I am using the out-of-the-box client-side field-level encryption feature of the Mongo Drivers in Java. We are able to get the field encrypted.
I am using the “Local” KMS provider for our implementation, where we have our own logic to create the master key and fetch it from our APIs to populate in the AutoEncryptionSettings.
But now we want to perform key rotations for security purposes.
For this I was exploring the ClientEncryption’s rewrapManyDataKey method:
ClientEncryption (driver-sync 4.7.0 API) (mongodb.github.io)
What we want to do here is to supply the new master key in the above method and let the data keys in the keyVault get re-encrypted with the newly supplied master key.
The official docs say that in the case of the “Local” KMS provider, the master key is not applicable for the rewrapManyDataKeyOptions parameter.
Does it mean that the rewrapping of the data keys with the new master key is not possible for the “Local” KMS provider?
Is there a solution for enabling key rotation for the “Local” kmsProvider?