rotate keys wrapped with older versions

Author: vishesh92

api/src/main/java/org/apache/cloudstack/kms/KMSManager.java

@@ -127,6 +127,32 @@ public interface KMSManager extends Manager, Configurable {
             ConfigKey.Scope.Global
     );
 
+    /**
+     * Global: batch size for background rewrap operations
+     */
+    ConfigKey<Integer> KMSRewrapBatchSize = new ConfigKey<>(
+            "Advanced",
+            Integer.class,
+            "kms.rewrap.batch.size",
+            "50",
+            "Number of wrapped keys to rewrap per batch in background job",
+            true,
+            ConfigKey.Scope.Global
+    );
+
+    /**
+     * Global: interval for background rewrap job
+     */
+    ConfigKey<Long> KMSRewrapIntervalMs = new ConfigKey<>(
+            "Advanced",
+            Long.class,
+            "kms.rewrap.interval.ms",
+            "300000",
+            "Interval in milliseconds between background rewrap job executions (default: 5 minutes)",
+            true,
+            ConfigKey.Scope.Global
+    );
+
     // ==================== Provider Management ====================
 
     /**
@@ -161,63 +187,6 @@ public interface KMSManager extends Manager, Configurable {
      */
     boolean isKmsEnabled(Long zoneId);
 
-    // ==================== KEK Management ====================
-
-    /**
-     * Create a new KEK for a zone and purpose
-     *
-     * @param zoneId  the zone ID
-     * @param purpose the key purpose
-     * @param label   optional custom label (null for auto-generated)
-     * @param keyBits key size in bits
-     * @return the KEK identifier
-     * @throws KMSException if creation fails
-     */
-    String createKek(Long zoneId, KeyPurpose purpose, String label, int keyBits) throws KMSException;
-
-    /**
-     * Delete a KEK (WARNING: makes all DEKs wrapped by it unrecoverable)
-     *
-     * @param zoneId the zone ID
-     * @param kekId  the KEK identifier
-     * @throws KMSException if deletion fails
-     */
-    void deleteKek(Long zoneId, String kekId) throws KMSException;
-
-    /**
-     * List KEKs for a zone and purpose
-     *
-     * @param zoneId  the zone ID
-     * @param purpose the purpose filter (null for all)
-     * @return list of KEK identifiers
-     * @throws KMSException if listing fails
-     */
-    List<String> listKeks(Long zoneId, KeyPurpose purpose) throws KMSException;
-
-    /**
-     * Check if a KEK is available
-     *
-     * @param zoneId the zone ID
-     * @param kekId  the KEK identifier
-     * @return true if available
-     * @throws KMSException if check fails
-     */
-    boolean isKekAvailable(Long zoneId, String kekId) throws KMSException;
-
-    /**
-     * Rotate a KEK (create new one and rewrap all DEKs)
-     *
-     * @param zoneId      the zone ID
-     * @param purpose     the purpose
-     * @param oldKekLabel the old KEK label (must be specified)
-     * @param newKekLabel the new KEK label (null for auto-generated)
-     * @param keyBits     the new KEK size
-     * @return the new KEK identifier
-     * @throws KMSException if rotation fails
-     */
-    String rotateKek(Long zoneId, KeyPurpose purpose, String oldKekLabel,
-            String newKekLabel, int keyBits) throws KMSException;
-
     // ==================== DEK Operations ====================
 
     /**
@@ -233,15 +202,6 @@ String rotateKek(Long zoneId, KeyPurpose purpose, String oldKekLabel,
 
     // ==================== Health & Status ====================
 
-    /**
-     * Check KMS provider health for a zone
-     *
-     * @param zoneId the zone ID (null for global)
-     * @return true if healthy
-     * @throws KMSException if health check fails critically
-     */
-    boolean healthCheck(Long zoneId) throws KMSException;
-
     // ==================== User KEK Management ====================
 
     /**
@@ -274,20 +234,11 @@ KMSKey createUserKMSKey(Long accountId, Long domainId, Long zoneId,
     List<? extends KMSKey> listUserKMSKeys(Long accountId, Long domainId, Long zoneId,
                                           KeyPurpose purpose, KMSKey.State state);
 
