Comments - Data-at-Rest Encryption Overview

7 years, 5 months ago Vladislav Vaintroub

This is a question about the AWS Key Management plugin, I assume?

If AWS rotates its master key, it does not remove the old one. That means it is still able to decrypt old keys stored in the datadir.

The same is true for local keys. Rotation does not remove the old keys; they are kept in the datadir. They could be deleted once they are no longer used, but we don't do this. Keys are no longer used after InnoDB key rotation completes and, if you encrypt binlogs, after the binlogs using that key are removed.

There is no automatic way to restore data on servers not connected to AWS.

If you want to do this, you need to do what the server does, namely decrypt the keys to get the plaintext, and for that:

a) decrypt the aws-kms.x.y files inside the datadir yourself. You can do it with the AWS KMS API call Decrypt, or even with aws-cli, for example. You need the plaintext keys for every file.

b) write your own aws_key_management plugin that works with plaintext instead of sending files to AWS.

Maybe you can reuse file_key_management given plaintext keys, if you're not using rotation, but I have not checked that myself.
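
The offline recovery path sketched in the comment above (decrypt each aws-kms file with KMS, then feed the plaintext keys to file_key_management), as an added example that is not part of the original comment and is not MariaDB's own code. It assumes the datadir holds one file per key version named aws-kms.<key_id>.<version> whose content is the raw KMS ciphertext blob, that the target format is the file_key_management key file (one `<key_id>;<hex-encoded key>` line per key), and that `aws kms decrypt --ciphertext-blob fileb://... --query Plaintext --output text` returns the base64-encoded data key. The `demo()` function runs entirely on constructed sample data with a stand-in for KMS Decrypt, so no AWS access is needed to try it; the `kms_decrypt_file` function is the real call you would use against a datadir.

```python
"""Export aws_key_management key blobs as a file_key_management key file.

Assumptions (not taken from MariaDB documentation, see lead-in):
  * datadir contains files named aws-kms.<key_id>.<version>, each holding
    the KMS ciphertext blob for that key version;
  * file_key_management expects one "<key_id>;<hex key>" line per key and
    has no notion of key versions.
"""
import base64
import os
import re
import subprocess
import tempfile
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

KMS_FILE_RE = re.compile(r"^aws-kms\.(\d+)\.(\d+)$")
VALID_KEY_LENGTHS = (16, 24, 32)  # AES-128/192/256 data keys


def parse_kms_filename(name: str) -> Optional[Tuple[int, int]]:
    """Return (key_id, version) for an aws-kms.<id>.<ver> name, else None."""
    m = KMS_FILE_RE.match(name)
    return (int(m.group(1)), int(m.group(2))) if m else None


def kms_decrypt_file(path: str) -> bytes:
    """Decrypt one ciphertext blob with the AWS CLI.

    Needs credentials allowed to call kms:Decrypt on the master key that
    wrapped the blob. KMS returns Plaintext base64-encoded, so decode it.
    """
    out = subprocess.run(
        ["aws", "kms", "decrypt", "--ciphertext-blob", f"fileb://{path}",
         "--query", "Plaintext", "--output", "text"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    return base64.b64decode(out)


def collect_key_versions(datadir: str) -> Dict[int, List[Tuple[int, str]]]:
    """Map key_id -> [(version, path), ...] sorted by version, oldest first."""
    versions: Dict[int, List[Tuple[int, str]]] = defaultdict(list)
    for name in os.listdir(datadir):
        parsed = parse_kms_filename(name)
        if parsed:
            key_id, version = parsed
            versions[key_id].append((version, os.path.join(datadir, name)))
    for entries in versions.values():
        entries.sort()
    return dict(versions)


def build_keyfile(datadir: str,
                  decrypt_file: Callable[[str], bytes] = kms_decrypt_file,
                  allow_rotated: bool = False) -> str:
    """Return the text of a file_key_management key file.

    A key id with more than one aws-kms file means rotation was used. The
    key file cannot express versions, so this is refused unless
    allow_rotated=True; then only the newest version is exported and any
    tablespace or binlog still encrypted with an older version stays unreadable.
    """
    lines = []
    for key_id, files in sorted(collect_key_versions(datadir).items()):
        if len(files) > 1 and not allow_rotated:
            raise ValueError(f"key {key_id} has {len(files)} versions; "
                             "file_key_management cannot represent rotation")
        _version, path = files[-1]
        plaintext = decrypt_file(path)
        if len(plaintext) not in VALID_KEY_LENGTHS:
            raise ValueError(f"{path}: unexpected key length {len(plaintext)}")
        lines.append(f"{key_id};{plaintext.hex()}")
    return "\n".join(lines) + "\n"


def demo(rotated: bool = False, allow_rotated: bool = False) -> str:
    """Offline run on constructed data: fake blobs on disk, fake KMS Decrypt."""
    fake_plaintext = {"aws-kms.1.0": bytes(range(32)),   # constructed keys
                      "aws-kms.2.0": b"\xaa" * 16}
    if rotated:
        fake_plaintext["aws-kms.1.1"] = b"\x11" * 32     # a rotated key 1
    with tempfile.TemporaryDirectory() as datadir:
        for name in fake_plaintext:
            with open(os.path.join(datadir, name), "wb") as f:
                f.write(b"not-a-real-kms-ciphertext-blob")  # constructed

        def fake_decrypt(path: str) -> bytes:           # stands in for KMS
            return fake_plaintext[os.path.basename(path)]

        return build_keyfile(datadir, fake_decrypt, allow_rotated)


if __name__ == "__main__":
    print(demo(), end="")
```

Write the output to a file readable only by the mysqld user and point `file_key_management_filename` at it; the plaintext keys are exactly as sensitive as the data they protect, so treat that file, and any shell history containing KMS output, accordingly.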
