Hello and thank you, and thank you for your response.
Okay, this is the documentation I read: https://www.mongodb.com/docs/manual/core/csfle/reference/decryption/#automatic-decryption-process
Maybe I misunderstood it but my interpretation of step #2 - “if the Key Vault collection does not contain the specified key, automatic decryption fails and the driver returns the encrypted BinData blob” - is that it tries to fetch the DEK and if it fails it falls back to just returning the encrypted data.
We just need to know what is supposed to happen so we can plan and implement it accordingly!
Also - should we be fine just rotating our Certificate for our CMK, or should we roll the CMK or DEKs at some interval as well? I had trouble finding any “best practice” information; a lot of it is up to interpretation and I am having a hard time deciding for myself if we should rotate our certificate or all of our DEKs as well.
Many thanks!
Emil