Rotating local master key using RewrapManyDataKey

Kevin_Rathgeber · September 1, 2023, 8:56pm

I’m just testing out the key rotation in a proof of concept so I’m using the local key provider. I create my NewClientEncryption using the existing master key and then I’m trying to rotate to a new one using RewrapManyDataKey. I’m a little confused on what the RewrapManyDataKey options are expecting.

I tried giving it the new master key like this:

	rwo := options.RewrapManyDataKey().
		SetProvider("local").
		SetMasterKey(bson.M{"masterKey": "<new key>"})

but then I get an error saying error="mongocrypt error 1: Unexpected field: 'masterKey'".

What is the SetMasterKey option expecting? I tried it with just the string and it errored because that’s not a valid bson document.

Is local key rotation supported? The docs seem to only mention it for Azure, GCP, and AWS.

Paul_Henderson · April 21, 2025, 7:21pm

hey Kevin, did you ever get an answer to this?

Joel_Odom · April 30, 2025, 7:12pm

Thanks for re-opening this, Paul. Until https://jira.mongodb.org/browse/DRIVERS-2731 there was no way to use RewrapManyDataKey from a local provider to a local provider. If you look at the “DBX Fields” tab of that Jira you’ll see the drivers we have the new capability in, and you can see my personal sample of how to use it here. Take a look at that and see if it helps you get started.