@striae-org/striae 7.1.3 → 8.0.1

package/shared/registry/registry-encryption.ts

@@ -0,0 +1,112 @@
+/**
+ * Symmetric AES-256-GCM encryption for key registry files stored in R2.
+ *
+ * Registry JSON is encrypted before upload and decrypted after fetch using
+ * a shared REGISTRY_ENCRYPTION_KEY (32-byte key, base64-encoded in env).
+ */
+
+export interface EncryptedRegistryEnvelope {
+  encrypted: true;
+  algorithm: 'AES-256-GCM';
+  version: '1.0';
+  iv: string;
+  ciphertext: string;
+}
+
+function base64UrlEncode(bytes: Uint8Array): string {
+  let binary = '';
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+function base64UrlDecode(encoded: string): Uint8Array {
+  let padded = encoded.replace(/-/g, '+').replace(/_/g, '/');
+  const pad = padded.length % 4;
+  if (pad === 2) padded += '==';
+  else if (pad === 3) padded += '=';
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
+function importKeyFromBase64(keyBase64: string): Promise<CryptoKey> {
+  const keyBytes = base64UrlDecode(keyBase64);
+  if (keyBytes.length !== 32) {
+    throw new Error(`Registry encryption key must be 32 bytes, got ${keyBytes.length}`);
+  }
+  return crypto.subtle.importKey(
+    'raw',
+    keyBytes as BufferSource,
+    { name: 'AES-GCM', length: 256 },
+    false,
+    ['encrypt', 'decrypt']
+  );
+}
+
+/**
+ * Encrypts registry JSON for storage in R2.
+ */
+export async function encryptRegistryJson(
+  plaintextJson: string,
+  keyBase64: string
+): Promise<EncryptedRegistryEnvelope> {
+  const key = await importKeyFromBase64(keyBase64);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintext = new TextEncoder().encode(plaintextJson);
+
+  const ciphertextBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    key,
+    plaintext as BufferSource
+  );
+
+  return {
+    encrypted: true,
+    algorithm: 'AES-256-GCM',
+    version: '1.0',
+    iv: base64UrlEncode(iv),
+    ciphertext: base64UrlEncode(new Uint8Array(ciphertextBuffer))
+  };
+}
+
+/**
+ * Decrypts an encrypted registry envelope back to JSON.
+ */
+export async function decryptRegistryJson(
+  envelope: EncryptedRegistryEnvelope,
+  keyBase64: string
+): Promise<string> {
+  const key = await importKeyFromBase64(keyBase64);
+  const iv = base64UrlDecode(envelope.iv);
+  const ciphertext = base64UrlDecode(envelope.ciphertext);
+
+  const plaintextBuffer = await crypto.subtle.decrypt(
+    { name: 'AES-GCM', iv: iv as BufferSource },
+    key,
+    ciphertext as BufferSource
+  );
+
+  return new TextDecoder().decode(plaintextBuffer);
+}
+
+/**
+ * Type guard to check if parsed JSON is an encrypted registry envelope.
+ */
+export function isEncryptedEnvelope(data: unknown): data is EncryptedRegistryEnvelope {
+  if (!data || typeof data !== 'object') {
+    return false;
+  }
+  const obj = data as Record<string, unknown>;
+  return (
+    obj.encrypted === true &&
+    obj.algorithm === 'AES-256-GCM' &&
+    obj.version === '1.0' &&
+    typeof obj.iv === 'string' &&
+    typeof obj.ciphertext === 'string'
+  );
+}

package/vite.config.ts

@@ -1,6 +1,7 @@
 import { reactRouter } from "@react-router/dev/vite";
 import { cloudflareDevProxy } from "@react-router/dev/vite/cloudflare";
 import { defineConfig } from "vite";
+import { getLoadContext } from "./load-context";
 
 export default defineConfig({
   server: {
@@ -14,7 +15,7 @@ export default defineConfig({
     tsconfigPaths: true,
   },
   plugins: [
-    cloudflareDevProxy(),
+    cloudflareDevProxy({ getLoadContext }),
     reactRouter(),
   ],
 });

package/workers/audit-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-worker",
-  "version": "7.1.3",
+  "version": "8.0.1",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.90.0"
+    "wrangler": "^4.103.0"
   }
 }

package/workers/audit-worker/src/crypto/data-at-rest.ts

@@ -6,84 +6,21 @@ import type {
   DataAtRestEnvelope,
   DecryptionTelemetryOutcome,
   Env,
-  KeyRegistryPayload,
   PrivateKeyRegistry
 } from '../types';
-
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
+import { fetchKeyRegistryFromR2 } from '../../../../shared/registry/r2-key-registry';
 
 function getNonEmptyString(value: unknown): string | null {
   return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
 }
 
