This topic is a continuation of a previous topic that I created. I browsed through the materials that were recommended in the previous topic; those were very helpful, and I have a few questions on the same.
Here is my understanding:
The keys that will be used to encrypt/decrypt the fields in a collection will be stored in the MongoDB keystore (collection). These keys will be encrypted/decrypted using a CMK, and the CMK can be maintained/stored in any external KMS service, for example AWS-KMS.
Here are my questions:
Let's assume that:
- The CMK that is stored in AWS-KMS is rotated after 6 months (but the keys present in the MongoDB keystore are not rotated). This means there will be a newCMK key, but the keys present in the MongoDB keystore are encrypted using the oldCMK key.
- In this case, will there be any issue if this newCMK key is used to decrypt the keys from the MongoDB keystore, as the keys present in the MongoDB keystore were encrypted using the oldCMK key?
Let's assume that:
- The keys present in the MongoDB keystore are rotated.
- After rotation of the keys in the MongoDB keystore, the CMK fetched from AWS-KMS is used to encrypt the rotatedKeys, and these newKeys are stored in the MongoDB keystore.
- In this case, will the MongoDB driver still be able to decrypt the fields that were encrypted by the oldKeys?
As I don't have clarity on crypto-related topics, I would like to have some clarity on the below question as well:
"If a particular piece of data is encrypted using a key and this key is rotated (which gives rise to a newKey), will this newKey still be able to decrypt the data that was encrypted using the oldKey?"
I feel like all the above questions are similar, but I'm not sure about it. I'm looking forward to the response.