I am following GCP's instructions for Storing Secrets in Storage Bucket. KMS is used for file encryption before it's being uploaded to Storage Bucket.
Since data encryption happens outside of Google's storage I am a bit confused with one aspect of key rotation.
Let's consider a specific scenario:
- Key A (which is in fact A_ver1, because the keys are versioned). Also, the key rotation policy is set up to trigger rotation yearly.
- I encrypt some_file.txt with A_ver1:
curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/my-project/<...>" \
-d "{\"plaintext\":\"<...SOME_FILE_CONTENT...>\"}" \
-H "Authorization:Bearer $(gcloud auth application-default print-access-token)" \
-H "Content-Type:application/json"
- The encrypted file is uploaded as some_file.txt.encrypted.
- A_ver1 gets disabled, A_ver2 is generated and activated.
- some_file.txt.encrypted is needed again. I am downloading the file, then trying to run a command to unencrypt the file using the A_ver2...
Question 1: What is going to happen when I try to unencrypt the file with A_ver2 if it was encrypted with the earlier version A_ver1?
Question 2: If the unencryption fails, what am I supposed to do in the first place to prevent it?
Old versions are not automatically disabled on rotation.
Question 1: When you decrypt with a particular CryptoKey, the server chooses the correct version (mentioned in the Decrypt document). As long as a version is not disabled, it is still usable.
Question 2: In your particular scenario, decryption won't fail due to using the old version.
Key rotation mentions the behavior you expect, and, as it notes, implementing a strategy that re-encrypts data with new versions and disables the old ones can be tricky.
Please let me know if you have any other questions.
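The following is an added example, not code from the question or the answer, and it does not talk to Cloud KMS. It replaces the service with an in-memory stand-in so the version handling the answer describes can be run offline: every ciphertext carries the number of the version that produced it, decrypt is called with the key only and resolves the version from the ciphertext, rotation adds a new primary without disabling anything, and a decrypt fails only once the version named in the ciphertext has been disabled. The cipher itself (a SHA-256 keystream with an HMAC tag) is a constructed toy, not the algorithm KMS uses, and the key name is a constructed placeholder; the `reencrypt` method models the migration step the answer calls tricky.

```python
import hashlib
import hmac
import os
import struct


class KeyVersionDisabled(Exception):
    """Raised when the ciphertext names a version that is currently disabled."""


class VersionedKey:
    """Constructed stand-in for a versioned CryptoKey; not the real Cloud KMS service."""

    HEADER = struct.Struct(">H")  # version number prefixed to every ciphertext

    def __init__(self, name):
        self.name = name
        self.versions = {}  # version number -> {"material": bytes, "enabled": bool}
        self.primary = None
        self.rotate()  # creating the key creates version 1 and makes it primary

    def rotate(self):
        """Add a new version and make it primary; older versions stay enabled."""
        number = len(self.versions) + 1
        self.versions[number] = {"material": os.urandom(32), "enabled": True}
        self.primary = number
        return number

    def set_enabled(self, number, enabled):
        """Disable or re-enable one version; the primary is unaffected."""
        self.versions[number]["enabled"] = enabled

    @staticmethod
    def _keystream(material, nonce, length):
        # Toy keystream: SHA-256 over (material, nonce, counter). Illustration only.
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(material + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        """Encrypt under the primary version; the version number travels with the ciphertext."""
        version = self.versions[self.primary]
        nonce = os.urandom(12)
        stream = self._keystream(version["material"], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, stream))
        header = self.HEADER.pack(self.primary) + nonce
        tag = hmac.new(version["material"], header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, ciphertext):
        """The caller names only the key; the version is read from the ciphertext header."""
        (number,) = self.HEADER.unpack_from(ciphertext)
        nonce = ciphertext[2:14]
        body, tag = ciphertext[14:-32], ciphertext[-32:]
        version = self.versions[number]
        if not version["enabled"]:
            raise KeyVersionDisabled(f"{self.name} version {number} is disabled")
        expected = hmac.new(version["material"], ciphertext[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        stream = self._keystream(version["material"], nonce, len(body))
        return bytes(c ^ k for c, k in zip(body, stream))

    def reencrypt(self, ciphertext):
        """Migration step: decrypt under whatever version produced it, re-encrypt under primary."""
        return self.encrypt(self.decrypt(ciphertext))


def ciphertext_version(ciphertext):
    """Which version number a ciphertext is bound to."""
    return VersionedKey.HEADER.unpack_from(ciphertext)[0]


def run_scenario():
    """Walk through the question's scenario and record what happens at each step."""
    # Constructed placeholder key name, not a real resource.
    key = VersionedKey("projects/my-project/locations/global/keyRings/example-ring/cryptoKeys/A")
    blob = key.encrypt(b"contents of some_file.txt")  # encrypted with A_ver1
    result = {"encrypted_with": ciphertext_version(blob)}

    key.rotate()  # yearly rotation: A_ver2 becomes primary, A_ver1 stays enabled
    result["after_rotation"] = key.decrypt(blob)  # still decrypts, version resolved from header

    key.set_enabled(1, False)  # the extra step the question assumes happens on rotation
    try:
        key.decrypt(blob)
        result["after_disable"] = "decrypted"
    except KeyVersionDisabled:
        result["after_disable"] = "failed"

    key.set_enabled(1, True)  # recovery: re-enable the old version, migrate, then disable it
    migrated = key.reencrypt(blob)
    key.set_enabled(1, False)
    result["migrated_version"] = ciphertext_version(migrated)
    result["after_migration"] = key.decrypt(migrated)
    return result


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value!r}")
```

The scenario shows the two points from the answer side by side: after rotation the old ciphertext still decrypts because decrypt never asks the caller for a version, and the only way to break it is to disable the version the ciphertext names. The order in `run_scenario` (re-enable, re-encrypt everything, then disable) is the safe sequence for retiring a version; disabling before every object has been migrated is what leaves files unreadable.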