-function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
-  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
-
-  if (registryJson) {
-    let parsedRegistry: unknown;
-
-    try {
-      parsedRegistry = JSON.parse(registryJson) as unknown;
-    } catch {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const rawKeys = payload.keys && typeof payload.keys === 'object'
-      ? payload.keys as Record<string, unknown>
-      : parsedRegistry as Record<string, unknown>;
-
-    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
-      if (keyId === 'activeKeyId' || keyId === 'keys') {
-        continue;
-      }
-
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
-    }
-
-    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
-      throw new Error('DATA_AT_REST active key ID is not present in DATA_AT_REST_ENCRYPTION_KEYS_JSON');
-    }
-
-    return {
-      activeKeyId: resolvedActiveKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
-  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error('Data-at-rest decryption key registry is not configured');
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-
-  return {
-    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
-    keys
-  };
+async function getDataAtRestPrivateKeyRegistry(env: Env): Promise<PrivateKeyRegistry> {
+  return fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'data-at-rest',
+    env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
 }
 
 function buildPrivateKeyCandidates(
@@ -312,7 +249,7 @@ export async function decryptAuditJsonWithRegistry(
   envelope: DataAtRestEnvelope,
   env: Env
 ): Promise<string> {
-  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const keyRegistry = await getDataAtRestPrivateKeyRegistry(env);
   const candidates = buildPrivateKeyCandidates(envelope.keyId, keyRegistry);
   const primaryKeyId = candidates[0]?.keyId ?? null;
   let lastError: unknown;

package/workers/audit-worker/src/types.ts

@@ -1,5 +1,7 @@
 export interface Env {
   STRIAE_AUDIT: R2Bucket;
+  STRIAE_CONFIG: R2Bucket;
+  REGISTRY_ENCRYPTION_KEY: string;
   DATA_AT_REST_ENCRYPTION_ENABLED?: string;
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
   DATA_AT_REST_ENCRYPTION_PUBLIC_KEY?: string;

package/workers/audit-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/audit-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-05-23",
+  "compatibility_date": "2026-06-20",
   "compatibility_flags": [
     "nodejs_compat"
   ], 
@@ -16,6 +16,10 @@
     {
       "binding": "STRIAE_AUDIT",
       "bucket_name": "AUDIT_BUCKET_NAME"
+    },
+    {
+      "binding": "STRIAE_CONFIG",
+      "bucket_name": "CONFIG_BUCKET_NAME"
     }
   ],
 

package/workers/data-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "data-worker",
-  "version": "7.1.3",
+  "version": "8.0.1",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,7 +8,7 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.14.9",
-    "wrangler": "^4.90.0"
+    "@cloudflare/vitest-pool-workers": "^0.16.18",
+    "wrangler": "^4.103.0"
   }
 }

package/workers/data-worker/src/handlers/decrypt-export.ts

@@ -52,7 +52,7 @@ export async function handleDecryptExport(
     }
 
     const recordKeyId = getNonEmptyString(keyId);
-    const decryptionContext = buildExportDecryptionContext(recordKeyId, env);
+    const decryptionContext = await buildExportDecryptionContext(recordKeyId, env);
 
     let plaintextData: string;
     try {

package/workers/data-worker/src/handlers/signing.ts

@@ -14,6 +14,7 @@ import {
   isValidConfirmationPayload,
   isValidManifestPayload
 } from '../signing-payload-utils';
+import { getManifestSigningKeyContext } from '../registry/key-registry';
 import type { CreateResponse, Env } from '../types';
 
 async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
@@ -22,10 +23,12 @@ async function signPayloadWithWorkerKey(payload: string, env: Env): Promise<{
   signedAt: string;
   value: string;
 }> {
+  const signingContext = await getManifestSigningKeyContext(env);
+
   return signWithWorkerKey(
     payload,
-    env.MANIFEST_SIGNING_PRIVATE_KEY,
-    env.MANIFEST_SIGNING_KEY_ID,
+    signingContext.privateKeyPem,
+    signingContext.keyId,
     FORENSIC_MANIFEST_SIGNATURE_ALGORITHM
   );
 }

