Hello.
I’m trying to work with key rotation with Atlas and Azure KMS. I’m able to successfully create a data key, encrypt and decrypt data, but I can’t establish a workable process for key rotation (Azure).

I have a DEK that contains a CMK as follows, which references key version d45..:

```json
{
  "_id": ...,
  "keyAltNames": ...,
  "keyMaterial": {...},
  "creationDate": {
    "$date": {
      "$numberLong": "1676613292399"
    }
  },
  "updateDate": {
    "$date": {
      "$numberLong": "1676982904374"
    }
  },
  "status": 0,
  "masterKey": {
    "provider": "azure",
    "keyVaultEndpoint": "<redacted>",
    "keyName": "<redacted>",
    "keyVersion": "d4556112323948f2921498bdce51ebc2"
  }
}
```

In Azure KMS, I have a newly rotated key with version 794..

Does anyone know how I can ‘rotate’, and so be able to decrypt data in mongo that has been encrypted with key version d45.. by using the newly rotated key version 794.., and so disable the d45... key version in Azure?

Things I’ve tried

I had understood `rewrap_many_data_key()` would update the master key document to reference the new version, but this is not the case. The key version remains at d45..

Would anyone be able to advise on how I am able to continue to have data decryptable that has been encrypted with the master key with version d45.., yet encrypt future fields with version 794..?

Surely this isn’t a case of manually re-encrypting in an offline process?
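Added example, not the poster's code and not taken from the MongoDB driver: it shows the shape of a `rewrap_many_data_key()` call that targets a specific new Azure CMK version, plus the key-vault check worth running before the old version is disabled in Azure. The real `ClientEncryption.rewrap_many_data_key(filter, provider=None, master_key=None)` signature (pymongo 4.2+) is used as-is; everything else is assumed: the endpoint and key name are placeholders because the post redacts them, the new version id is a placeholder because the post truncates it, and `FakeClientEncryption` / `FakeKeyVault` are constructed offline stand-ins that only model the effect on the vault documents (they do not talk to Azure or MongoDB). The one behaviour they model that matters here is that a rewrap issued without `provider`/`master_key` keeps each DEK on its current `masterKey`, while a rewrap given the new `masterKey` document records the new `keyVersion`. Because rewrapping only re-encrypts the DEK material and never changes the DEK bytes themselves, ciphertext already stored in the data collections stays decryptable either way.

```python
# Added example (not the poster's code). Rewrap every Azure-wrapped DEK from
# OLD_VERSION to NEW_VERSION and verify the vault before disabling OLD_VERSION.
from typing import Any, Dict, List

ENDPOINT = "https://example-vault.vault.azure.net"  # placeholder (redacted in post)
KEY_NAME = "example-cmk"                            # placeholder (redacted in post)
OLD_VERSION = "d4556112323948f2921498bdce51ebc2"    # from the posted DEK document
NEW_VERSION = "794-placeholder-version-id"          # placeholder (truncated in post)


def rewrap_filter(endpoint: str, key_name: str, old_version: str) -> Dict[str, Any]:
    """Key-vault filter selecting only DEKs still wrapped by the old CMK version;
    other providers and keys already on the new version are left untouched."""
    return {
        "masterKey.provider": "azure",
        "masterKey.keyVaultEndpoint": endpoint,
        "masterKey.keyName": key_name,
        "masterKey.keyVersion": old_version,
    }


def new_master_key(endpoint: str, key_name: str, new_version: str) -> Dict[str, str]:
    """Azure masterKey document for the new CMK version. Passed as master_key,
    this is what gets stored back into each rewrapped DEK's masterKey."""
    return {"keyVaultEndpoint": endpoint, "keyName": key_name, "keyVersion": new_version}


def rewrap_to_new_version(client_encryption, endpoint, key_name, old_version, new_version):
    """Rewrap every DEK on old_version under new_version. Only the wrapped key
    material in the vault changes; the DEK bytes and existing ciphertext do not."""
    return client_encryption.rewrap_many_data_key(
        rewrap_filter(endpoint, key_name, old_version),
        provider="azure",
        master_key=new_master_key(endpoint, key_name, new_version),
    )


def keys_still_on_version(key_vault, version: str) -> int:
    """Pre-flight check: any DEK still referencing a version that gets disabled
    in Azure becomes undecryptable, so this must be 0 for the old version."""
    return key_vault.count_documents({"masterKey.provider": "azure",
                                      "masterKey.keyVersion": version})


# --- Constructed offline stand-ins for ClientEncryption and the __keyVault collection ---
def _get_path(doc: Any, dotted: str) -> Any:
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc


class FakeKeyVault:
    def __init__(self, docs: List[Dict[str, Any]]):
        self.docs = docs

    def matches(self, doc: Dict[str, Any], flt: Dict[str, Any]) -> bool:
        return all(_get_path(doc, k) == v for k, v in flt.items())

    def count_documents(self, flt: Dict[str, Any]) -> int:
        return sum(1 for d in self.docs if self.matches(d, flt))


class FakeClientEncryption:
    """Models only the vault-side effect: with provider and master_key given,
    matching DEKs get the new masterKey; without them, each DEK is rewrapped
    under its current masterKey, so keyVersion stays as it was."""
    def __init__(self, vault: FakeKeyVault):
        self.vault = vault

    def rewrap_many_data_key(self, flt, provider=None, master_key=None):
        modified = 0
        for d in self.vault.docs:
            if self.vault.matches(d, flt):
                if provider is not None and master_key is not None:
                    d["masterKey"] = {"provider": provider, **master_key}
                modified += 1
        return {"modified_count": modified}  # real driver: RewrapManyDataKeyResult


def sample_vault() -> FakeKeyVault:
    """Constructed key documents shaped like the posted one (keyMaterial elided)."""
    def azure(version: str) -> Dict[str, Any]:
        return {"masterKey": {"provider": "azure", "keyVaultEndpoint": ENDPOINT,
                              "keyName": KEY_NAME, "keyVersion": version}}
    return FakeKeyVault([
        {"_id": 1, "status": 0, **azure(OLD_VERSION)},
        {"_id": 2, "status": 0, **azure(OLD_VERSION)},
        {"_id": 3, "status": 0, **azure(NEW_VERSION)},                 # already rotated
        {"_id": 4, "status": 0, "masterKey": {"provider": "local"}},   # not Azure
    ])


if __name__ == "__main__":
    vault = sample_vault()
    ce = FakeClientEncryption(vault)
    print("on old version before:", keys_still_on_version(vault, OLD_VERSION))
    print(rewrap_to_new_version(ce, ENDPOINT, KEY_NAME, OLD_VERSION, NEW_VERSION))
    print("on old version after:", keys_still_on_version(vault, OLD_VERSION))
```

Against a real deployment, `client_encryption` would be a `ClientEncryption` configured with the Azure `kms_providers` credentials and `key_vault` the `encryption.__keyVault` collection; the filter and `master_key` documents are passed unchanged. The order a practitioner would follow is rewrap, confirm the count on the old version is 0, and only then disable the old version in Azure Key Vault.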