1 answer
Not sure I understand the scenario completely, but data keys are usually long-lasting and do not need to be rotated unless there's a data breach and you need to manually re-encrypt data.
Key rotation means that the data key is decrypted using the old KMS key and then re-encrypted with a new KMS key. Data keys should be stored in a persistent store, even if they are not stored with the encrypted data itself.
answered a year ago
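To make the two operations the answer distinguishes concrete, here is an added example (not code from the answer, the asker, or AWS). `FakeKms` is a hypothetical in-process stand-in for KMS that mirrors the shape of GenerateDataKey, Decrypt and ReEncrypt; the cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus an HMAC tag) used only so the file runs offline, and is not a substitute for a real AEAD. `rotate_kek` is the rotation the answer describes: the wrapped data key is unwrapped under the old KMS key and re-wrapped under the new one, and the data ciphertext is never touched. `rotate_data_key` is what a requirement to rotate and destroy the data key itself implies: a fresh GenerateDataKey call and a full re-encryption of the data.

```python
"""Envelope encryption with KEK rotation vs. data-key rotation (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; a stdlib stand-in for a real stream cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before decrypting
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass(frozen=True)
class WrappedKey:
    key_id: str   # which KEK (KMS key) wrapped this data key
    blob: bytes   # the data key encrypted under that KEK (KMS: CiphertextBlob)


@dataclass(frozen=True)
class EnvelopeRecord:
    wrapped_key: WrappedKey   # persisted, with or apart from the data
    ciphertext: bytes         # data encrypted under the plaintext data key


class FakeKms:
    """Hypothetical stand-in for KMS: callers never see the KEK bytes."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}

    def create_key(self, key_id: str) -> None:
        self._keks[key_id] = secrets.token_bytes(32)

    def generate_data_key(self, key_id: str) -> tuple[bytes, WrappedKey]:
        # Mirrors GenerateDataKey: returns the plaintext data key and its wrapped copy.
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, WrappedKey(key_id, encrypt(self._keks[key_id], plaintext_key))

    def decrypt_data_key(self, wrapped: WrappedKey) -> bytes:
        # Mirrors Decrypt: unwrap under the KEK named in the wrapped key.
        return decrypt(self._keks[wrapped.key_id], wrapped.blob)

    def re_encrypt(self, wrapped: WrappedKey, new_key_id: str) -> WrappedKey:
        # Mirrors ReEncrypt: unwrap under the old KEK, rewrap under the new one.
        # The plaintext data key stays inside the service.
        plaintext_key = self.decrypt_data_key(wrapped)
        return WrappedKey(new_key_id, encrypt(self._keks[new_key_id], plaintext_key))


def encrypt_record(kms: FakeKms, key_id: str, data: bytes) -> EnvelopeRecord:
    plaintext_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = encrypt(plaintext_key, data)
    del plaintext_key  # only the wrapped copy is persisted
    return EnvelopeRecord(wrapped, ciphertext)


def decrypt_record(kms: FakeKms, record: EnvelopeRecord) -> bytes:
    return decrypt(kms.decrypt_data_key(record.wrapped_key), record.ciphertext)


def rotate_kek(kms: FakeKms, record: EnvelopeRecord, new_key_id: str) -> EnvelopeRecord:
    # KMS key rotation as described in the answer: only the wrapped data key
    # changes; the data ciphertext is untouched, so this is cheap for large objects.
    return EnvelopeRecord(kms.re_encrypt(record.wrapped_key, new_key_id), record.ciphertext)


def rotate_data_key(kms: FakeKms, record: EnvelopeRecord, key_id: str) -> EnvelopeRecord:
    # Rotating the data key itself: decrypt with the old data key, get a fresh one
    # from GenerateDataKey, re-encrypt the data. Destroying the old wrapped key
    # afterwards makes the old ciphertext permanently unreadable.
    return encrypt_record(kms, key_id, decrypt_record(kms, record))
```

The difference between the two rotations is the cost model: `rotate_kek` is one ReEncrypt call per stored wrapped key and never reads the data, while `rotate_data_key` has to read and rewrite every object encrypted under the old data key, which is why the number of data keys in circulation matters once the data key itself has a mandated lifetime.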
Thank you for answering. By national law, it must be rotated every two years and then destroyed. We are also considering a store like Vault, because we can't even store it in our own DB for the same reason. That's why I don't want to create a lot of data keys, so I try to use generateDataKey once every two years.
So, without these constraints, what would best practice be for knowing when to use generateDataKey? It sounds like you could use generateDataKey virtually infinitely.