package/workers/data-worker/src/registry/key-registry.ts

@@ -8,95 +8,14 @@ import type {
   DecryptionTelemetryOutcome,
   Env,
   ExportDecryptionContext,
-  KeyRegistryPayload,
   PrivateKeyRegistry
 } from '../types';
-
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
+import { fetchKeyRegistryFromR2 } from '../../../../shared/registry/r2-key-registry';
 
 export function getNonEmptyString(value: unknown): string | null {
   return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
 }
 
-function parsePrivateKeyRegistry(input: {
-  registryJson: string | undefined;
-  activeKeyId: string | undefined;
-  legacyKeyId: string | undefined;
-  legacyPrivateKey: string | undefined;
-  context: string;
-}): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(input.activeKeyId);
-  const registryJson = getNonEmptyString(input.registryJson);
-
-  if (registryJson) {
-    let parsedRegistry: unknown;
-
-    try {
-      parsedRegistry = JSON.parse(registryJson) as unknown;
-    } catch {
-      throw new Error(`${input.context} registry JSON is invalid`);
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error(`${input.context} registry JSON must be an object`);
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const rawKeys = payload.keys && typeof payload.keys === 'object'
-      ? payload.keys as Record<string, unknown>
-      : parsedRegistry as Record<string, unknown>;
-
-    for (const [keyId, pemValue] of Object.entries(rawKeys)) {
-      if (keyId === 'activeKeyId' || keyId === 'keys') {
-        continue;
-      }
-
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error(`${input.context} registry does not contain any usable keys`);
-    }
-
-    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
-      throw new Error(`${input.context} active key ID is not present in registry`);
-    }
-
-    return {
-      activeKeyId: resolvedActiveKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(input.legacyKeyId);
-  const legacyPrivateKey = getNonEmptyString(input.legacyPrivateKey);
-
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error(`${input.context} private key registry is not configured`);
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-  const resolvedActiveKeyId = configuredActiveKeyId ?? legacyKeyId;
-
-  return {
-    activeKeyId: resolvedActiveKeyId,
-    keys
-  };
-}
-
 function buildPrivateKeyCandidates(
   recordKeyId: string | null,
   registry: PrivateKeyRegistry
@@ -154,28 +73,51 @@ function logRegistryDecryptionTelemetry(input: {
   console.info('Key registry decryption resolved', details);
 }
 
-function getDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  return parsePrivateKeyRegistry({
-    registryJson: env.DATA_AT_REST_ENCRYPTION_KEYS_JSON,
-    activeKeyId: env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID,
-    legacyKeyId: env.DATA_AT_REST_ENCRYPTION_KEY_ID,
-    legacyPrivateKey: env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY,
-    context: 'Data-at-rest decryption'
-  });
+async function getDataAtRestPrivateKeyRegistry(env: Env): Promise<PrivateKeyRegistry> {
+  return fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'data-at-rest',
+    env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
 }
 
-function getExportPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  return parsePrivateKeyRegistry({
-    registryJson: env.EXPORT_ENCRYPTION_KEYS_JSON,
-    activeKeyId: env.EXPORT_ENCRYPTION_ACTIVE_KEY_ID,
-    legacyKeyId: env.EXPORT_ENCRYPTION_KEY_ID,
-    legacyPrivateKey: env.EXPORT_ENCRYPTION_PRIVATE_KEY,
-    context: 'Export decryption'
-  });
+async function getExportPrivateKeyRegistry(env: Env): Promise<PrivateKeyRegistry> {
+  return fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'export-encryption',
+    env.EXPORT_ENCRYPTION_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
+}
+
+export async function getManifestSigningKeyContext(env: Env): Promise<{ keyId: string; privateKeyPem: string }> {
+  const keyRegistry = await fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'manifest-signing',
+    env.MANIFEST_SIGNING_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
+
+  const resolvedKeyId = keyRegistry.activeKeyId;
+
+  if (!resolvedKeyId) {
+    throw new Error('Manifest signing active key ID is not configured');
+  }
+
+  const privateKeyPem = keyRegistry.keys[resolvedKeyId];
+  if (!privateKeyPem) {
+    throw new Error('Manifest signing active key ID is not present in key registry');
+  }
+
+  return {
+    keyId: resolvedKeyId,
+    privateKeyPem
+  };
 }
 
