Comments - Data-at-Rest Encryption Overview

7 years, 5 months ago Vladislav Vaintroub

AWS KMS does not need or accept a master key id for Decrypt; it only needs it for GenerateDataKey/Encrypt. http://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html

As you can see, Decrypt actually *returns* the master-key-id that was used for GenerateDataKey in its response (how it knows it, I have no idea, never checked), in addition to the Plaintext that we use.

Thus:

- rotate does KMS-GenerateDataKey(). It *needs* the master key id. Ditto CREATE/ALTER TABLE with new key ids, or
- decrypt (at startup time) does KMS-Decrypt(). It *does not need* the master key id. It can decrypt multiple local keys, backed by different CMKs, or by a single CMK that was transparently rotated by AWS.
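The two call paths described in the comment above, as an added, runnable model that is not code from the comment author, the MariaDB plugin or AWS. `FakeKms` is an offline stand-in for KMS: `generate_data_key` insists on a `KeyId`, `decrypt` takes none, and the ciphertext blob it produces carries a header naming the CMK and the backing-key version, which is how the real service can return `KeyId` from a bare `Decrypt` call (KMS ciphertext carries metadata identifying the key; the exact wire format here is an assumption, and the HMAC-SHA256 keystream stands in for the AES-GCM KMS actually uses). `LocalKeyStore`, `rotate`, `load_all` and the key/version numbering are hypothetical names chosen to mirror the plugin's rotate-versus-startup split, not the plugin's own API. The demo wraps data keys under two different CMKs, rotates the backing material of one of them the way AWS automatic rotation does, and then decrypts everything at "startup" without ever supplying a master key id.

```python
import hashlib
import hmac
import json
import os
import struct
import uuid


class FakeKms:
    """Offline stand-in for the slice of the KMS API the comment relies on.
    Real KMS uses AES-GCM under the CMK; an HMAC-SHA256 keystream plus HMAC tag
    is used here only so the example runs without AWS (assumption, not KMS's
    format). The property modelled faithfully: the ciphertext blob names the
    CMK and backing-key version, so Decrypt needs no KeyId parameter."""

    def __init__(self):
        self._cmks = {}  # key ARN -> list of backing key material, newest last

    def create_key(self):
        key_id = "arn:aws:kms:us-east-1:111122223333:key/" + str(uuid.uuid4())  # constructed ARN
        self._cmks[key_id] = [os.urandom(32)]
        return key_id

    def rotate_backing_key(self, key_id):
        """Models automatic CMK rotation: new material, same ARN, old material
        retained so ciphertexts wrapped before the rotation still decrypt."""
        self._cmks[key_id].append(os.urandom(32))

    @staticmethod
    def _keystream(material, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(material, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def generate_data_key(self, KeyId, NumberOfBytes=32):
        if KeyId not in self._cmks:
            raise KeyError("NotFoundException: " + KeyId)  # KeyId is mandatory on this path
        version = len(self._cmks[KeyId]) - 1
        material = self._cmks[KeyId][version]
        plaintext, nonce = os.urandom(NumberOfBytes), os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(material, nonce, NumberOfBytes)))
        tag = hmac.new(material, nonce + ct, hashlib.sha256).digest()
        header = json.dumps({"key_id": KeyId, "version": version}).encode()
        blob = struct.pack(">H", len(header)) + header + nonce + ct + tag
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob):
        """No KeyId parameter: the CMK is recovered from the blob's own header."""
        hlen = struct.unpack(">H", CiphertextBlob[:2])[0]
        header = json.loads(CiphertextBlob[2:2 + hlen])
        body = CiphertextBlob[2 + hlen:]
        nonce, ct, tag = body[:16], body[16:-32], body[-32:]
        material = self._cmks[header["key_id"]][header["version"]]
        if not hmac.compare_digest(tag, hmac.new(material, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("InvalidCiphertextException")
        plaintext = bytes(c ^ k for c, k in zip(ct, self._keystream(material, nonce, len(ct))))
        return {"Plaintext": plaintext, "KeyId": header["key_id"]}


class LocalKeyStore:
    """Hypothetical model of the plugin side: wrapped data keys kept locally,
    indexed by (key number, version)."""

    def __init__(self, kms):
        self.kms = kms
        self.wrapped = {}  # (key_number, version) -> CiphertextBlob

    def rotate(self, key_number, master_key_id):
        """GenerateDataKey path (rotate, or CREATE/ALTER TABLE with a new key id): needs the CMK id."""
        version = 1 + max((v for k, v in self.wrapped if k == key_number), default=0)
        resp = self.kms.generate_data_key(KeyId=master_key_id)
        self.wrapped[(key_number, version)] = resp["CiphertextBlob"]
        return version, resp["Plaintext"]

    def load_all(self):
        """Startup path: Decrypt every stored blob, with no CMK id supplied at all."""
        return {kv: self.kms.decrypt(CiphertextBlob=blob) for kv, blob in self.wrapped.items()}


def demo():
    """Wrap keys under two CMKs, rotate one CMK's backing material, then reload blind."""
    kms = FakeKms()
    cmk_a, cmk_b = kms.create_key(), kms.create_key()
    store = LocalKeyStore(kms)
    _, pt_1_1 = store.rotate(1, cmk_a)   # key 1 version 1 under CMK A
    _, pt_1_2 = store.rotate(1, cmk_b)   # key 1 version 2 under a different CMK
    kms.rotate_backing_key(cmk_a)        # AWS transparently rotates CMK A
    _, pt_2_1 = store.rotate(2, cmk_a)   # key 2 version 1 under the rotated CMK A
    loaded = store.load_all()            # no master key id anywhere on this path
    ok = (loaded[(1, 1)] == {"Plaintext": pt_1_1, "KeyId": cmk_a}
          and loaded[(1, 2)] == {"Plaintext": pt_1_2, "KeyId": cmk_b}
          and loaded[(2, 1)] == {"Plaintext": pt_2_1, "KeyId": cmk_a})
    return ok, cmk_a, cmk_b, loaded


if __name__ == "__main__":
    ok, cmk_a, cmk_b, loaded = demo()
    for (key_number, version), resp in sorted(loaded.items()):
        print("key", key_number, "version", version, "wrapped by", resp["KeyId"])
    print("every blob decrypted and reported the CMK that wrapped it:", ok)
```

The practical consequence for a plugin is visible in the two methods: `rotate` cannot work without a configured master key id, while `load_all` works against a directory of blobs wrapped by any mix of CMKs, including one whose backing material has since been rotated, because each blob tells the service which key to use. The tag check in `decrypt` is there so that a corrupted or edited blob fails loudly rather than yielding a wrong data key; real KMS rejects such blobs with InvalidCiphertextException.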

Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.