How does CMK rotation work with CSFLE

We are considering using client-side field-level encryption and I have the following questions:

  • How does key rotation work?
  • Does key rotation require re-encrypting data on the client-side?
  • What happens if the CMK is rotated without re-encrypting data? Would this mean data loss?

Why is there no answer to such an important security question anywhere?
It’s important to know how this works in order to be able to activate the rotation feature on AWS KMS without taking the risk of losing the key that encrypts all the data, and therefore losing all the data…


Bump on this. I’m also trying to find info on key rotations with CSFLE. I haven’t been able to find documentation about it.


I’d be happy to walk you through the process of key rotation when using a supported cloud KMS. First, it may be helpful to review how keys are used within CSFLE. CSFLE stores encrypted data keys in the MongoDB key vault, which is a collection in your database. Those key vault data keys are encrypted using the cloud KMS’s CMK, through a process called envelope encryption, before being stored in the key vault. The CSFLE documentation page describes the key hierarchy and instructions on how to use the different supported cloud KMSs with CSFLE in the “Encryption Components” section.

When you rotate a CMK in your cloud KMS, any new CSFLE data keys created will be envelope encrypted using the newly rotated CMK, while any existing data keys will remain envelope encrypted using the previous CMK. The cloud KMSs have logic built in that identifies which version of a CMK was used for encryption and will choose the correct CMK for decryption. There are no changes needed on the client side when using the cloud KMS CMK rotate functionality. Please note that this assumes that you have not deleted the previous CMK. Deleting the previous CMK will make your existing data unrecoverable. Please refer to your chosen cloud KMS documentation for instructions on how to rotate a CMK.
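The behaviour described in the reply above, shown as an added example that is not code from the thread or from MongoDB: a hypothetical in-memory KMS (`FakeKMS`, not the AWS KMS API) whose wrapped blobs carry the CMK version they were encrypted under, so data keys wrapped before a rotation still unwrap without client-side re-encryption, while deleting an old CMK version makes every data key wrapped under it unrecoverable. The data keys are constructed sample bytes, not real CSFLE key material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// FakeKMS is a hypothetical stand-in for a cloud KMS CMK with rotation (not the AWS
// KMS API): each rotation appends a new backing key version; older versions stay usable.
type FakeKMS struct {
	versions []cipher.AEAD // index = CMK version; nil once that version is deleted
}

func NewFakeKMS() *FakeKMS { k := &FakeKMS{}; k.Rotate(); return k }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Rotate generates a fresh AES-256-GCM backing key and makes it the current version.
func (k *FakeKMS) Rotate() {
	block, _ := aes.NewCipher(mustRandom(32)) // 32 random bytes: valid AES-256 key, cannot fail
	gcm, _ := cipher.NewGCM(block)            // AES block size is always GCM-compatible
	k.versions = append(k.versions, gcm)
}

// DeleteVersion models deleting an old CMK version, which the reply warns against.
func (k *FakeKMS) DeleteVersion(v int) { k.versions[v] = nil }
// Wrap envelope-encrypts a CSFLE data key under the current CMK version and
// records that version in the blob: version || nonce || ciphertext.
func (k *FakeKMS) Wrap(dataKey []byte) []byte {
	v, nonce := byte(len(k.versions)-1), mustRandom(12)
	return k.versions[v].Seal(append([]byte{v}, nonce...), nonce, dataKey, []byte{v})
}

// Unwrap uses the CMK version recorded in the blob, which is why rotation needs no
// client-side re-encryption; a deleted version leaves its data keys unrecoverable.
func (k *FakeKMS) Unwrap(blob []byte) ([]byte, error) {
	if len(blob) < 13 {
		return nil, fmt.Errorf("malformed blob")
	}
	if v := int(blob[0]); v >= len(k.versions) || k.versions[v] == nil {
		return nil, fmt.Errorf("CMK version %d no longer exists: data key unrecoverable", v)
	}
	return k.versions[blob[0]].Open(nil, blob[1:13], blob[13:], blob[:1])
}
```

A real deployment does the same thing with the cloud KMS's own versioned ciphertext blobs; the only operational rule that carries over is to never delete (or let expire) a CMK version that still wraps keys in the key vault.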
