We have two encryption zones, EZ1 and EZ2. Both of them are created using the same key and material. We use DistCp to transfer data from EZ1 to EZ2. I am trying to understand what happens if the key is rolled over on EZ1.
New data written to EZ1 after the key roll-over shouldn't be a problem. However, what happens in the below cases?
1. What happens to the old data in EZ1 which was encrypted with the old key material and version? Will the client application be able to decrypt the content without any issues?
2. What happens to the data in EZ2? Does the same key material need to be used to roll over the key for EZ2 as well?
3. Are there any established best practices around key management?
Reading the Hadoop TDE documentation answered my first question, i.e. KMS maintains the key version history and hence it shouldn't be a problem when the client decrypts content. It would have the appropriate key version and hence KMS would decrypt using the same.
@Vijaya Narayana Reddy Bhoomi Reddy The data itself is encrypted using the DEK, which is static. When the EZK is rolled, all EDEKs (which are stored in NN metadata) are re-encrypted
1. Therefore, yes, in EZ1 the client application will be able to decrypt the content of old data without any issues. They will be able to decrypt the new EDEK with the new EZK and therefore get the plaintext DEK to decrypt the file.
2. Regarding EZ2, if the same keyname was used for EZ2, then it will be the same as EZ1. The EDEKs associated with files in EZ2 will be re-encrypted as well
3. It is best to periodically roll keys to protect against certain attack vectors, like users collecting keys of files they have access to, to later decrypt data (perhaps after being removed from a KMS ACL).
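The envelope-encryption mechanism behind answers 1 and 2, as an added runnable model (this is not Hadoop code and not the answerer's code). It keeps every EZK version in a toy KMS, wraps one static DEK per file into an EDEK that records the EZK version used, and shows that after `hadoop key roll` old files still decrypt (the KMS still has version 0), new files get version 1, and re-wrapping a zone's EDEKs (which Hadoop 3 exposes as `hdfs crypto -reencryptZone -start -path <zone>`) changes neither the DEK nor the file bytes. EZ2 uses the same key name, so the roll applies to it too, but its EDEKs are re-wrapped only when EZ2 itself is re-encrypted. Assumptions: the cipher is a SHA-256 keystream XOR standing in for AES-CTR so the model needs only the standard library; DistCp between the zones is modelled as a client-side read and write that gives EZ2 its own DEK; all class and function names are mine.

```python
import hashlib
import os
from dataclasses import dataclass, field

def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-CTR (SHA-256 keystream XOR); the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + iv + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

@dataclass(frozen=True)
class EDEK:
    """Encrypted DEK kept in NameNode metadata; records which EZK version wrapped it."""
    key_name: str
    version: int
    wrap_iv: bytes
    wrapped_dek: bytes

class KMS:
    """Keeps every version of each EZK; EZK material never leaves the KMS (assumed model)."""
    def __init__(self) -> None:
        self.versions = {}  # key name -> list of materials, index = version number

    def roll_new_version(self, name: str) -> int:
        """'hadoop key create' / 'hadoop key roll': add a version, keep the old ones."""
        self.versions.setdefault(name, []).append(os.urandom(32))
        return self.current_version(name)

    def current_version(self, name: str) -> int:
        return len(self.versions[name]) - 1

    def _wrap(self, name: str, version: int, dek: bytes) -> EDEK:
        iv = os.urandom(16)
        return EDEK(name, version, iv, xor_stream(self.versions[name][version], iv, dek))

    def generate_edek(self, name: str) -> EDEK:
        """New file: fresh random DEK wrapped under the current EZK version."""
        return self._wrap(name, self.current_version(name), os.urandom(32))

    def decrypt_edek(self, edek: EDEK) -> bytes:
        """Unwrap with the EZK version the EDEK names, however old it is."""
        ezk = self.versions[edek.key_name][edek.version]
        return xor_stream(ezk, edek.wrap_iv, edek.wrapped_dek)

    def reencrypt_edek(self, edek: EDEK) -> EDEK:
        """Re-wrap the same DEK under the current version; the DEK itself is unchanged."""
        return self._wrap(edek.key_name, self.current_version(edek.key_name),
                          self.decrypt_edek(edek))

@dataclass
class Zone:
    key_name: str
    files: dict = field(default_factory=dict)   # path -> (EDEK, data IV): NameNode metadata
    blocks: dict = field(default_factory=dict)  # path -> ciphertext: DataNode blocks

def write_file(kms: KMS, zone: Zone, path: str, plaintext: bytes) -> None:
    edek = kms.generate_edek(zone.key_name)
    dek, iv = kms.decrypt_edek(edek), os.urandom(16)  # client obtains the plaintext DEK
    zone.files[path] = (edek, iv)
    zone.blocks[path] = xor_stream(dek, iv, plaintext)

def read_file(kms: KMS, zone: Zone, path: str) -> bytes:
    edek, iv = zone.files[path]
    return xor_stream(kms.decrypt_edek(edek), iv, zone.blocks[path])

def reencrypt_zone(kms: KMS, zone: Zone) -> None:
    """Like 'hdfs crypto -reencryptZone': re-wrap every EDEK, leave the file bytes alone."""
    for path, (edek, iv) in list(zone.files.items()):
        zone.files[path] = (kms.reencrypt_edek(edek), iv)

def demo() -> dict:
    """Walk through the thread's scenario with constructed data; returns the observable facts."""
    data, kms = b"written before the roll", KMS()
    kms.roll_new_version("ezkey")  # key creation: version 0
    ez1, ez2 = Zone("ezkey"), Zone("ezkey")  # both zones created with the same key name
    write_file(kms, ez1, "/ez1/old.txt", data)
    # DistCp EZ1 -> EZ2 modelled as a client read then write: EZ2 wraps a DEK of its own.
    write_file(kms, ez2, "/ez2/old.txt", read_file(kms, ez1, "/ez1/old.txt"))
    kms.roll_new_version("ezkey")  # version 1 is now current for both zones
    write_file(kms, ez1, "/ez1/new.txt", b"written after the roll")
    old_edek = ez1.files["/ez1/old.txt"][0]
    dek_before, cipher_before = kms.decrypt_edek(old_edek), ez1.blocks["/ez1/old.txt"]
    out = {"old_readable_after_roll": read_file(kms, ez1, "/ez1/old.txt") == data,
           "old_edek_version_after_roll": old_edek.version,
           "new_edek_version_after_roll": ez1.files["/ez1/new.txt"][0].version}
    reencrypt_zone(kms, ez1)
    out["ez1_versions_after_reencrypt"] = {p: e.version for p, (e, _) in ez1.files.items()}
    out["dek_unchanged"] = kms.decrypt_edek(ez1.files["/ez1/old.txt"][0]) == dek_before
    out["ciphertext_unchanged"] = ez1.blocks["/ez1/old.txt"] == cipher_before
    out["old_readable_after_reencrypt"] = read_file(kms, ez1, "/ez1/old.txt") == data
    # EZ2 shares the key name, so the roll applies to it, but its EDEKs are
    # only re-wrapped when EZ2 itself is re-encrypted.
    out["ez2_version_before_reencrypt"] = ez2.files["/ez2/old.txt"][0].version
    reencrypt_zone(kms, ez2)
    out["ez2_version_after_reencrypt"] = ez2.files["/ez2/old.txt"][0].version
    out["ez2_readable"] = read_file(kms, ez2, "/ez2/old.txt") == data
    return out
```

Running `demo()` shows the two facts the thread turns on: the old file in EZ1 reads fine right after the roll because its EDEK still names version 0 and the KMS kept that version, and after re-encryption every EDEK names version 1 while the unwrapped DEK and the stored ciphertext are byte-for-byte what they were. Note what the roll does not do: a client that already holds a plaintext DEK can still decrypt that file, which is why the answer's point 3 is about limiting how long collected keys stay useful, not about revoking them.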