Open
Description
ToolHive currently lacks any method to rotate/change the encryption password. Users must delete the keyring entry (with `thv secret reset-keyring`) and the `secrets_encrypted` file and start over.

It would be good to have a method to do this.
We might also consider letting ToolHive generate a random password, assuming keyring access is verified on the user's system? (This could also imply an additional `thv secret init --generate` command to do this initially, and/or a question when running the first `secret` command?)
Potential workflow

Interactive version:

```
$ thv secret rotate-password
Enter the new encryption password:
# User enters new password, ToolHive re-encrypts the file, then updates the keyring entry
```

Non-interactive version:

```
$ thv secret rotate-password --generate
# ToolHive generates a strong random password, re-encrypts the file, then updates the keyring entry
# IF keyring update fails for any reason, display the generated password to the user so they're not locked out of their file?
```
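As an added illustration of the rotation order sketched above (example code, not ToolHive's implementation): the current password must decrypt the file before anything changes, the file is re-encrypted under the new password, and only then is the keyring updated; a keyring failure surfaces the new password instead of discarding it. The `Keyring` callback and the SHA-256 key derivation are assumptions made to keep the example self-contained.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Keyring stands in for updating the OS keyring entry ToolHive keeps the password in (hypothetical).
type Keyring func(password string) error

// aead builds AES-256-GCM for a password. SHA-256 is a stand-in KDF that keeps the example stdlib-only;
// a real rotation needs Argon2id/scrypt/PBKDF2 with a stored salt. Neither constructor can fail here.
func aead(password string) cipher.AEAD {
	key := sha256.Sum256([]byte(password)) // always 32 bytes, so aes.NewCipher cannot fail
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block) // AES block size is valid for GCM, so this cannot fail either
	return gcm
}

// Open decrypts a nonce-prefixed blob; a wrong password fails the GCM tag check.
func Open(password string, blob []byte) ([]byte, error) {
	gcm := aead(password)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("secrets_encrypted is too short to contain a nonce")
}

// RotatePassword re-encrypts blob under newPw (typed by the user or produced by --generate), then
// updates the keyring. If that update fails, showPw carries newPw so the caller can display it and
// the user is not locked out of a file that has already been re-encrypted.
func RotatePassword(kr Keyring, oldPw, newPw string, blob []byte) (newBlob []byte, showPw string, err error) {
	plain, err := Open(oldPw, blob)
	if err != nil {
		return nil, "", err // current password rejected: nothing has changed on disk
	}
	gcm := aead(newPw)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce, prefixed to the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, "", err
	}
	newBlob = gcm.Seal(nonce, nonce, plain, nil)
	if kr(newPw) != nil {
		return newBlob, newPw, nil
	}
	return newBlob, "", nil
}
```

The caller writes `newBlob` to `secrets_encrypted` and, when `showPw` is non-empty, prints it with a warning that the keyring entry could not be updated.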