Hi, a quick query on KMS keys.
We have two encryption zones, EZ1 and EZ2. Both of them are created using the same key and material. We use DistCp to transfer data from EZ1 to EZ2. I am trying to understand what happens if the key is rolled over on EZ1.
New data written to EZ1 after the key roll-over shouldn't be a problem. However, what happens in the below cases?
Reading the Hadoop TDE documentation answered my first question, i.e., KMS maintains key version history and hence it shouldn't be a problem when the client decrypts content. It would have the appropriate key version and hence KMS would decrypt using the same.
Still looking for answers to questions 2 and 3.
@Vijaya Narayana Reddy Bhoomi Reddy The data itself is encrypted using the DEK, which is static. When the EZK is rolled, all EDEKs (which are stored in NN metadata) are re-encrypted.
1. Therefore, yes, in EZ1 the client application will be able to decrypt the content of old data without any issues. They will be able to decrypt the new EDEK with the new EZK and therefore get the plaintext DEK to decrypt the file.
2. Regarding EZ2, if the same key name was used for EZ2, then it will be the same as EZ1. The EDEKs associated with files in EZ2 will be re-encrypted as well.
3. It is best to periodically roll keys to protect against certain attack vectors, like users collecting keys of files they have access to, to later decrypt data (perhaps after being removed from a KMS ACL).
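To make the mechanism in this answer concrete (a static per-file DEK, an EDEK wrapped under a versioned zone key, and a KMS that keeps every key version so old EDEKs still unwrap), here is a small Go model. It is an added example written for this thread, not code from Hadoop, Cloudera or the poster: the `KMS` type, its `RollKey`, `DecryptEDEK` and `ReencryptEDEK` methods, the `ez-key` name and the sample payload are all invented stand-ins, and AES-256-GCM stands in for whatever cipher the real HDFS client uses for file data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS maps a zone key name to the material of every version it has had
// (slice index == version number). Hadoop KMS keeps this history so an EDEK
// wrapped under an old version still unwraps after a roll; a real KMS never
// releases zone-key material to clients, this toy keeps everything in-process.
type KMS struct{ keys map[string][][]byte }

func NewKMS() *KMS { return &KMS{keys: map[string][][]byte{}} }

// RollKey creates the key on first use and appends a fresh version thereafter.
func (k *KMS) RollKey(name string) { k.keys[name] = append(k.keys[name], randomBytes(32)) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds an AES-256-GCM AEAD; seal uses it for DEKs and file bytes alike.
func gcm(material []byte) cipher.AEAD {
	block, err := aes.NewCipher(material)
	if err != nil {
		panic(err) // every key in this toy is 32 bytes
	}
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(material, pt []byte) (nonce, ct []byte) {
	nonce = randomBytes(12)
	return nonce, gcm(material).Seal(nil, nonce, pt, nil)
}

// EDEK is the per-file DEK wrapped under one named zone-key version (HDFS keeps
// it in the file's NameNode metadata); EncryptedFile is DEK-encrypted data plus its EDEK.
type EDEK struct {
	KeyName        string
	Version        int
	Nonce, Wrapped []byte
}
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	EDEK              EDEK
}

// wrap encrypts a DEK under the current (latest) version of the named zone key.
func (k *KMS) wrap(keyName string, dek []byte) (EDEK, error) {
	vs := k.keys[keyName]
	if len(vs) == 0 {
		return EDEK{}, fmt.Errorf("kms: no key named %s", keyName)
	}
	nonce, wrapped := seal(vs[len(vs)-1], dek)
	return EDEK{keyName, len(vs) - 1, nonce, wrapped}, nil
}

// DecryptEDEK unwraps with the version recorded in the EDEK, not the current one.
func (k *KMS) DecryptEDEK(e EDEK) ([]byte, error) {
	vs := k.keys[e.KeyName]
	if e.Version < 0 || e.Version >= len(vs) {
		return nil, fmt.Errorf("kms: %s@%d not found", e.KeyName, e.Version)
	}
	return gcm(vs[e.Version]).Open(nil, e.Nonce, e.Wrapped, nil)
}

// ReencryptEDEK re-wraps the same DEK under the current version; neither the
// DEK nor the file ciphertext changes, only the EDEK held in metadata.
func (k *KMS) ReencryptEDEK(e EDEK) (EDEK, error) {
	dek, err := k.DecryptEDEK(e)
	if err != nil {
		return EDEK{}, err
	}
	return k.wrap(e.KeyName, dek)
}

// WriteFile mints a random DEK, encrypts the data with it and wraps the DEK.
func WriteFile(k *KMS, keyName string, plaintext []byte) (EncryptedFile, error) {
	dek := randomBytes(32)
	edek, err := k.wrap(keyName, dek)
	if err != nil {
		return EncryptedFile{}, err
	}
	nonce, ct := seal(dek, plaintext)
	return EncryptedFile{nonce, ct, edek}, nil
}

func ReadFile(k *KMS, f EncryptedFile) ([]byte, error) {
	dek, err := k.DecryptEDEK(f.EDEK)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	kms := NewKMS()
	kms.RollKey("ez-key") // version 0
	f, _ := WriteFile(kms, "ez-key", []byte("constructed sample"))
	kms.RollKey("ez-key") // version 1; version 0 stays in the history
	f.EDEK, _ = kms.ReencryptEDEK(f.EDEK)
	pt, err := ReadFile(kms, f)
	fmt.Printf("EDEK now v%d, plaintext %q, err=%v\n", f.EDEK.Version, pt, err)
}
```

Running the scenario shows the two properties the answer relies on: after the roll the file still reads because its EDEK records version 0 and the KMS still holds that version, and re-encrypting the EDEK changes only the wrapped blob in metadata while the DEK and the file ciphertext stay byte-identical (in HDFS this per-file re-wrap is the step that `hdfs crypto -reencryptZone` drives across a whole zone). Because the DEK is static, re-wrapping changes what an old zone-key version can unwrap, not what an already-unwrapped DEK can decrypt.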