-    /**
-     * Get a KMS key by UUID (with permission check)
-     *
-     * @param uuid           the key UUID
-     * @param callerAccountId the caller's account ID
-     * @return the KMS key, or null if not found or no permission
-     */
-    KMSKey getUserKMSKey(String uuid, Long callerAccountId);
-
     /**
      * Check if caller has permission to use a KMS key
      *
      * @param callerAccountId the caller's account ID
-     * @param keyUuid         the key UUID
+     * @param key         the KMS key
      * @return true if caller has permission
      */
     boolean hasPermission(Long callerAccountId, KMSKey key);
@@ -305,7 +256,7 @@ List<? extends KMSKey> listUserKMSKeys(Long accountId, Long domainId, Long zoneI
     /**
      * Generate and wrap a DEK using a specific KMS key UUID
      *
-     * @param kekUuid        the KMS key UUID
+     * @param kmsKey        the KMS key
      * @param callerAccountId the caller's account ID
      * @return wrapped key ready for database storage
      * @throws KMSException if operation fails
@@ -364,17 +315,6 @@ List<? extends KMSKey> listUserKMSKeys(Long accountId, Long domainId, Long zoneI
      */
     String rotateKMSKey(RotateKMSKeyCmd cmd) throws KMSException;
 
-    /**
-     * Gradually rewrap all wrapped keys for a KMS key to use new KEK version
-     *
-     * @param kmsKeyId KMS key ID
-     * @param newKekVersionId New active KEK version ID
-     * @param batchSize Number of keys to process per batch
-     * @return Number of keys successfully rewrapped
-     * @throws KMSException if rewrap fails
-     */
-    int rewrapWrappedKeysForKMSKey(Long kmsKeyId, Long newKekVersionId, int batchSize) throws KMSException;
-
     /**
      * Migrate passphrase-based volumes to KMS encryption
      *
@@ -383,4 +323,12 @@ List<? extends KMSKey> listUserKMSKeys(Long accountId, Long domainId, Long zoneI
      * @throws KMSException if migration fails
      */
     int migrateVolumesToKMS(MigrateVolumesToKMSCmd cmd) throws KMSException;
+
+    /**
+     * Delete all KMS keys owned by an account (called during account cleanup)
+     *
+     * @param accountId the account ID
+     * @return true if all keys were successfully deleted
+     */
+    boolean deleteKMSKeysByAccountId(Long accountId);
 }

engine/schema/src/main/java/org/apache/cloudstack/kms/dao/KMSKekVersionDao.java

@@ -47,4 +47,10 @@ public interface KMSKekVersionDao extends GenericDao<KMSKekVersionVO, Long> {
      * Find a KEK version by KEK label
      */
     KMSKekVersionVO findByKekLabel(String kekLabel);
+
+    /**
+     * Find all KEK versions with a specific status
+     * (useful for background jobs to find versions needing processing)
+     */
+    List<KMSKekVersionVO> findByStatus(KMSKekVersionVO.Status status);
 }

engine/schema/src/main/java/org/apache/cloudstack/kms/dao/KMSKekVersionDaoImpl.java

@@ -76,4 +76,11 @@ public KMSKekVersionVO findByKekLabel(String kekLabel) {
         sc.setParameters("kekLabel", kekLabel);
         return findOneBy(sc);
     }
+
+    @Override
+    public List<KMSKekVersionVO> findByStatus(KMSKekVersionVO.Status status) {
+        SearchCriteria<KMSKekVersionVO> sc = allFieldSearch.create();
+        sc.setParameters("status", status);
+        return listBy(sc);
+    }
 }

engine/schema/src/main/java/org/apache/cloudstack/kms/dao/KMSWrappedKeyDao.java

@@ -62,6 +62,16 @@ public interface KMSWrappedKeyDao extends GenericDao<KMSWrappedKeyVO, Long> {
      */
     List<KMSWrappedKeyVO> listByKekVersionId(Long kekVersionId);
 
