Let me explain my current situation
- We will implement envelope encryption utilizing aws kms.
- Save the data to the db in the format of "encrypted data key + encrypted text".
- The validity period of the data key is 2 years, and data must be re-encrypted with a new data key immediately before expiration.
- The generated encrypted datakey cannot be stored alone in db but able above form.
- I want to store the generated data key in the cache and retrieve it.
Question: Is there any way to know the datakey used just before when the server restarts without saving it to the db? There doesn't seem to be an API for querying data keys. Generating a new key every time the server restarts complicates the logic when re-encrypting the data key later (I'm not sure).
However, I don't want to use other aws services (e.g. S3). If I need to use it, I want to save it to the vault I was using. However, I don't want to use this method as it seems to create dependencies on other services.
However, retrieving the "encrypted data key + encrypted text" value from the db to retrieve the plaintext key for kms with the encrypted data key seems too legacy.
However, if the datakey is created every time the server is restarted, I don't think there is a need to process it first... How about doing it this way...
-> This method seems to create difficult rencrpytion logic, but I'm willing to do it if this is best practice.
What are the best practices..?
Thank you for answering. By national law, it must be rotated every two years and then destroyed. We are also considering a storage like vault because we can't even store it in our own db for the same reason. That's why I don't want to create a lot of data keys, so I try to use generatedDatakey once every two years.
So, without these constraints, what best practice would be to know when to use generateDataKey? it sounds like you could use generateDataKey virtually infinitely.