audit.Consumers accept new stream messages and pending entries drain.
GATEWAY_STS_HMAC_KEYAPI, STS, and Gateway.Gateway exchange succeeds and failed HMAC attempts are denied.
CARACAL_ADMIN_TOKENAPI, Console/Control clients, Control plugin.Old token fails; Console and automation authenticate with the replacement.
CARACAL_COORDINATOR_TOKENCoordinator and Console/operator clients.Agent/delegation views load and old token fails.
SymptomCheck
JWKS clients reject mandates after rotationIssuer URL, JWKS cache age, key overlap window, and STS JWKS health.
Audit DLQ growsProducer and Audit AUDIT_HMAC_KEY mismatch.
Stream consumers reject messagesProducer and consumer STREAMS_HMAC_KEY mismatch.
Gateway exchange failsGATEWAY_STS_HMAC_KEY mismatch between Gateway and STS.

Use Operate PostgreSQL and Operate Redis Streams to verify durable state and event propagation.