
From the encryption at rest design document in Github, only the Universe Keys are rotated while the data keys remain unchanged for the lifetime of the data file.

However, the Yugabyte docs mention that "Old data will remain unencrypted, or encrypted, with an older key, until compaction churn triggers a re-encryption with the new key."

  1. Does this mean that the data keys implicitly get rotated when doing compaction?

  2. And we can force this compaction (and data key rotation) by triggering a manual compaction via the yb-admin tool?

molavedev

1 Answer


Each data file contains a reference to the key id of the master side key used to encrypt its file-level data key, so technically even after a master key rotation we may have older sst files which reference the old key. So if you want no older data files to reference the old key after a rotation, you will have to do a manual compaction.

dh YB
  • Thanks for your reply. Just a follow up: when doing compaction, a new file will be created and also new data keys will be used in this new file, right? That is, the old data keys will not be used anymore, somehow doing some kind of key rotation for the data keys as well. – molavedev Aug 03 '21 at 03:24
  • It will end up not using the old keys for any sstables since old sstables will be deleted after compaction. – dh YB Aug 04 '21 at 11:10
  • Thank you very much. This is the confirmation I needed. – molavedev Aug 16 '21 at 04:43
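The key hierarchy discussed in the question and answer (a rotating universe key that wraps a per-file data key, with each file recording which universe key id wrapped it) can be modelled in a few dozen lines. The following is an added example written for this page, not YugabyteDB code; the class and function names are made up, and the "cipher" is a SHA-256 keystream standing in for AES so the script runs with only the standard library. It shows the two facts from the thread: rotating the universe key leaves existing files referencing the old key id, and compaction rewrites them with fresh data keys under the current universe key. The `files_referencing_old_keys` helper is the check an operator would want before retiring an old universe key.

```python
"""Toy model of envelope encryption with per-file data keys and a rotating
universe (master) key. Added example, not YugabyteDB code. The SHA-256
keystream below is a stand-in for AES so the script needs only the stdlib."""
import hashlib
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class DataFile:
    """An sst-like file: ciphertext, its wrapped data key, and the id of the
    universe key that wrapped it (the reference the answer describes)."""
    name: str
    universe_key_id: str
    nonce: bytes
    wrapped_data_key: bytes
    ciphertext: bytes


@dataclass
class UniverseKeyStore:
    """Hypothetical key manager: all universe keys by id plus the active one."""
    keys: dict = field(default_factory=dict)
    current_id: str = ""

    def add_and_activate(self, key_id: str) -> None:
        self.keys[key_id] = os.urandom(32)
        self.current_id = key_id


def write_file(store: UniverseKeyStore, name: str, plaintext: bytes) -> DataFile:
    """Encrypt with a fresh data key and wrap that key under the current universe key."""
    data_key = os.urandom(32)
    nonce = os.urandom(16)
    ukey = store.keys[store.current_id]
    return DataFile(
        name=name,
        universe_key_id=store.current_id,
        nonce=nonce,
        wrapped_data_key=_keystream_xor(ukey, b"wrap" + nonce, data_key),
        ciphertext=_keystream_xor(data_key, b"data" + nonce, plaintext),
    )


def read_file(store: UniverseKeyStore, f: DataFile) -> bytes:
    """Unwrap the data key with the universe key the file references.
    Raises KeyError if that universe key was already removed from the store."""
    ukey = store.keys[f.universe_key_id]
    data_key = _keystream_xor(ukey, b"wrap" + f.nonce, f.wrapped_data_key)
    return _keystream_xor(data_key, b"data" + f.nonce, f.ciphertext)


def compact(store: UniverseKeyStore, files: list) -> list:
    """Rewrite every file with a new data key wrapped under the current universe key.
    The old files, and with them the old data keys, are dropped."""
    return [write_file(store, f.name, read_file(store, f)) for f in files]


def files_referencing_old_keys(store: UniverseKeyStore, files: list) -> list:
    """Audit check: files whose data key still depends on a non-current universe key."""
    return [f.name for f in files if f.universe_key_id != store.current_id]


def demo() -> dict:
    store = UniverseKeyStore()
    store.add_and_activate("ukey-1")
    # Constructed sample rows standing in for sst file contents.
    files = [write_file(store, "sst-1", b"row A"), write_file(store, "sst-2", b"row B")]

    store.add_and_activate("ukey-2")  # rotation: existing files are not touched
    stale_after_rotation = files_referencing_old_keys(store, files)

    files = compact(store, files)  # manual compaction re-keys every file
    stale_after_compaction = files_referencing_old_keys(store, files)

    del store.keys["ukey-1"]  # safe only once no file references it
    return {
        "stale_after_rotation": stale_after_rotation,
        "stale_after_compaction": stale_after_compaction,
        "plaintexts_after_retiring_old_key": [read_file(store, f) for f in files],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both files still tied to `ukey-1` straight after rotation, none after compaction, and all data readable once the old universe key is deleted. Deleting the old key before compaction makes `read_file` raise `KeyError`, which is the operational risk behind keeping old universe keys available until the rewrite has happened.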