-export function buildExportDecryptionContext(keyId: string | null, env: Env): ExportDecryptionContext {
-  const keyRegistry = getExportPrivateKeyRegistry(env);
+export async function buildExportDecryptionContext(keyId: string | null, env: Env): Promise<ExportDecryptionContext> {
+  const keyRegistry = await getExportPrivateKeyRegistry(env);
   const candidates = buildPrivateKeyCandidates(keyId, keyRegistry);
 
   if (candidates.length === 0) {
@@ -194,7 +136,7 @@ export async function decryptJsonFromStorageWithRegistry(
   envelope: DataAtRestEnvelope,
   env: Env
 ): Promise<string> {
-  const keyRegistry = getDataAtRestPrivateKeyRegistry(env);
+  const keyRegistry = await getDataAtRestPrivateKeyRegistry(env);
   const candidates = buildPrivateKeyCandidates(getNonEmptyString(envelope.keyId), keyRegistry);
   const primaryKeyId = candidates[0]?.keyId ?? null;
   let lastError: unknown;

package/workers/data-worker/src/types.ts

@@ -1,7 +1,11 @@
 export interface Env {
   STRIAE_DATA: R2Bucket;
-  MANIFEST_SIGNING_PRIVATE_KEY: string;
-  MANIFEST_SIGNING_KEY_ID: string;
+  STRIAE_CONFIG: R2Bucket;
+  REGISTRY_ENCRYPTION_KEY: string;
+  MANIFEST_SIGNING_PRIVATE_KEY?: string;
+  MANIFEST_SIGNING_KEY_ID?: string;
+  MANIFEST_SIGNING_KEYS_JSON?: string;
+  MANIFEST_SIGNING_ACTIVE_KEY_ID?: string;
   EXPORT_ENCRYPTION_PRIVATE_KEY?: string;
   EXPORT_ENCRYPTION_KEY_ID?: string;
   EXPORT_ENCRYPTION_KEYS_JSON?: string;

package/workers/data-worker/wrangler.jsonc.example

@@ -3,7 +3,7 @@
   "account_id": "ACCOUNT_ID",
   "main": "src/data-worker.ts",
   "workers_dev": false,
-  "compatibility_date": "2026-05-23",
+  "compatibility_date": "2026-06-20",
   "compatibility_flags": [
     "nodejs_compat"
   ], 
@@ -16,6 +16,10 @@
     {
       "binding": "STRIAE_DATA",
       "bucket_name": "DATA_BUCKET_NAME"
+    },
+    {
+      "binding": "STRIAE_CONFIG",
+      "bucket_name": "CONFIG_BUCKET_NAME"
     }
   ],
 

package/workers/image-worker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "image-worker",
-  "version": "7.1.3",
+  "version": "8.0.1",
   "private": true,
   "scripts": {
     "deploy": "wrangler deploy",
@@ -8,6 +8,6 @@
     "start": "wrangler dev"
   },
   "devDependencies": {
-    "wrangler": "^4.90.0"
+    "wrangler": "^4.103.0"
   }
 }

package/workers/image-worker/src/security/key-registry.ts

@@ -5,13 +5,9 @@ import {
 import type {
   DecryptionTelemetryOutcome,
   Env,
-  KeyRegistryPayload,
   PrivateKeyRegistry
 } from '../types';
-
-function normalizePrivateKeyPem(rawValue: string): string {
-  return rawValue.trim().replace(/^['"]|['"]$/g, '').replace(/\\n/g, '\n');
-}
+import { fetchKeyRegistryFromR2 } from '../../../../shared/registry/r2-key-registry';
 
 function getNonEmptyString(value: unknown): string | null {
   return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
@@ -23,76 +19,19 @@ export function requireEncryptionUploadConfig(env: Env): void {
   }
 }
 
-export function requireEncryptionRetrievalConfig(env: Env): void {
-  const hasLegacyPrivateKey = typeof env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY === 'string' && env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY.trim().length > 0;
-  const hasRegistry = typeof env.DATA_AT_REST_ENCRYPTION_KEYS_JSON === 'string' && env.DATA_AT_REST_ENCRYPTION_KEYS_JSON.trim().length > 0;
-
-  if (!hasLegacyPrivateKey && !hasRegistry) {
-    throw new Error('Data-at-rest decryption registry is not configured for image retrieval');
-  }
+export function requireEncryptionRetrievalConfig(_env: Env): void {
+  // Key registry is now fetched from R2 at decryption time.
+  // This check is kept for interface compatibility but validation
+  // happens when fetchKeyRegistryFromR2 is called.
 }
 
