Cynthia

My feedback

1 result found

  1. 11 votes

    Cynthia commented

    Hello Geoffrey,

    You should be able to use the native key rotation functionality in Azure if you set the key version when you specify the CMK in your setup. If you specify a versionless key identifier you will encounter problems with key rotation.

    Azure Key Vault doesn't work like AWS KMS or GCP Cloud KMS, where the KMS can identify which version of a key was used for encryption and use the same version for decryption. Instead, Azure Key Vault will always use the latest key version for either encryption or decryption if a versionless key identifier is used.

    Please note that if you do want to re-encrypt all of the existing DEKs with the new CMK, you will need to do a key rotation. The procedure is described in our docs here: https://www.mongodb.com/docs/manual/core/queryable-encryption/fundamentals/manage-keys/

    Thank you,

    Cynthia
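
One way to enforce the versioned identifier described in the comment above, as an added example that is not part of the original comment or MongoDB's own code. The function names and all vault, key and DEK values are constructed for illustration; `keyVaultEndpoint`, `keyName` and `keyVersion` are the fields of the Azure `masterKey` document.

```python
from urllib.parse import urlparse


def master_key_from_identifier(key_id):
    """Build an Azure masterKey document from a Key Vault key identifier,
    refusing identifiers that do not pin a key version."""
    url = urlparse(key_id)
    parts = [p for p in url.path.split("/") if p]
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"not an https key identifier: {key_id!r}")
    if len(parts) not in (2, 3) or parts[0] != "keys":
        raise ValueError(f"expected /keys/<name>/<version>: {key_id!r}")
    if len(parts) == 2:
        # Versionless: per the comment, Key Vault would use the latest version.
        raise ValueError(f"versionless key identifier: {key_id!r}")
    return {
        "keyVaultEndpoint": url.hostname,
        "keyName": parts[1],
        "keyVersion": parts[2],
    }


def unpinned_data_keys(key_docs):
    """Return the _id of each DEK document whose Azure masterKey has no keyVersion."""
    return [
        doc["_id"]
        for doc in key_docs
        if doc.get("masterKey", {}).get("provider") == "azure"
        and not doc["masterKey"].get("keyVersion")
    ]


# Constructed sample values, not taken from any real vault or key vault collection.
VAULT = "example-vault.vault.azure.net"
VERSION = "0123456789abcdef0123456789abcdef"
VERSIONED = f"https://{VAULT}/keys/cmk/{VERSION}"
VERSIONLESS = f"https://{VAULT}/keys/cmk"
SAMPLE_KEY_DOCS = [
    {"_id": "dek-1", "masterKey": {"provider": "azure", "keyVaultEndpoint": VAULT,
                                   "keyName": "cmk", "keyVersion": VERSION}},
    {"_id": "dek-2", "masterKey": {"provider": "azure", "keyVaultEndpoint": VAULT,
                                   "keyName": "cmk"}},
    {"_id": "dek-3", "masterKey": {"provider": "local"}},
]

if __name__ == "__main__":
    print(master_key_from_identifier(VERSIONED))
    print("DEKs without a pinned CMK version:", unpinned_data_keys(SAMPLE_KEY_DOCS))
```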
