hashicorp · sgmiller · Jan 21, 2021 · Jan 22, 2021 · Jan 22, 2021 · Jan 25, 2021
diff --git a/api/sys_rotate.go b/api/sys_rotate.go
@@ -68,10 +68,41 @@ func (c *Sys) KeyStatus() (*KeyStatus, error) {
 	}
 	result.InstallTime = installTime
 
+	encryptionsRaw, ok := secret.Data["encryptions"]
+	if !ok {
+		return nil, errors.New("encryptions not found in response")
+	}
+	encryptions, ok := encryptionsRaw.(json.Number)
+	if !ok {
+		return nil, errors.New("could not convert encryptions to a number")
+	}
+	encryptions64, err := encryptions.Int64()
+	if err != nil {
+		return nil, err
+	}
+	result.Encryptions = int(encryptions64)
+
+	localEncryptionsRaw, ok := secret.Data["local_encryptions"]
+	if !ok {
+		return nil, errors.New("local encryptions not found in response")
+	}
+	localEncryptions, ok := localEncryptionsRaw.(json.Number)
+	if !ok {
+		return nil, errors.New("could not convert local_encryptions to a number")
+	}
+
+	localEncryptions64, err := localEncryptions.Int64()
+	if err != nil {
+		return nil, err
+	}
+	result.LocalEncryptions = int(localEncryptions64)
+
 	return &result, err
 }
 
 type KeyStatus struct {
-	Term        int       `json:"term"`
-	InstallTime time.Time `json:"install_time"`
+	Term             int       `json:"term"`
+	InstallTime      time.Time `json:"install_time"`
+	Encryptions      int       `json:"encryptions"`
+	LocalEncryptions int       `json:"local_encryptions"`
 }
diff --git a/command/base_helpers.go b/command/base_helpers.go
@@ -193,6 +193,7 @@ func printKeyStatus(ks *api.KeyStatus) string {
 	return columnOutput([]string{
 		fmt.Sprintf("Key Term | %d", ks.Term),
 		fmt.Sprintf("Install Time | %s", ks.InstallTime.UTC().Format(time.RFC822)),
+		fmt.Sprintf("Encryption Count | %d", ks.Encryptions),
 	}, nil)
 }
 

diff --git a/http/sys_rotate_test.go b/http/sys_rotate_test.go
@@ -36,15 +36,16 @@ func TestSysRotate(t *testing.T) {
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
 
-	actualInstallTime, ok := actual["data"].(map[string]interface{})["install_time"]
-	if !ok || actualInstallTime == "" {
-		t.Fatal("install_time missing in data")
+	for _, field := range []string{"install_time", "encryptions", "local_encryptions"} {
+		actualVal, ok := actual["data"].(map[string]interface{})[field]
+		if !ok || actualVal == "" {
+			t.Fatal(field, " missing in data")
+		}
+		expected["data"].(map[string]interface{})[field] = actualVal
+		expected[field] = actualVal
 	}
-	expected["data"].(map[string]interface{})["install_time"] = actualInstallTime
-	expected["install_time"] = actualInstallTime
 
 	expected["request_id"] = actual["request_id"]
-
 	if diff := deep.Equal(actual, expected); diff != nil {
 		t.Fatal(diff)
 	}

diff --git a/internalshared/configutil/barrier.go b/internalshared/configutil/barrier.go
@@ -0,0 +1,29 @@
+package configutil
+
+import (
+	"time"
+)
+
+// 10% shy of the NIST recommended maximum, leaving a buffer to account for
+// tracking losses.
+const AbsoluteOperationMaximum = int64(3865470566)
+
+var DefaultRotationConfig = KeyRotationConfig{
+	MaxOperations: AbsoluteOperationMaximum,
+}
+
+type KeyRotationConfig struct {
+	MaxOperations int64
+	Interval      time.Duration
+	nextRotation             time.Time
+}
+
+func (c *KeyRotationConfig) Sanitize() {
+	if c.MaxOperations == 0 || c.MaxOperations > AbsoluteOperationMaximum {
+		c.MaxOperations = AbsoluteOperationMaximum
+	}
+}
+
+func (c *KeyRotationConfig) Equals(config KeyRotationConfig) bool {
+	return c.MaxOperations == config.MaxOperations && c.Interval == config.Interval
+}
diff --git a/vault/activity/activity_log.pb.go b/vault/activity/activity_log.pb.go
diff --git a/vault/barrier.go b/vault/barrier.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"time"
 
+	"github.com/hashicorp/vault/internalshared/configutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -136,12 +137,28 @@ type SecurityBarrier interface {
 	// ActiveKeyInfo is used to inform details about the active key
 	ActiveKeyInfo() (*KeyInfo, error)
 
+	// RotationConfig returns the auto-rotation config for the barrier key
+	RotationConfig() (configutil.KeyRotationConfig, error)
+
+	// SetRotationConfig updates the auto-rotation config for the barrier key
+	SetRotationConfig(ctx context.Context, config configutil.KeyRotationConfig) error
+
 	// Rekey is used to change the master key used to protect the keyring
 	Rekey(context.Context, []byte) error
 
 	// For replication we must send over the keyring, so this must be available
 	Keyring() (*Keyring, error)
 
+	// For encryption count shipping, a function which handles updating local encryption counts if the consumer succeeds.
+	// This isolates the barrier code from the replication system
+	ConsumeEncryptionCount(consumer func(int64) error) error
+
+	// Add encryption counts from a remote source (downstream cluster node)
+	AddRemoteEncryptions(encryptions int64)
+
+	// Check whether an automatic rotation is due
+	CheckBarrierAutoRotate(ctx context.Context, rand io.Reader) error
+
 	// SecurityBarrier must provide the storage APIs
 	logical.Storage
 
@@ -175,6 +192,8 @@ type BarrierEncryptor interface {
 
 // KeyInfo is used to convey information about the encryption key
 type KeyInfo struct {
-	Term        int
-	InstallTime time.Time
+	Term             int
+	InstallTime      time.Time
+	Encryptions      int64
+	LocalEncryptions int64
 }