problem: key rotation for encrypted database values #12389

New issue

Open

opened 2026-05-03 02:20:54 +02:00 by Gusted · 0 comments

Gusted commented 2026-05-03 02:20:54 +02:00 (Migrated from codeberg.org)

Copy link

Does your problem still exist on the latest Forgejo version?

Yes, the problem still exists (tested locally with the latest development version)

About your usage of Forgejo

Contributor of Forgejo
Member of the Forgejo security team.
Self-hosts Forgejo.
Co-Maintainer of Codeberg.org's Forgejo instance.

Problem description

Forgejo encrypt some values in the database via two ways:

• keying, authored by me. The new way of doing encryption.
• secret, authored in 2019 in Gitea. Legacy way, has some less nice properties that you don't want for encryption.

Since keying was introduced the usages of secret have been converted to keying. Today only one usage of secret is left:
codeberg.org/forgejo/forgejo@b6658076a9/services/auth/source/ldap/source.go (L80)

If the SECRET_KEY (from which the encryption key is derived) is known via some way, the encrypted values in the database can be decrypted. There's no way in Forgejo to re-encrypt all of these values under a new key.

Moreover, once key rotation is added the following code block is no longer needed.

codeberg.org/forgejo/forgejo@b6658076a9/modules/setting/security.go (L266-L271)

This is issue was created as part of https://floss.social/@forgejo/116494296646568723; it is a long-standing known issue that hasn't previously been documented.

Potential workarounds

No response

Forgejo Version

N/A

Other details about your environment (software names and versions)

N/A

Solutions

Accepted solutions to address this problem will go here

### Does your problem still exist on the latest Forgejo version? Yes, the problem still exists (tested locally with the latest development version) ### About your usage of Forgejo Contributor of Forgejo Member of the Forgejo security team. Self-hosts Forgejo. Co-Maintainer of Codeberg.org's Forgejo instance. ### Problem description Forgejo encrypt some values in the database via two ways: - [keying](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/modules/keying/keying.go), authored by me. The new way of doing encryption. - [secret](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/modules/secret/secret.go), authored in 2019 in Gitea. Legacy way, has some less nice properties that you don't want for encryption. Since keying was introduced the usages of `secret` have been converted to `keying`. Today only one usage of `secret` is left: https://codeberg.org/forgejo/forgejo/src/commit/b6658076a96977cc1bc6d0b141d881d4589b74bf/services/auth/source/ldap/source.go#L80 If the `SECRET_KEY` (from which the encryption key is derived) is known via some way, the encrypted values in the database can be decrypted. There's no way in Forgejo to re-encrypt all of these values under a new key. Moreover, once key rotation is added the following code block is no longer needed. https://codeberg.org/forgejo/forgejo/src/commit/b6658076a96977cc1bc6d0b141d881d4589b74bf/modules/setting/security.go#L266-L271 This is issue was created as part of https://floss.social/@forgejo/116494296646568723; it is a long-standing known issue that hasn't previously been documented. ### Potential workarounds _No response_ ### Forgejo Version N/A ### Other details about your environment (software names and versions) N/A ### Solutions *Accepted solutions to address this problem will go here*

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

forgejo

bp-v15.0/forgejo-49f9cc7

v15.0/forgejo

v11.0/forgejo

renovate/forgejo-postcss

renovate/forgejo-github.com-fsnotify-fsnotify-1.x

renovate/forgejo-github.com-alecthomas-chroma-v2-2.x

renovate/forgejo-github.com-go-webauthn-webauthn-0.x

v14.0/forgejo

bp-v15.0/forgejo-2176403

bp-v14.0/forgejo-9767ceb

bp-v14.0/forgejo-d996dfb

v13.0/forgejo

bp-v13.0/forgejo-dc0a63e

bp-v13.0/forgejo-e7ef2eb

v12.0/forgejo

bp-v12.0/forgejo-cf1fda8-a511e37

bp-v11.0/forgejo-b52cec7

v7.0/forgejo

v10.0/forgejo

v9.0/forgejo

v8.0/forgejo

v1.21/forgejo

v1.20/forgejo

v1.19/forgejo

v1.18/forgejo

v1.17/forgejo

v14.0.5

v15.0.1

v11.0.13

v15.0.0

v14.0.4

v11.0.12

v16.0.0-dev

v14.0.3

v11.0.11

v14.0.2

v14.0.1

v13.0.5

v11.0.10

v14.0.0

v13.0.4

v11.0.9

v15.0.0-dev

v13.0.3

v11.0.8

v11.0.7

v13.0.2

v13.0.1

v13.0.0

v14.0.0-dev

v11.0.6

v12.0.4

v12.0.3

v11.0.5

v11.0.4

v12.0.2

v12.0.1

v12.0.0

v7.0.16

v11.0.3

v13.0.0-dev

v11.0.2

v7.0.15

v11.0.1

v11.0.0

v12.0.0-dev

v10.0.3

v10.0.2

v7.0.14

v7.0.13

v10.0.1

v10.0.0

v11.0.0-dev

v9.0.3

v7.0.12

v7.0.11

v9.0.2

v9.0.1

v7.0.10

v9.0.0

v10.0.0-dev

v8.0.3

v7.0.9

v8.0.2

v7.0.8

v8.0.1

v7.0.7

v7.0.6

v8.0.0

v9.0.0-dev

v7.0.5

v1.21.11-2

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v1.21.11-1

v1.21.11-0

v1.21.10-0

v8.0.0-dev

v1.21.8-0

v1.21.7-0

v1.21.6-0

v1.21.5-0

v1.21.4-0

v1.21.3-0

v1.20.6-1

v1.21.2-1

v1.21.2-0

v1.21.1-0

v1.20.6-0

v1.20.5-1

v1.21.0-rc2

v1.21.0-rc1

v1.20.5-0

v7.0.0-dev

v1.21.0-rc0

v1.20.4-1

v1.20.4-0

v1.20.3-0

v1.20.2-0

v1.20.1-0

v1.20.0

v1.19.4-0

v1.21.0-dev

v1.20.0-rc2

v1.19.3-0

v1.19.2-0

v1.19.1-0

v1.19.0-3

v1.19.0-2

v1.18.5-0

v1.20.0-dev

v1.19.0-rc0

v1.18.3-2

v1.18.3-1

v1.18.3-0

v1.18.2-1

v1.18.2-0

v1.18.1-0

v1.18.0-1

v1.18.0-0

v1.18.0-rc1-2

v1.18.0-rc1-1

v1.18.0-rc1

v1.18.0-rc0

v1.19.0-dev

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

sleepy/forgejo#12389

No description provided.