Changing the encryption key of a secret in AWS Secrets manager

0

When I am trying to change the encryption key of a secret in the AWS console, it shows me a checkbox which says to click the checkbox to create a new version of the secret. If I uncheck the checkbox, it will just change the encryption key but not the existing secret value. Is my understanding correct?

Sandeep
asked 4 months ago · 212 views
2 Answers
0

Hello,

A new version of the secret will be created and encrypted with the new key. Only the new key can decrypt this new version when the checkbox is ticked.

When the checkbox is unticked, the existing version will be re-encrypted with the new key, but can still be decrypted with both the old and new keys.

Reference:

Change the encryption key for an AWS Secrets Manager secret

EXPERT
answered 4 months ago
AWS
EXPERT
reviewed 4 months ago
  • Note that there isn't just one "existing version" that is affected. It's the versions with the labels AWSCURRENT, AWSPENDING, and AWSPREVIOUS that are affected. The difference is between whether a new AWSCURRENT is created exclusively accessible with the new key, or the existing AWSCURRENT is kept and encrypted both with the old key and the new key.

0

If you're wanting the current content of the secret value to be retained, that will happen regardless of that checkbox. The current secret value will be stored encrypted with the new KMS key.

It appears there's the distinction that if you check the box, a new version will be created and labelled as AWSCURRENT, while with the checkbox unchecked, a new version will not be created but only the AWSCURRENT, AWSPENDING, and AWSPREVIOUS versions will be re-encrypted with the new key.

EXPERT
Leo K
answered 4 months ago
EXPERT
reviewed 4 months ago
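A post-change check for the behaviour both answers describe: after switching the KMS key with update-secret --kms-key-id, confirm the secret reports the new key and that the labelled stages (AWSCURRENT, AWSPENDING, AWSPREVIOUS) still decrypt for your caller. This is an added example, not code from the thread or from AWS; `StubClient` is a constructed stand-in for a boto3 `secretsmanager` client so it runs offline, and the key ARN and version ids are placeholders.

```python
STAGES = ("AWSCURRENT", "AWSPENDING", "AWSPREVIOUS")


def staged_version_ids(versions):
    """Map stage label -> version id for the labelled stages, i.e. the versions
    a key change re-encrypts (see the answers above). `versions` is the
    'Versions' list returned by list_secret_version_ids."""
    found = {}
    for v in versions:
        for stage in v.get("VersionStages", []):
            if stage in STAGES:
                found[stage] = v["VersionId"]
    return found


def verify_key_change(client, secret_id, new_key_id):
    """After update-secret --kms-key-id, confirm the secret reports the new key
    and that every labelled stage still decrypts for this caller."""
    meta = client.describe_secret(SecretId=secret_id)
    versions = client.list_secret_version_ids(SecretId=secret_id)
    result = {"kms_key_matches": meta.get("KmsKeyId") == new_key_id,
              "decryptable": {}}
    for stage, vid in staged_version_ids(versions.get("Versions", [])).items():
        try:
            client.get_secret_value(SecretId=secret_id, VersionId=vid)
            result["decryptable"][stage] = True
        except Exception:  # botocore ClientError in real use; broad for the stub
            result["decryptable"][stage] = False
    return result


class StubClient:
    """Constructed stand-in for boto3.client('secretsmanager'): the key is
    already switched; v1 is an old, unlabelled version that is not touched."""
    def __init__(self, kms_key_id="arn:aws:kms:REGION:ACCOUNT:key/NEW-KEY-ID",
                 undecryptable=()):
        self.kms_key_id, self.undecryptable = kms_key_id, set(undecryptable)
    def describe_secret(self, SecretId):
        return {"Name": SecretId, "KmsKeyId": self.kms_key_id}
    def list_secret_version_ids(self, SecretId):
        return {"Versions": [{"VersionId": "v3", "VersionStages": ["AWSCURRENT"]},
                             {"VersionId": "v2", "VersionStages": ["AWSPREVIOUS"]},
                             {"VersionId": "v1", "VersionStages": []}]}
    def get_secret_value(self, SecretId, VersionId):
        if VersionId in self.undecryptable:
            raise RuntimeError("AccessDeniedException (constructed)")
        return {"SecretString": "constructed-value"}
```

Against a real account, pass `boto3.client("secretsmanager")` as `client`; a stage reported as not decryptable usually means the new key's policy does not grant the caller kms:Decrypt.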