+    /**
+     * List wrapped keys using a specific KEK version with pagination limit
+     * (useful for batch processing in background jobs)
+     *
+     * @param kekVersionId the KEK version ID (FK to kms_kek_versions)
+     * @param limit maximum number of keys to return
+     * @return list of wrapped keys (limited to specified count)
+     */
+    List<KMSWrappedKeyVO> listByKekVersionId(Long kekVersionId, int limit);
+
     /**
      * List wrapped keys for a KMS key that need re-encryption (not using specified version)
      *

engine/schema/src/main/java/org/apache/cloudstack/kms/dao/KMSWrappedKeyDaoImpl.java

@@ -17,6 +17,7 @@
 
 package org.apache.cloudstack.kms.dao;
 
+import com.cloud.utils.db.Filter;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@@ -81,6 +82,14 @@ public List<KMSWrappedKeyVO> listByKekVersionId(Long kekVersionId) {
         return listBy(sc);
     }
 
+    @Override
+    public List<KMSWrappedKeyVO> listByKekVersionId(Long kekVersionId, int limit) {
+        SearchCriteria<KMSWrappedKeyVO> sc = allFieldSearch.create();
+        sc.setParameters("kekVersionId", kekVersionId);
+        Filter filter = new Filter(limit);
+        return listBy(sc, filter);
+    }
+
     @Override
     public List<KMSWrappedKeyVO> listWrappedKeysForRewrap(long kmsKeyId, long excludeKekVersionId) {
             SearchCriteria<KMSWrappedKeyVO> sc = rewrapExcludeVersionSearch.create();

engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql

@@ -114,8 +114,8 @@ CREATE TABLE IF NOT EXISTS `cloud`.`kms_wrapped_key` (
     INDEX `idx_kms_key_id` (`kms_key_id`, `removed`),
     INDEX `idx_kek_version_id` (`kek_version_id`, `removed`),
     INDEX `idx_zone_id` (`zone_id`, `removed`),
-    CONSTRAINT `fk_kms_wrapped_key__kms_key_id` FOREIGN KEY (`kms_key_id`) REFERENCES `kms_keys`(`id`) ON DELETE RESTRICT,
-    CONSTRAINT `fk_kms_wrapped_key__kek_version_id` FOREIGN KEY (`kek_version_id`) REFERENCES `kms_kek_versions`(`id`) ON DELETE RESTRICT,
+    CONSTRAINT `fk_kms_wrapped_key__kms_key_id` FOREIGN KEY (`kms_key_id`) REFERENCES `kms_keys`(`id`) ON DELETE CASCADE,
+    CONSTRAINT `fk_kms_wrapped_key__kek_version_id` FOREIGN KEY (`kek_version_id`) REFERENCES `kms_kek_versions`(`id`) ON DELETE CASCADE,
     CONSTRAINT `fk_kms_wrapped_key__zone_id` FOREIGN KEY (`zone_id`) REFERENCES `data_center`(`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='KMS wrapped encryption keys (DEKs) - references kms_keys for KEK metadata and kek_versions for specific version';
 

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -315,6 +315,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     private NetworkPermissionDao networkPermissionDao;
     @Inject
     private SslCertDao sslCertDao;
+    @Inject
+    private org.apache.cloudstack.kms.KMSManager kmsManager;
 
     private List<QuerySelector> _querySelectors;
 
@@ -1215,6 +1217,17 @@ public int compare(NetworkVO network1, NetworkVO network2) {
             // Delete Webhooks
             deleteWebhooksForAccount(accountId);
 
+            // Delete KMS keys
+            try {
+                if (!kmsManager.deleteKMSKeysByAccountId(accountId)) {
+                    logger.warn("Failed to delete all KMS keys for account {}", account);
+                    accountCleanupNeeded = true;
+                }
+            } catch (Exception e) {
+                logger.error("Error deleting KMS keys for account {}: {}", account, e.getMessage(), e);
+                accountCleanupNeeded = true;
+            }
+
             return true;
         } catch (Exception ex) {
             logger.warn("Failed to cleanup account " + account + " due to ", ex);