Comments - Data-at-Rest Encryption Overview
Content reproduced on this site is the property of its respective owners,
and this content is not reviewed in advance by MariaDB. The views, information and opinions
expressed by this content do not necessarily represent those of MariaDB or any other party.
If I understand correctly, the plugin will start rotate keys process and use newly specified master key to create new local key to encrypt. However, since it's pointing to different master key, how does it decrypt previous local key so that tables can be decrypted prior to rotation. If they don't need to be decrypted, how are they decrypted in during database operation since previous local key can not be decrypted with previous master key id.
Does the aws-kms-key contain master key id?
Does the aws-kms-key contain master key id?
We don't record it ourselves, the contents of the file is just cipherblob from GenerateDataKey() response. But AWS knows which keys was used. The question "how does it know" interesting, I'll check the KMS documentation.
Ok, found a (slightly cryptic) explanation here, on slide 18, under 4.
http://www.slideshare.net/AmazonWebServices/encryption-and-key-management-in-aws
The cipherblob we get with GenerateDataKey and store on disk, actually contains encrypted master key id + datakey.
AWS KMS does not need or accept master key id for Decrypt, it only needs it for GenerateDataKey/Encrypt. http://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html
As you can see, Decrypt actually *returns* the master-key-id that was used for GenerateDataKey its response (how does it know it, I have no idea, never checked), in addition to Plaintext that we use.
Thus: - rotate does KMS-GenerateDataKey., It *needs* master key id. ditto CREATE/ALTER TABLE with new key ids, or - decrypt(at the startup time) does KMS-Decrypt(). It *does not need* master-key-id. It can decrypt multiple local keys, backed by different CMK, or by single CMK that was transparently rotated by AWS.
When a key is rotated in AWS KMS, it keeps the same key alias and earlier versions of the key are still available for decryption. Take a look at http://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html for more information. Local key rotation, done by MariaDB Server, causes the new version of the key to be written to a file in your datadir. Old versions of the key are kept as well, since they'll be needed to decrypt tables/pages/logs encrypted using earlier versions of the key. When you're certain that an older version of a key is no longer needed, you can delete the corresponding file from the datadir.