I have set the key rotation duration to 1 day in my Google service account and I want to decrypt the older ciphertext with the latest generated key. But how can I get the latest key details? Please help here.
If you have a ciphertext encrypted with KMS and pass it to the Decrypt API for the appropriate key, the correct key version is embedded inside the ciphertext data structure, so KMS will automatically use the appropriate key material for decryption, if that key version is still available. You don't need to keep track of the version for decryption to work.

Tim Dierks
- So the older ciphertext will get decrypted by the older keys only and the new data will be encrypted with the latest key. Am I right? – Ashish Sahu Apr 12 '21 at 05:10
- Yes, new encrypt calls use the "active" key version, decrypt calls use whichever the correct key version is, if it's available. – Tim Dierks Apr 12 '21 at 17:21
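
The behaviour described in the answer and comments above, as an added Python example that is not part of the original thread and is not Google's code. It is a constructed local model: the `ModelKey` class, the 4-byte version header and the toy HMAC-based cipher are assumptions for illustration, not Cloud KMS's actual ciphertext format.

```python
import hashlib
import hmac
import os


class VersionUnavailable(Exception):
    """The key version named in the ciphertext is disabled or destroyed."""


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode), for illustration only.
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


class ModelKey:
    """Constructed local model of a rotating key; not Cloud KMS's wire format."""

    def __init__(self):
        self.versions, self.primary = {}, 0  # version -> key bytes (None = destroyed)
        self.rotate()

    def rotate(self):
        self.primary += 1  # the new version becomes primary; older ones stay usable
        self.versions[self.primary] = os.urandom(32)

    def destroy(self, version):
        self.versions[version] = None

    def encrypt(self, plaintext):
        # New encryptions always use the primary version and record it in the header.
        key = self.versions[self.primary]
        header = self.primary.to_bytes(4, "big") + os.urandom(16)
        body = header + _xor_stream(_prf(key, b"enc"), header[4:], plaintext)
        return body + _prf(_prf(key, b"mac"), body)

    def decrypt(self, blob):
        # The caller names only the key; the version is read from the ciphertext.
        version, body, tag = int.from_bytes(blob[:4], "big"), blob[:-32], blob[-32:]
        key = self.versions.get(version)
        if key is None:
            raise VersionUnavailable(f"key version {version} is not available")
        if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), body)):
            raise ValueError("ciphertext failed its integrity check")
        return _xor_stream(_prf(key, b"enc"), body[4:20], body[20:])
```

In this model, ciphertext written before a rotation keeps decrypting afterwards without re-encryption, and it stops decrypting only once its own version is destroyed.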