CSFLE key rotation: how to update the CMK in the DEK that references an updated version


I’m trying to work with key rotation with Atlas and Azure KMS. I’m able to successfully create a data key, encrypt and decrypt data but can’t establish a workable process for key rotation (Azure)

I have a DEK that contains a CMK as follows that references keyVersion d45...

In Azure KMS, I have a newly rotated key with version 794..

Does anyone know how I can ‘rotate’ and so be able to decrypt data in mongo that has been encrypted with key version d45 by using the newly rotated key version of 794.., and so disable the d45... key version in Azure?

Things I’ve tried

I had understood rewrap_many_data_key() would update the master key document to reference the new version, but this is not the case. The key version remains at d45

Would anyone be able to advise on how I am able to continue to have data decryptable, that has been encrypted with the master key with version d45.. yet encrypt future fields with version 794

Surely this isn’t a case of manually reencrypting in an offline process?

{
  "_id": ...,
  "keyAltNames": ...,
  "keyMaterial": {...},
  "creationDate": {
    "$date": {
      "$numberLong": "1676613292399"
    }
  },
  "updateDate": {
    "$date": {
      "$numberLong": "1676982904374"
    }
  },
  "status": 0,
  "masterKey": {
    "provider": "azure",
    "keyVaultEndpoint": "<redacted>",
    "keyName": "<redacted>",
    "keyVersion": "d4556112323948f2921498bdce51ebc2"
  }
}

Hi! Thanks for raising this issue. First, could you please provide all of the information specified in our README, and furthermore, it would be super helpful if you could provide a code snippet that shows what you are attempting to do right now. From my understanding of what rewrap_many_data_key does, all you need to do is update the data key, not re-encrypt the old data with that new data key. So, all you have to do to rotate keys is:

key_vault.rewrap_many_data_key({}, {
  provider: 'azure',
  master_key: {
    # put the rest of your master_key options here
    "key": "<your new key>"
  }
})

The first argument is the filter, so if you only want to update some of the data keys, use that. More info can be found here: https://www.mongodb.com/docs/rapid/reference/method/KeyVault.rewrapManyDataKey/

Thanks - I figured it out.
The key I was passing was the existing key.
In my call to rewrap_many_data_key I needed to:

  • include the name of the kms provider
  • amend the keyVersion
# new key version
data_key['masterKey']['keyVersion'] = '794d3e3b66d64e59834d16dde86c72a2'
# client_encryption: the pymongo ClientEncryption instance (attribute name assumed)
self.client_encryption.rewrap_many_data_key(
    filter={"keyAltNames": self.key_alt_name},
    provider=self.kms_provider_name,  # azure
    master_key=data_key['masterKey'],  # same endpoint/keyName, amended keyVersion
)
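To make the semantics of the fix concrete, here is an added, self-contained model of what rewrapManyDataKey does in the envelope-encryption scheme behind CSFLE. It is example code written for this page, not MongoDB driver code: a `FakeAzureKeyVault` class stands in for Azure Key Vault, an HMAC-SHA256 counter-mode keystream stands in for the AES-based cipher the real driver uses (so the example runs with the standard library only), and the key version strings, vault endpoint and key name are placeholders. It shows both the pitfall from the thread (passing the existing master key leaves `keyVersion` unchanged) and the correct rotation: the DEK is unwrapped under the old CMK version, re-wrapped under the new one, field ciphertext is never touched, and old data still decrypts after the old version is disabled.

```python
import hashlib
import hmac
import secrets
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Symmetric encrypt/decrypt: XOR with HMAC-SHA256(key, nonce || counter) blocks.
    # Stand-in for AES in this demo only; not the driver's cipher.
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def _seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: 16-byte nonce || ciphertext || 32-byte HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)


class FakeAzureKeyVault:
    """Constructed stand-in for Azure Key Vault: versioned CMKs that wrap DEKs."""

    def __init__(self, first_version: str):
        self._keys = {first_version: secrets.token_bytes(32)}
        self._disabled = set()
        self.current = first_version

    def rotate(self, new_version: str) -> str:
        self._keys[new_version] = secrets.token_bytes(32)
        self.current = new_version
        return new_version

    def disable(self, version: str) -> None:
        self._disabled.add(version)

    def _cmk(self, version: str) -> bytes:
        if version in self._disabled:
            raise PermissionError(f"key version {version} is disabled")
        return self._keys[version]  # KeyError for an unknown version

    def wrap(self, version: str, dek: bytes) -> bytes:
        return _seal(self._cmk(version), dek)

    def unwrap(self, version: str, wrapped: bytes) -> bytes:
        return _open(self._cmk(version), wrapped)


def create_data_key(vault: FakeAzureKeyVault, key_alt_name: str) -> dict:
    # Key document shaped like the one in the thread; endpoint/keyName are placeholders.
    dek = secrets.token_bytes(32)
    now = int(time.time() * 1000)
    return {"_id": secrets.token_hex(16), "keyAltNames": [key_alt_name],
            "keyMaterial": vault.wrap(vault.current, dek),
            "creationDate": now, "updateDate": now, "status": 0,
            "masterKey": {"provider": "azure",
                          "keyVaultEndpoint": "https://example-vault.vault.azure.net",
                          "keyName": "example-cmk", "keyVersion": vault.current}}


def _unwrap_dek(vault, key_doc) -> bytes:
    return vault.unwrap(key_doc["masterKey"]["keyVersion"], key_doc["keyMaterial"])


def encrypt_field(vault, key_doc, plaintext: bytes) -> bytes:
    return _seal(_unwrap_dek(vault, key_doc), plaintext)


def decrypt_field(vault, key_doc, ciphertext: bytes) -> bytes:
    return _open(_unwrap_dek(vault, key_doc), ciphertext)


def rewrap_many_data_key(vault, key_docs, key_alt_name, provider, master_key) -> int:
    # Model of rewrapManyDataKey: each matching DEK is unwrapped under its current
    # masterKey (old version must still be enabled) and re-wrapped under master_key.
    # Only keyMaterial, masterKey and updateDate change; field ciphertext is untouched.
    rewrapped = 0
    for doc in key_docs:
        if key_alt_name not in doc["keyAltNames"]:
            continue
        dek = _unwrap_dek(vault, doc)
        doc["keyMaterial"] = vault.wrap(master_key["keyVersion"], dek)
        doc["masterKey"] = dict(master_key, provider=provider)
        doc["updateDate"] = int(time.time() * 1000)
        rewrapped += 1
    return rewrapped


def rotation_demo() -> dict:
    old_v, new_v = "d4556112323948f2921498bdce51ebc2", "794d3e3b66d64e59834d16dde86c72a2"
    vault = FakeAzureKeyVault(old_v)
    key_docs = [create_data_key(vault, "ssn-key")]
    ct = encrypt_field(vault, key_docs[0], b"123-45-6789")   # constructed sample field
    # Pitfall from the thread: rewrapping with the existing masterKey changes nothing.
    rewrap_many_data_key(vault, key_docs, "ssn-key", "azure", dict(key_docs[0]["masterKey"]))
    version_before = key_docs[0]["masterKey"]["keyVersion"]
    # Correct rotation: amend keyVersion, keep endpoint/keyName, pass the provider.
    vault.rotate(new_v)
    new_mk = dict(key_docs[0]["masterKey"], keyVersion=new_v)
    n = rewrap_many_data_key(vault, key_docs, "ssn-key", "azure", new_mk)
    vault.disable(old_v)  # old version retired; old ciphertext must still decrypt
    return {"rewrapped": n, "version_before": version_before,
            "version_after": key_docs[0]["masterKey"]["keyVersion"],
            "old_data_decrypts": decrypt_field(vault, key_docs[0], ct)}
```

The order in `rotation_demo` matters operationally: rewrap every DEK first, confirm the key documents now reference the new version, and only then disable the old CMK version, because the rewrap itself needs the old version to unwrap the existing key material.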
