@@ -266,10 +266,111 @@ As a result, the ``salary`` fields in the two example documents are
266266uniquely encrypted using {+dek-long+}s specific to the individual
267267document. The keys are assigned dynamically at runtime.
268268
269+ .. _csfle_fundamentals_rotate_keys:
270+
271+ Rotate Encryption Keys
272+ ----------------------
273+
274+ Key rotation is the process of retiring an existing encryption key and replacing
275+ it with a new one. Regularly rotating encryption keys is considered a best practice.
276+
277+ Rotate a {+cmk-long+}
278+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
279+
280+ To rotate a {+cmk-long+} (CMK), you must perform the following actions:
281+
282+ #. Decrypt all data using the {+dek-long+}s encrypted with your
283+ previous CMK.
284+ To learn more about decrypting your data, see :ref:`csfle-fundamentals-manual-encryption-manual-decryption`.
285+ #. Create a new CMK.
286+ #. Create new {+dek-long+}s using the new CMK.
287+ #. Encrypt your data with the new {+dek-long+}s that were created with your
288+ new CMK.
289+
290+ .. warning:: Don't Delete Keys Until the Rotation is Complete
291+
292+ Ensure you keep both your previous and new CMKs and
293+ {+dek-long+}s until the rotation is complete. If you delete your
294+ previous CMK before the rotation is complete, you will lose
295+ all data with {+dek-long+}s that are still encrypted with your previous CMK.
296+ If you delete a previous {+dek-long+} before your rotation is complete,
297+ you risk losing data still encrypted with that {+dek-long+}.
298+
299+ .. warning:: Switching from locally-managed master key to a remote KMS
300+
301+ Before you switch from a locally-managed master key to a remote KMS,
302+ you must decrypt all documents containing field-encrypted data.
303+ Your existing data encryption keys can only be decrypted with the original
304+ locally-managed master key and not the CMK that the KMS generates.
305+
306+ Failure to decrypt all data at this stage may cause permanent and
307+ unrecoverable data loss.
308+
309+ ``mongosh`` provides a helper method to rotate your CMKs. To learn more, see
310+ :ref:`csfle-rotate-keys-mongo-shell`.
311+
312+ Rotate a {+dek-long+}
313+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
314+
315+ To rotate a {+dek-long+} (DEK), you must perform the following actions:
316+
317+ #. Decrypt all data encrypted with that DEK.
318+ To learn more about decrypting your data, see :ref:`csfle-fundamentals-manual-encryption-manual-decryption`.
319+ #. Create a new DEK.
320+ #. Encrypt your decrypted data with the new DEK.
321+
322+ .. warning:: Don't Delete Keys Until the Rotation is Complete
323+
324+ Ensure you keep both your previous and new DEK until the rotation
325+ is complete. If you delete your previous DEK before the rotation
326+ is complete, you will lose all data still encrypted with that DEK.
327+
328+ ``mongosh`` provides a helper method to rotate your DEKs. To learn more, see
329+ :ref:`csfle-rotate-keys-mongo-shell`.
330+
331+ .. _csfle-rotate-keys-mongo-shell:
332+
333+ Procedure: Rotate Encryption Keys Using Mongo Shell
334+ ---------------------------------------------------
335+
336+ With version 1.5 and later of the Mongo Shell, you can rotate encryption keys
337+ using the ``rewrapManyDataKey`` method. The ``rewrapManyDataKey`` method
338+ automatically decrypts multiple data keys and re-encrypts them using a specified
339+ {+cmk-long+} (CMK). It then updates the rotated keys in the key vault collection.
340+ This method allows you to rotate encryption keys based on two optional arguments:
341+
342+ - A filter used to specify which keys to rotate. If no data key matches
343+ the given filter, no keys will be rotated. Omit the filter to rotate all keys
344+ in your key vault collection.
345+
346+ - An object that represents a new CMK. Omit this object to rotate
347+ the data keys using their current CMKs.
348+
349+ The ``rewrapManyDataKey`` uses the following syntax:
350+
351+ .. code-block:: json
352+
353+ keyVault = db.getKeyVault()
354+
355+ keyVault.rewrapManyDataKey(
356+ {
357+ "<Your custom filter>"
358+ },
359+ {
360+ provider: "<KMS provider>",
361+ masterKey: {
362+ "<dataKeyOpts Key>" : "<dataKeyOpts Value>"
363+ }
364+ }
365+ )
366+
367+ To learn more about the ``dataKeyOpts`` object for your KMS provider, see
368+ :ref:`csfle-reference-kms-providers-supported-kms`.
369+
269370.. _field-level-encryption-data-key-delete:
270371
271372Delete a {+dek-long+}
272- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
373+ ----------------------------
273374
274375You can delete a {+dek-abbr+} from your {+key-vault-long+} using standard CRUD
275376:ref:`delete operations <write-op-delete>`.
0 commit comments