KMS rotation process

Time:07-28

I want to implement envelope encryption using KMS.

I would encrypt a few properties in a NoSQL DB. It is the first time I'm doing this, and from what I have read I will need to save my encrypted data key along with the data.

My question is: at some point I would like to rotate the CMK that KMS is using to encrypt the data key. For that scenario, would I need to write a process to re-encrypt my data key with the new CMK that KMS will use? Do I need to replace the encrypted data key with a new one?

CodePudding user response:

Would I need to write a process to re-encrypt my data key with the new CMK that KMS will use? Do I need to replace the encrypted data key with a new one?

If you use automatic rotation, you don't have to do anything in terms of data keys. They are not affected by rotation. From the docs:

automatic key rotation has no effect on the data that the KMS key protects. It does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key.

But if you use manual rotation, you may have to re-encrypt everything. From the docs:

If you manually rotate your imported or custom key store keys, you may have to re-encrypt your data depending on whether you decide to keep old versions of keys available.
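As an added illustration of the two cases in this answer (this is not code from the original post or from AWS): the block below models a KMS key with versioned backing material in plain Python so that it runs offline. FakeKms, toy_encrypt/toy_decrypt and the record layout are assumptions standing in for KMS and AES-GCM; the toy cipher is an HMAC-SHA256 keystream plus an HMAC tag and is not for production use. It shows that after automatic rotation a previously wrapped data key still decrypts with no change to the stored record (the ciphertext blob identifies the key and the version of its material, as the real KMS blob does), that manual rotation to a new CMK needs a re-wrap pass over the stored data keys only (modeled on the KMS ReEncrypt call, which leaves the payload ciphertext untouched), and that only rotating the data key itself re-encrypts the payload, which is the separate step the docs say CMK rotation does not perform for a compromised data key.

```python
import hashlib
import hmac
import os
import secrets
import struct

# ---- toy authenticated cipher: stand-in for AES-GCM, NOT for production ----

def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- toy model of a KMS key (assumption: mimics the rotation semantics, not the API) ----

class FakeKms:
    def __init__(self):
        self._versions = {}   # key_id -> list of backing keys; rotation appends, never deletes
        self._enabled = {}

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)
        self._versions[key_id] = [os.urandom(32)]
        self._enabled[key_id] = True
        return key_id

    def rotate_automatically(self, key_id: str) -> None:
        # New material is used for new wraps; old material is kept so old blobs still decrypt.
        self._versions[key_id].append(os.urandom(32))

    def disable_key(self, key_id: str) -> None:
        self._enabled[key_id] = False

    def _wrap(self, key_id: str, data_key: bytes) -> bytes:
        if not self._enabled[key_id]:
            raise PermissionError(f"{key_id} is disabled")
        version = len(self._versions[key_id]) - 1
        # The blob records which key and which material version wrapped it.
        return f"{key_id}:{version}:".encode() + toy_encrypt(self._versions[key_id][version], data_key)

    def generate_data_key(self, key_id: str):
        data_key = os.urandom(32)
        return data_key, self._wrap(key_id, data_key)

    def decrypt(self, wrapped: bytes) -> bytes:
        key_id, version, ct = wrapped.split(b":", 2)
        key_id = key_id.decode()
        if not self._enabled[key_id]:
            raise PermissionError(f"{key_id} is disabled")
        return toy_decrypt(self._versions[key_id][int(version)], ct)

    def re_encrypt(self, wrapped: bytes, new_key_id: str) -> bytes:
        # Like KMS ReEncrypt: the plaintext data key never leaves the service.
        return self._wrap(new_key_id, self.decrypt(wrapped))

# ---- application side: one envelope-encrypted property stored with its wrapped data key ----

def encrypt_property(kms: FakeKms, key_id: str, plaintext: bytes) -> dict:
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"ciphertext": toy_encrypt(data_key, plaintext), "wrapped_dk": wrapped}

def decrypt_property(kms: FakeKms, field: dict) -> bytes:
    return toy_decrypt(kms.decrypt(field["wrapped_dk"]), field["ciphertext"])

def rewrap_after_manual_rotation(kms: FakeKms, fields, new_key_id: str) -> int:
    """Manual CMK rotation: re-wrap each stored data key; the payload ciphertext is untouched."""
    for field in fields:
        field["wrapped_dk"] = kms.re_encrypt(field["wrapped_dk"], new_key_id)
    return len(fields)

def rotate_data_key(kms: FakeKms, key_id: str, field: dict) -> None:
    """Only this re-encrypts the data itself; needed if a data key is suspected compromised."""
    field.update(encrypt_property(kms, key_id, decrypt_property(kms, field)))

if __name__ == "__main__":
    kms = FakeKms()
    cmk = kms.create_key()
    doc = {"ssn": encrypt_property(kms, cmk, b"123-45-6789")}   # constructed sample record
    kms.rotate_automatically(cmk)
    print(decrypt_property(kms, doc["ssn"]))   # still decrypts, record unchanged
    new_cmk = kms.create_key()
    rewrap_after_manual_rotation(kms, [doc["ssn"]], new_cmk)
    kms.disable_key(cmk)
    print(decrypt_property(kms, doc["ssn"]))   # now wrapped by the new CMK
```

In practice the re-wrap pass is the only application-side job that a manual CMK change creates: it touches a few dozen bytes per record rather than the payload, and the old CMK should be disabled only after every stored blob has been re-wrapped and spot-checked, since any blob still naming the old key stops decrypting the moment it is disabled.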
