Hi All,
I’m working on CSFLE using Java Reactive Streams, and I got a requirement to rotate the encryption keys. I need some suggestions on rotating the master key and the data key used for encryption.
For now, I’m keeping the master key as a local key (a locally generated 96-byte key), and the data key is stored in the key vault collection. So how can I rotate both keys?
I’ve manually designed a logic to rotate the keys; please find the steps below.
Rotate Encryption Data Keys
- We got a suggestion from the Information Security Team to rotate the encryption keys at certain time intervals, e.g. 90 days or 180 days.
- For the above, we have designed a scheduler that will trigger at the given interval.
- Once the scheduler job is triggered, we collect all the encrypted details and decrypt them with the existing data key.
- After the decryption is done, the next step is to drop the key vault collection from our database.
- Generate a new data key and insert it into the key vault collection.
- Once the new key is inserted, we re-encrypt the data with the new key and save it.
- The next time the decryption mechanism is called, it will look for the new data key which we used to re-encrypt the data.
I need a better approach for this task and some reference examples.
Thanks !!
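Added example (not code from the post above): a data-key rotation written against the MongoDB Java Reactive Streams driver (4.7+ for `getKeyByAltName`/`deleteKey`) with Project Reactor, using the local master key from the post. It assumes an encrypted field named `ssn`, the vault namespace `encryption.__keyVault`, and that the old and new data keys carry key alt names; it creates the new key first and deletes the old one only after every document has been rewritten, so a failure part-way never strands ciphertext without a key.

```java
import com.mongodb.ClientEncryptionSettings;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.model.Filters;
import com.mongodb.client.model.Updates;
import com.mongodb.client.model.vault.DataKeyOptions;
import com.mongodb.client.model.vault.EncryptOptions;
import com.mongodb.reactivestreams.client.MongoCollection;
import com.mongodb.reactivestreams.client.vault.ClientEncryption;
import com.mongodb.reactivestreams.client.vault.ClientEncryptions;
import org.bson.BsonDocument;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import java.util.List;
import java.util.Map;

public class DataKeyRotation {
    // deterministic keeps the field queryable; use the "-Random" variant if it is never filtered on
    static final String ALG = "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic";

    // ClientEncryption bound to a local master key (96 bytes, as in the post).
    // "encryption.__keyVault" is an assumed vault namespace.
    public static ClientEncryption clientEncryption(MongoClientSettings vaultClient, byte[] localMasterKey) {
        Map<String, Object> local = Map.of("key", localMasterKey);
        return ClientEncryptions.create(ClientEncryptionSettings.builder()
                .keyVaultMongoClientSettings(vaultClient)
                .keyVaultNamespace("encryption.__keyVault")
                .kmsProviders(Map.of("local", local))
                .build());
    }

    // Rotates the data key protecting the assumed field "ssn": create the new key, decrypt and
    // re-encrypt every document, then delete the old key only after the last write succeeded.
    // `coll` must come from a client WITHOUT auto-encryption so ciphertext (subtype 6) is read as-is.
    public static Mono<Long> rotateDataKey(ClientEncryption ce, MongoCollection<BsonDocument> coll,
                                           String oldAltName, String newAltName) {
        return Mono.from(ce.createDataKey("local",
                        new DataKeyOptions().keyAltNames(List.of(newAltName))))
            .flatMap(newKeyId -> Flux.from(coll.find(Filters.exists("ssn")))
                // decrypt() locates the old key via the key id embedded in the ciphertext
                .concatMap(doc -> Mono.from(ce.decrypt(doc.getBinary("ssn")))
                    .flatMap(plain -> Mono.from(ce.encrypt(plain, new EncryptOptions(ALG).keyId(newKeyId))))
                    .flatMap(cipher -> Mono.from(coll.updateOne(
                            Filters.eq("_id", doc.get("_id")), Updates.set("ssn", cipher)))))
                .count()
                // every document now references the new key, so the old one can be retired
                .flatMap(n -> Mono.from(ce.getKeyByAltName(oldAltName))
                    .flatMap(old -> Mono.from(ce.deleteKey(old.getBinary("_id"))))
                    .thenReturn(n)));
    }
}
```

For the master key, `ClientEncryption.rewrapManyDataKey` (driver 4.7+) re-wraps the data keys in the vault under a different master key without rewriting any documents, which keeps the two rotations independent of each other.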