Hi,
From the question I understand that you would like to know if you will be able to decrypt data after the key that was used to encrypt it rotates.
When key rotation occurs, new key material is created and the previous key material is saved, so you can decrypt any data that was encrypted with that key. I am attaching the following documentation that goes over this here (1). Key information is stored in the ciphertext blob, which is how KMS knows which key to use for decryption; I am attaching the following documentation that goes over this here (2). Therefore you would not need to make any changes when the key rotation occurs, and all information will still be accessible due to the persistence of the saved key information.
I hope you have a great rest of your day!
References:
(1) https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
(2) https://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html#decryption
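To make the rotation behaviour described in the answer concrete, here is an added toy model (not AWS code, and not the real KMS ciphertext format) of a symmetric key whose rotation appends new material while retaining every old version, and whose ciphertext blob carries the key id and material version so that decryption needs neither from the caller. The key id alias/example-key and the HMAC-based toy cipher are constructed for illustration only.

```python
import hashlib
import hmac
import json
import os
import secrets


def blob_metadata(blob: bytes) -> dict:
    # The header carries the key id and material version used for encryption.
    return json.loads(blob.split(b"\x00", 1)[0])


class ModelKmsKey:
    """Toy model of a KMS symmetric key with rotation (not AWS's real format)."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self.materials = [secrets.token_bytes(32)]  # version 0

    def rotate(self) -> None:
        # New material for future encryptions; every old version is retained.
        self.materials.append(secrets.token_bytes(32))

    def _keystream(self, material: bytes, nonce: bytes, length: int) -> bytes:
        # Toy CTR-style keystream from HMAC-SHA256; real KMS uses AES-GCM.
        blocks = (hmac.new(material, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(length // 32 + 1))
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        version = len(self.materials) - 1  # always the newest material
        material, nonce = self.materials[version], os.urandom(16)
        stream = self._keystream(material, nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, stream))
        header = json.dumps({"key_id": self.key_id, "version": version}).encode()
        tag = hmac.new(material, header + nonce + body, hashlib.sha256).digest()
        return header + b"\x00" + nonce + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        # As with KMS Decrypt under a symmetric key, the caller passes no key id
        # or version: both are read back from the blob itself.
        meta = blob_metadata(blob)
        if meta["key_id"] != self.key_id:
            raise ValueError("blob was not produced under this key")
        material = self.materials[meta["version"]]
        header, rest = blob.split(b"\x00", 1)
        nonce, body, tag = rest[:16], rest[16:-32], rest[-32:]
        expected = hmac.new(material, header + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: blob was altered")
        stream = self._keystream(material, nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, stream))
```

A blob produced before rotate() still decrypts afterwards, a blob produced after it is tagged with the new version, and any change to the blob fails the integrity check.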
Hi,
Thanks for the response.
I assume that the KMS service will not only know the key id but also the version of material that it needs to use to decrypt from the CipherTextBlob. Please confirm. We use KMS CSE and I assume it works for CSE too.
Also, does the S3 encryption client store the key used to encrypt the object as metadata, or do I need to keep track of it myself? In some cases I see "kms_cmk_id":"alias/key-alias" in the object metadata and in some cases I don't see it. I think I see it only when the object was created with 'legacy encryption modes'. How do I know the key used to encrypt an object in S3?
Thanks, Sreeni Gunda