Comments - Data-at-Rest Encryption Overview
Does the aws-kms-key contain the master key id?
We don't record it ourselves; the contents of the file are just the cipherblob from the GenerateDataKey() response. But AWS knows which key was used. The question "how does it know" is interesting; I'll check the KMS documentation.
Ok, found a (slightly cryptic) explanation here, on slide 18, under 4.
http://www.slideshare.net/AmazonWebServices/encryption-and-key-management-in-aws
The cipherblob we get with GenerateDataKey and store on disk actually contains the encrypted master key id + datakey.