Created 05-24-2021 02:48 PM
After rolling a key, another version is created, in effect a new key, but same name. After re-encrypting the DEK for the encryption zone, what becomes of the old key version? Does the number just grow and sit there? There does not appear to be a delete except for the key itself.
Created 05-26-2021 11:33 AM
Hello,
The key version is stored in the metadata so that the client knows which version of the key to request from the KMS. By incrementing the key version, the old (and incorrect) key is not retrieved when decrypting a file encrypted with the new key. By incrementing the key and not reusing key numbers there is less risk of race conditions and makes it clear to the administrator that the key in use has been incremented.
Hope that helps,
Michael
Created 05-26-2021 01:51 PM
Created 05-26-2021 01:58 PM
I misunderstood the original question. I understand what you are asking, now. I do not know if there is a way to clear out the old keys. They don't use much storage space so I've never heard of anyone having an issue with that.
Michael