Mongo CSFLE | Data Key rotation with local KMS provider | Encryption

I am using out of the box client side field level encryption feature of the Mongo Drivers in Java. We are able to get the field encrypted.
I am using the “Local” KMS provider for our implementation, where we have our own logic to create the master key and fetch it from our APIs to populate in the AutoEncryptionSettings.

But now we want to perform key rotations for security purposes.

For this I was exploring the ClientEncryption’s rewrapManyDataKey method →
[ClientEncryption (driver-sync 4.7.0 API) (] ClientEncryption (driver-sync 4.7.0 API) (

What we want to do here is to supply the new master key in the above method and let the data keys in the keyVault get re-encrypted with the newly supplied master key.

The official docs says that in case of “Local” KMS provider, the master key is not applicable for the rewrapManyDataKeyOptions parameter.
Does it mean that the rewrapping of the data keys with the new master key is not possible for the “Local” kms provider?
Is there a solution for enabling key rotation for the “Local” kmsProvider.

1 Like

Hello Ishant and welcome to the MongoDB Community,

Rewrapping of local keys is in the roadmap and should be available in the coming months.

Thank you,



Is it available? Or when is the expected launch date for the functionality? Our team is facing a similar situation and we’re hoping for a resolution.

Hi @XH_ZY, it is available in some drivers, and being planned for others. I suggest watching for updates. Currently it is released in C driver 1.26.0, and in the upcoming release of pymongo 4.7.0.