Will the master key in KMS get rotated? What happens when the master key gets rotated?


We are planning to encrypt the data in our service using a data key. The AWS Encryption Library takes the master key ARN as an input parameter to do the encryption. My understanding is that the data key will be created by the KMS service, and the plain key will be returned together with the data key encrypted using the master key. The encrypted data key will be added to the encrypted data.

During decryption, the encrypted data key will be decrypted using KMS + the master key.

Now the questions are:

  1. If someone gets access to the master key ARN, they can use it to get the plain information, right? In that case, how does KMS ensure protection?

  2. I remember that KMS will rotate the master key (I hope I am correct here). If the key gets rotated, what will happen to all the data keys that were encrypted using the old master key?

1 Answer

First part: plain information

The private information never comes out of the KMS service. It is described in the FAQ here:

KMS FAQs, look for "Q: Can symmetric KMS keys be exported out of the service in plain text?"

Second part: rotation

KMS key rotation is optional but recommended.

Rotating a KMS key does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key. (Actual mitigation would involve re-encrypting the data with newly acquired data keys).

When you use a rotated KMS key to encrypt data, AWS KMS uses the current key material. When you use the rotated KMS key to decrypt ciphertext, AWS KMS uses the version of the key material that was used to encrypt it. You cannot request a particular version of the key material. Because AWS KMS transparently decrypts with the appropriate key material, you can safely use a rotated KMS key in applications and AWS services without code changes.


answered a year ago
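To make the two points in the answer concrete, here is an added example that is not part of the original question or answer and is not AWS code: a small Python model of how envelope encryption with KMS data keys interacts with key rotation. `ToyKms`, its access check, the HMAC-based toy cipher standing in for AES, and the example ARN are all constructed for illustration. It shows that the plaintext master key material never leaves the "service" object, that holding the key ARN alone is useless without an authorized principal, that rotation adds new key material without touching data keys already issued, and that decryption of an old encrypted data key still works because the ciphertext records which key material version wrapped it.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (stand-in for AES-GCM)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, *parts: bytes) -> bytes:
    """Truncated HMAC used as an authentication tag for the toy cipher."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


class ToyKms:
    """Constructed model of the KMS behaviours the answer describes (not the AWS API)."""

    def __init__(self, key_arn: str, allowed_principals):
        self.key_arn = key_arn
        self.allowed = frozenset(allowed_principals)
        # Key material versions; the last entry is the current material.
        # Master material is private to this object and is never returned.
        self._material = [secrets.token_bytes(32)]

    @property
    def current_version(self) -> int:
        return len(self._material) - 1

    def rotate_key(self) -> None:
        # Rotation only adds new material; older versions stay for decryption.
        self._material.append(secrets.token_bytes(32))

    def _authorize(self, principal: str) -> None:
        # Knowing the ARN is not enough; the caller must be allowed by policy.
        if principal not in self.allowed:
            raise PermissionError(f"{principal} may not use {self.key_arn}")

    def generate_data_key(self, principal: str):
        """Return (plaintext data key, data key wrapped under current master version)."""
        self._authorize(principal)
        plaintext_key = secrets.token_bytes(32)
        v = self.current_version  # one byte in this toy: at most 256 versions
        nonce = secrets.token_bytes(12)
        ct = _keystream_xor(self._material[v], nonce, plaintext_key)
        tag = _tag(self._material[v], bytes([v]), nonce, ct)
        return plaintext_key, bytes([v]) + nonce + ct + tag

    def decrypt(self, principal: str, blob: bytes) -> bytes:
        """Unwrap a data key; the version is read from the blob, not chosen by the caller."""
        self._authorize(principal)
        v, nonce, ct, tag = blob[0], blob[1:13], blob[13:-16], blob[-16:]
        key = self._material[v]
        if not hmac.compare_digest(tag, _tag(key, bytes([v]), nonce, ct)):
            raise ValueError("wrapped data key failed integrity check")
        return _keystream_xor(key, nonce, ct)


def envelope_encrypt(kms: ToyKms, principal: str, plaintext: bytes) -> dict:
    """Client side: encrypt locally with the data key, store only its wrapped form."""
    data_key, wrapped = kms.generate_data_key(principal)
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(data_key, nonce, plaintext)
    return {"edk": wrapped, "nonce": nonce, "ct": ct, "tag": _tag(data_key, nonce, ct)}


def envelope_decrypt(kms: ToyKms, principal: str, record: dict) -> bytes:
    data_key = kms.decrypt(principal, record["edk"])
    if not hmac.compare_digest(record["tag"], _tag(data_key, record["nonce"], record["ct"])):
        raise ValueError("payload failed integrity check")
    return _keystream_xor(data_key, record["nonce"], record["ct"])


# Constructed example ARN; the account id is the documentation placeholder.
EXAMPLE_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def rotation_demo() -> dict:
    """Encrypt before and after rotation; both records must still decrypt."""
    kms = ToyKms(EXAMPLE_ARN, {"app-role"})
    before = envelope_encrypt(kms, "app-role", b"record written before rotation")
    kms.rotate_key()
    after = envelope_encrypt(kms, "app-role", b"record written after rotation")
    return {
        "old_version": before["edk"][0],  # still wrapped under version 0
        "new_version": after["edk"][0],   # new encryptions use version 1
        "old_plain": envelope_decrypt(kms, "app-role", before),
        "new_plain": envelope_decrypt(kms, "app-role", after),
    }


def arn_alone_is_not_enough() -> bool:
    """An unauthorized principal holding the ARN cannot obtain a plaintext data key."""
    kms = ToyKms(EXAMPLE_ARN, {"app-role"})
    try:
        kms.generate_data_key("someone-with-only-the-arn")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(rotation_demo())
    print("ARN alone refused:", arn_alone_is_not_enough())
```

The point the answer makes about mitigation follows directly from the model: after `rotate_key()` the old record still carries a data key wrapped under version 0, so a compromised data key stays usable against that record until the record is re-encrypted with a freshly generated data key.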