-function parseDataAtRestPrivateKeyRegistry(env: Env): PrivateKeyRegistry {
-  const keys: Record<string, string> = {};
-  const configuredActiveKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID);
-  const registryJson = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEYS_JSON);
-
-  if (registryJson) {
-    let parsedRegistry: unknown;
-    try {
-      parsedRegistry = JSON.parse(registryJson) as unknown;
-    } catch {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON is not valid JSON');
-    }
-
-    if (!parsedRegistry || typeof parsedRegistry !== 'object') {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must be an object');
-    }
-
-    const payload = parsedRegistry as KeyRegistryPayload;
-    if (!payload.keys || typeof payload.keys !== 'object') {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON must include a keys object');
-    }
-
-    for (const [keyId, pemValue] of Object.entries(payload.keys as Record<string, unknown>)) {
-      const normalizedKeyId = getNonEmptyString(keyId);
-      const normalizedPem = getNonEmptyString(pemValue);
-      if (!normalizedKeyId || !normalizedPem) {
-        continue;
-      }
-
-      keys[normalizedKeyId] = normalizePrivateKeyPem(normalizedPem);
-    }
-
-    const payloadActiveKeyId = getNonEmptyString(payload.activeKeyId);
-    const resolvedActiveKeyId = configuredActiveKeyId ?? payloadActiveKeyId;
-
-    if (Object.keys(keys).length === 0) {
-      throw new Error('DATA_AT_REST_ENCRYPTION_KEYS_JSON does not contain any usable keys');
-    }
-
-    if (resolvedActiveKeyId && !keys[resolvedActiveKeyId]) {
-      throw new Error('DATA_AT_REST active key ID is not present in DATA_AT_REST_ENCRYPTION_KEYS_JSON');
-    }
-
-    return {
-      activeKeyId: resolvedActiveKeyId ?? null,
-      keys
-    };
-  }
-
-  const legacyKeyId = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_KEY_ID);
-  const legacyPrivateKey = getNonEmptyString(env.DATA_AT_REST_ENCRYPTION_PRIVATE_KEY);
-  if (!legacyKeyId || !legacyPrivateKey) {
-    throw new Error('Data-at-rest decryption key registry is not configured');
-  }
-
-  keys[legacyKeyId] = normalizePrivateKeyPem(legacyPrivateKey);
-
-  return {
-    activeKeyId: configuredActiveKeyId ?? legacyKeyId,
-    keys
-  };
+async function getDataAtRestPrivateKeyRegistry(env: Env): Promise<PrivateKeyRegistry> {
+  return fetchKeyRegistryFromR2(
+    env.STRIAE_CONFIG,
+    'data-at-rest',
+    env.DATA_AT_REST_ENCRYPTION_ACTIVE_KEY_ID,
+    env.REGISTRY_ENCRYPTION_KEY
+  );
 }
 
 function buildPrivateKeyCandidates(
@@ -156,7 +95,7 @@ export async function decryptBinaryWithRegistry(
   envelope: DataAtRestEnvelope,
   env: Env
 ): Promise<ArrayBuffer> {
-  const keyRegistry = parseDataAtRestPrivateKeyRegistry(env);
+  const keyRegistry = await getDataAtRestPrivateKeyRegistry(env);
   const candidates = buildPrivateKeyCandidates(envelope.keyId, keyRegistry);
   const primaryKeyId = candidates[0]?.keyId ?? null;
   let lastError: unknown;

package/workers/image-worker/src/types.ts

@@ -1,5 +1,7 @@
 export interface Env {
   STRIAE_FILES: R2Bucket;
+  STRIAE_CONFIG: R2Bucket;
+  REGISTRY_ENCRYPTION_KEY: string;
   DATA_AT_REST_ENCRYPTION_PRIVATE_KEY?: string;
   DATA_AT_REST_ENCRYPTION_PUBLIC_KEY: string;
   DATA_AT_REST_ENCRYPTION_KEY_ID: string;