How to rotate Master Key and Data Key for CSFLE in Java Reactive Streams

Hi All,

I’m working on CSFLE using Java Reactive Streams, and I have a requirement to rotate the encryption keys. I need some suggestions on how to rotate the master key and data key used for the encryption.

For now, I’m keeping the master key as a local key (a locally generated 96-byte key), and the data key is stored in the key vault collection. So how can I rotate both keys?

I’ve manually designed a logic to rotate the keys. Please find the steps below.

Rotate Encryption Data Keys

  • We got a suggestion from the Information Security Team to rotate the encryption keys at certain time intervals (e.g. 90 days, 180 days).
  • For the above implementation, we have designed a scheduler that will trigger at the given interval.
  • Once the scheduler job is triggered, we can collect all the encrypted details and decrypt them with the existing data key.
  • After the decryption is done, the next step is to drop the key vault collection from our database.
  • Generate a new data key and insert it into the key vault collection.
  • Once the new key is inserted, we can re-encrypt the data with the new key and save it.
  • The next time the decryption mechanism is called, it will look for the new data key which we used to re-encrypt the data.

I need a better approach to do this task and some referral examples.

Thanks !!
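
Added example, not part of the original post and not MongoDB driver code: a self-contained model of the two rotations asked about, using only the JDK's `javax.crypto`. The `vault` map stands in for the key vault collection; the key ids, the 256-bit AES-GCM wrapping and the sample value are assumptions made for this example.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
public class KeyRotationModel {
    // Hypothetical stand-in for the key vault collection: key id -> data key wrapped by the master key.
    static final Map<String, byte[]> vault = new HashMap<>();
    static SecretKey newKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(256);
        return g.generateKey();
    }
    // AES-GCM with a fresh random 12-byte IV prepended to the ciphertext.
    static byte[] seal(SecretKey k, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array();
    }
    static byte[] open(SecretKey k, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    static SecretKey dataKey(SecretKey master, String id) throws Exception {
        return new SecretKeySpec(open(master, vault.get(id)), "AES");
    }
    public static void main(String[] args) throws Exception {
        SecretKey master = newKey();
        vault.put("dek-1", seal(master, newKey().getEncoded()));
        byte[] field = seal(dataKey(master, "dek-1"), "constructed-value".getBytes(StandardCharsets.UTF_8));
        // Master key rotation: rewrap every vault entry; the stored field ciphertext is not touched.
        SecretKey newMaster = newKey();
        for (Map.Entry<String, byte[]> e : vault.entrySet())
            e.setValue(seal(newMaster, open(master, e.getValue())));
        master = newMaster;
        // Data key rotation: add the new key first, re-encrypt, verify, and only then retire the old key.
        vault.put("dek-2", seal(master, newKey().getEncoded()));
        byte[] plain = open(dataKey(master, "dek-1"), field);
        field = seal(dataKey(master, "dek-2"), plain);
        if (!Arrays.equals(plain, open(dataKey(master, "dek-2"), field))) throw new IllegalStateException("verify failed");
        vault.remove("dek-1");
        System.out.println(new String(open(dataKey(master, "dek-2"), field), StandardCharsets.UTF_8));
    }
}
```

In this model the old data key stays in the vault until the re-encrypted value has been read back successfully, so an interrupted rotation job leaves every value decryptable under one of the two keys.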