I want to implement envelope encryption using KMS.
I would encrypt a few properties in a NoSQL DB. It is the first time that I'm doing it, and from what I have read I will need to save my encrypted data key along with the data.
My question is: at some point I would like to rotate the CMK key that KMS is using to encrypt the data key. For that scenario, would I need to write a process to re-encrypt my data key with the new CMK that KMS will use? Do I need to replace the encrypted data key with a new one?
CodePudding user response:
would I need to write a process to re-encrypt my data key with the new CMK that KMS will use? Do I need to replace the encrypted data key with a new one?
If you use automated rotation, you don't have to do anything in terms of data keys. They are not affected by rotation. From the docs:
automatic key rotation has no effect on the data that the KMS key protects. It does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key.
But if you use manual rotation, you may have to re-encrypt everything. From the docs:
If you manually rotate your imported or custom key store keys, you may have to re-encrypt your data depending on whether you decide to keep old versions of keys available.
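The two rotation cases the answer describes, worked through in Go as an added example; this is not code from the question, the answer, or the AWS SDK. The fakeKMS type is a constructed in-process simulation of KMS: Encrypt, Decrypt and ReEncrypt are named after the KMS operations but their signatures are this example's own (the CMK id is passed explicitly to Decrypt, whereas real KMS reads it from the ciphertext blob), and the CMK ids "cmk-A"/"cmk-B" and the sample value "555-0100" are constructed. Automatic rotation is modelled by adding a backing-key version under the same id, so stored records keep decrypting untouched; manual rotation to a new CMK id is the case where RewrapRecord has to re-wrap every stored data key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the persisted NoSQL item: the CMK id, the wrapped data key, and the encrypted property.
type Record struct {
	KeyID            string
	EncryptedDataKey []byte // nonce || AES-GCM ciphertext of the 256-bit data key
	Ciphertext       []byte // nonce || AES-GCM ciphertext of the property value
}

// fakeKMS is a constructed stand-in for AWS KMS (not the AWS SDK): each CMK id maps
// to its backing-key versions, oldest first; automatic rotation appends a new one.
type fakeKMS map[string][][]byte

// must panics on error: keys here are always 32 internally generated bytes, so AES-GCM setup cannot fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal/open serve both the fake KMS (wrapping data keys) and the application
// (encrypting the property). Output layout is nonce || ciphertext.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// CreateKey provisions a CMK. RotateBackingKey models automatic rotation: new material
// under the same id, old versions retained. Encrypt/Decrypt/ReEncrypt mirror KMS.
func (k fakeKMS) CreateKey(id string)        { k[id] = [][]byte{randomBytes(32)} }
func (k fakeKMS) RotateBackingKey(id string) { k[id] = append(k[id], randomBytes(32)) }
func (k fakeKMS) Encrypt(id string, plainKey []byte) ([]byte, error) {
	versions, ok := k[id]
	if !ok {
		return nil, fmt.Errorf("unknown CMK %q", id)
	}
	return seal(versions[len(versions)-1], plainKey), nil // always the newest version
}
func (k fakeKMS) Decrypt(id string, wrapped []byte) ([]byte, error) {
	for _, material := range k[id] { // any retained version may unwrap it
		if plainKey, err := open(material, wrapped); err == nil {
			return plainKey, nil
		}
	}
	return nil, fmt.Errorf("no available version of CMK %q unwraps this data key", id)
}
func (k fakeKMS) ReEncrypt(oldID string, wrapped []byte, newID string) ([]byte, error) {
	plainKey, err := k.Decrypt(oldID, wrapped) // the plaintext data key stays inside KMS
	if err != nil {
		return nil, err
	}
	return k.Encrypt(newID, plainKey)
}

// EncryptField uses a fresh data key per record and persists only its wrapped form.
func EncryptField(k fakeKMS, id string, value []byte) (Record, error) {
	plainKey := randomBytes(32)
	wrapped, err := k.Encrypt(id, plainKey)
	if err != nil {
		return Record{}, err
	}
	return Record{KeyID: id, EncryptedDataKey: wrapped, Ciphertext: seal(plainKey, value)}, nil
}

// DecryptField unwraps the data key through KMS, then decrypts the property locally.
func DecryptField(k fakeKMS, r Record) ([]byte, error) {
	plainKey, err := k.Decrypt(r.KeyID, r.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	return open(plainKey, r.Ciphertext)
}

// RewrapRecord is the manual-rotation process the question asks about: only the
// wrapped data key changes; the data key itself and the property ciphertext do not.
func RewrapRecord(k fakeKMS, r Record, newID string) (Record, error) {
	wrapped, err := k.ReEncrypt(r.KeyID, r.EncryptedDataKey, newID)
	return Record{KeyID: newID, EncryptedDataKey: wrapped, Ciphertext: r.Ciphertext}, err
}
```

To exercise it: create "cmk-A", call EncryptField, then RotateBackingKey("cmk-A") and confirm DecryptField still succeeds on the unchanged record (automatic rotation). Then create "cmk-B", run RewrapRecord over every record, and only afterwards retire "cmk-A" (here by deleting its map entry); a record that was not re-wrapped stops decrypting the moment the old CMK is gone, which is the "depending on whether you decide to keep old versions of keys available" clause of the answer. Because re-wrapping goes through ReEncrypt, the rotation job never needs the plaintext data key or the property ciphertext, so it can run as a batch over the table without touching the encrypted properties.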