数据加密密钥轮换过程——旧密钥与新密钥

Question

Iam using .NET 6.0 and need to encrypt some configuration strings that are stored in the database.

Due to security compliance, I also need to rotate the encryption key (for every 60 days) as well. I can rotate the key using Keys - Rotation policy in Azure Key Vault.

But if the key is rotated (new key is generated) what about the existing encrypted data (using the old key) in the database?

Re-encrypting the whole data using the new key is not feasible options in my case.

Any solutions to handle this case?

UPDATE

I found this article on Envelope Encryption

Answer 1

I have seen an approach somewhere that is getting a key pair as the key which needs to be rotated.

Then a symmetric key is generated for encrypting the data itself. This second key is stored next to the data, encrypted by the original key. When you need to rotate the key, you can simply:

1. Decrypt the symmetric key
2. Rotate the key pair
3. Encrypt the symmetric key with the new key
4. Overwrite the encrypted symmetric key with the new one

Since the symmetric key is not rotated, the whole database can remain as is, just one record is changed.

Answer 2

Envelope Encryption will not meet Audit requirements. This is Shallow encryption. If a hacker has access to Data Encryption Key, DEK which is not rotated, does not matter if Master key (KEK) is rotated, they can get to all rows in database.

The true solution is to have a background process and re-encrypt all data with newly generated DEK and encrypt DEK with rotated KEK