6.4.4.9 Plugin-Specific Keyring Key-Management Functions

keyring_aws_rotate_cmk()

This UDF is associated with the keyring_aws plugin. Its use requires the SUPER privilege.

keyring_aws_rotate_cmk() rotates the customer master key (CMK). Rotation changes only the key that AWS KMS uses for subsequent data key-encryption operations. AWS KMS maintains previous CMK versions, so keys generated using previous CMKs remain decryptable after rotation.

Rotation changes the CMK value used inside AWS KMS but does not change the ID used to refer to it, so there is no need to change the keyring_aws_cmk_id system variable after calling keyring_aws_rotate_cmk().

Arguments:

None.

Return value:

Returns 1 for success, or NULL and an error for failure.

keyring_aws_rotate_keys()

This UDF is associated with the keyring_aws plugin. Its use requires the SUPER privilege.

keyring_aws_rotate_keys() rotates keys stored in the keyring_aws storage file named by the keyring_aws_data_file system variable. Rotation sends each key stored in the file to AWS KMS for re-encryption using the value of the keyring_aws_cmk_id system variable as the CMK value, and stores the new encrypted keys in the file.

keyring_aws_rotate_keys() is useful for key re-encryption under these circumstances:

Arguments:

None.

Return value:

Returns 1 for success, or NULL and an error for failure.