Posted to issues@iceberg.apache.org by GitBox <gi...@apache.org> on 2021/03/24 12:08:39 UTC

[GitHub] [iceberg] ggershinsky opened a new issue #2373: Rotation of encryption keys

ggershinsky opened a new issue #2373:
URL: https://github.com/apache/iceberg/issues/2373


   The envelope encryption practice requires periodic (or on-demand) re-wrapping of DEKs (data encryption keys) with new versions of master keys. KMS (key management service) generates the new master keys and keeps their history. The re-wrapped DEKs need to be updated in Iceberg metadata. In the case of double envelope encryption, the KEKs (key encryption keys) are either re-wrapped with new master keys - or re-generated, wrapped with new master keys, and used to re-wrap the DEKs.
   This mechanism will add a DDL clause to perform key rotation in Iceberg tables.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@iceberg.apache.org
For additional commands, e-mail: issues-help@iceberg.apache.org
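
The re-wrapping step described in the issue above, as an added Go example that is not part of the original thread or of the Iceberg code base. The in-memory `KMS` type, its method names and the blob layout (a one-byte master key version, which caps the demo at 256 versions, followed by nonce and ciphertext) are assumptions made for illustration, and only single envelope encryption is covered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KMS struct{ versions []cipher.AEAD } // hypothetical in-memory KMS stand-in

// Rotate generates a new 256-bit master key version; old versions stay in history.
func (k *KMS) Rotate() {
	mk := make([]byte, 32)
	rand.Read(mk)             // crypto/rand; does not fail on Go 1.24+
	b, _ := aes.NewCipher(mk) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(b)
	k.versions = append(k.versions, g)
}

// Wrap returns version byte || 12-byte nonce || AES-GCM(DEK) for the newest version.
func (k *KMS) Wrap(dek []byte) []byte {
	out := append([]byte{byte(len(k.versions) - 1)}, make([]byte, 12)...)
	rand.Read(out[1:])
	return k.versions[out[0]].Seal(out, out[1:], dek, out[:1]) // version bound as AAD
}

func (k *KMS) Unwrap(w []byte) ([]byte, error) {
	if len(w) < 13 || int(w[0]) >= len(k.versions) {
		return nil, fmt.Errorf("short blob or unknown master key version")
	}
	return k.versions[w[0]].Open(nil, w[1:13], w[13:], w[:1]) // version read from blob
}

// Rewrap moves a wrapped DEK to the newest version; the DEK itself is unchanged.
func (k *KMS) Rewrap(w []byte) ([]byte, error) {
	dek, err := k.Unwrap(w)
	if err != nil {
		return nil, err
	}
	return k.Wrap(dek), nil
}

func main() {
	kms := &KMS{}
	kms.Rotate()
	old := kms.Wrap(make([]byte, 32)) // constructed all-zero sample DEK
	kms.Rotate()
	fmt.Println(kms.Rewrap(old))
}
```

Because the DEK comes out of `Rewrap` unchanged, only the wrapped blob stored in metadata has to be replaced; data encrypted with that DEK is not touched.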


[GitHub] [iceberg] yeshvant-bhavnasi commented on issue #2373: Rotation of encryption keys

Posted by GitBox <gi...@apache.org>.
yeshvant-bhavnasi commented on issue #2373:
URL: https://github.com/apache/iceberg/issues/2373#issuecomment-816263279


   We can use the `RewriteManifest` API on Spark, which will use the rotated KMS master key.

