Add secrets.keys_dir config option

2025-08-06 15:21:30 +02:00
parent 42a73dd07f
commit db8555a589
3 changed files with 237 additions and 17 deletions
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -1528,14 +1528,6 @@
      "description": "Application secrets",
      "type": "object",
      "properties": {
-        "keys": {
-          "description": "List of private keys to use for signing and encrypting payloads",
-          "default": [],
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/KeyConfig"
-          }
-        },
        "encryption_file": {
          "description": "File containing the encryption key for secure cookies.",
          "type": "string"
@@ -1547,6 +1539,17 @@
          ],
          "type": "string",
          "pattern": "[0-9a-fA-F]{64}"
+        },
+        "keys": {
+          "description": "List of private keys to use for signing and encrypting payloads.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/KeyConfig"
+          }
+        },
+        "keys_dir": {
+          "description": "Directory of private keys to use for signing and encrypting payloads.",
+          "type": "string"
        }
      }
    },
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -222,7 +222,7 @@ The secret is not updated when the content of the file changes.
 > Changing the encryption secret afterwards will lead to a loss of all encrypted
 > information in the database.

-### `secrets.keys`
+### Singing Keys

 The service can use a number of key types for signing.
 The following key types are supported:
@@ -232,15 +232,26 @@ The following key types are supported:
 - ECDSA with the P-384 (`secp384r1`) curve
 - ECDSA with the K-256 (`secp256k1`) curve

-Each entry in the list corresponds to one signing key used by MAS.
-The key can either be specified inline (with the `key` property),
-or loaded from a file (with the `key_file` property).
 The following key formats are supported:

 - PKCS#1 PEM or DER-encoded RSA private key
 - PKCS#8 PEM or DER-encoded RSA or ECDSA private key, encrypted or not
 - SEC1 PEM or DER-encoded ECDSA private key

+The keys can be given as a directory path via `secrets.keys_dir`
+or, alternatively, as an inline configuration list via `secrets.keys`.
+
+#### `secrets.keys_dir`
+
+Path to the directory containing MAS signing key files.
+Only keys that don’t require a password are supported.
+
+#### `secrets.keys`
+
+Each entry in the list corresponds to one signing key used by MAS.
+The key can either be specified inline (with the `key` property),
+or loaded from a file (with the `key_file` property).
+
 A [JWK Key ID] is automatically derived from each key.
 To override this default, set `kid` to a custom value.
 The `kid` can be any case-sensitive string value as long as it is unique to this list;