VIP Auth Hub - KMS usage for encryption and decryption of password



Article ID: 258531


Products

VIP Authentication Hub

Issue/Introduction

Questions about AWS KMS usage for encryption and decryption of passwords

Q1. How does AWS KMS key rotation interact with encryption and decryption of data (specifically in the case of password history)?

Q2. If the CMK in KMS is corrupted or deleted and a new CMK is created in KMS for any reason, will decryption of existing encrypted data still succeed?

Environment

Release: Any

Resolution

*** Q1. How does AWS KMS key rotation interact with encryption and decryption of data (specifically in the case of password history)?

Answer --> As long as the same CMK is rotated, older data can still be decrypted, because KMS retains all previous key material for that CMK; there will not be any issue.


Reference -
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

*** Q2. If the CMK in KMS is corrupted or deleted and a new CMK is created in KMS for any reason, will decryption of existing encrypted data still succeed?

Answer --> As of now, Auth Hub will throw an exception because decryption at KMS will not succeed, and hence the password update will fail for the user.
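The two answers above follow from how KMS ties ciphertext to a key ID and to a specific piece of key material. The following is an added, self-contained Python model of that behaviour; it is not Auth Hub code and does not call the real AWS KMS API. Real KMS encrypts with AES-GCM under key material it never exposes; this model keeps a per-key list of backing keys and uses an HMAC-SHA256 keystream with an HMAC tag only to stay dependency-free. The key IDs, the `ModelKms` class and the sample password-history values are all constructed for the example.

```python
"""Model of AWS KMS key rotation vs. key replacement (constructed example).

A KMS key has a stable key ID and one or more backing keys (key material).
Rotation appends new material but keeps the old, so earlier ciphertext still
decrypts (Q1). Deleting the key and creating a new one yields a different key
ID with no link to the old material, so earlier ciphertext cannot be
decrypted and the caller sees an error (Q2).
"""
import hashlib
import hmac
import os
import secrets
import struct


class DecryptionError(Exception):
    """Raised where real KMS would return an error to the caller."""


def _keystream(backing_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for AES-GCM's keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(backing_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class ModelKms:
    def __init__(self) -> None:
        self._keys: dict[str, list[bytes]] = {}  # key_id -> backing keys by version

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)  # constructed; not a real KMS key ARN
        self._keys[key_id] = [os.urandom(32)]
        return key_id

    def rotate_key(self, key_id: str) -> None:
        # Rotation adds new material; all previous versions are retained.
        self._keys[key_id].append(os.urandom(32))

    def schedule_key_deletion(self, key_id: str) -> None:
        # Once the key is deleted, every backing key version is gone.
        del self._keys[key_id]

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        versions = self._keys[key_id]
        version = len(versions) - 1  # always encrypt under the newest material
        nonce = os.urandom(12)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(versions[version], nonce, len(plaintext))))
        # Header records which key and which material version produced the ciphertext.
        header = key_id.encode() + b"|" + struct.pack(">I", version) + nonce
        tag = hmac.new(versions[version], header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, ciphertext: bytes) -> bytes:
        key_id_raw, rest = ciphertext.split(b"|", 1)
        key_id = key_id_raw.decode()
        if key_id not in self._keys:
            raise DecryptionError(f"key {key_id} does not exist")
        version = struct.unpack(">I", rest[:4])[0]
        nonce, body, tag = rest[4:16], rest[16:-32], rest[-32:]
        versions = self._keys[key_id]
        if version >= len(versions):
            raise DecryptionError("unknown backing key version")
        backing = versions[version]
        expected = hmac.new(backing, key_id_raw + b"|" + rest[:16] + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise DecryptionError("integrity check failed")
        return bytes(c ^ k for c, k in zip(body, _keystream(backing, nonce, len(body))))


def rotation_keeps_history_readable() -> bool:
    """Q1: password-history entries encrypted before rotation still decrypt after it."""
    kms = ModelKms()
    key_id = kms.create_key()
    old_entry = kms.encrypt(key_id, b"old-password-hash-1")  # constructed sample
    kms.rotate_key(key_id)
    new_entry = kms.encrypt(key_id, b"new-password-hash-2")  # constructed sample
    return (kms.decrypt(old_entry) == b"old-password-hash-1"
            and kms.decrypt(new_entry) == b"new-password-hash-2")


def replacement_breaks_history() -> str:
    """Q2: delete the CMK, create a new one, then try to read the stored entry."""
    kms = ModelKms()
    old_key = kms.create_key()
    stored = kms.encrypt(old_key, b"old-password-hash-1")  # constructed sample
    kms.schedule_key_deletion(old_key)
    kms.create_key()  # new CMK: different key ID, no link to the old material
    try:
        kms.decrypt(stored)
        return "decrypted"
    except DecryptionError as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    print("after rotation, old history readable:", rotation_keeps_history_readable())
    print("after key replacement:", replacement_breaks_history())
```

The header carrying the key ID and material version is the part that matters: rotation only changes which version new ciphertext points at, whereas a replacement CMK has an ID that nothing in the stored ciphertext refers to, which is why the password update path in Auth Hub surfaces an error rather than silently re-encrypting.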