Can we rotate AWS CustomerManagedKeys (CMK) provided to Portworx?

When using AWS KMS as a secret provider a CMK or a CustomerManagedKey is passed as an input argument to Portworx (“AWS_CMK”). Portworx will use the provided CMK to generate DataKeys that will be used for:

  1. Encrypting/Decrypting Portworx secure volumes
  2. Securely store cloud credentials used for cloudsnaps.

At any point of time you can rotate the CMK using AWS console or AWS CLI. More info about AWS Key rotation here. There are two approaches in which you can rotate AWS CMKs:

  • Manual CMK rotation
  • Automatic CMK rotation

For Manual CMK rotation, you will need to update the Portworx input argument (AWS_CMK) with the new CMK ID/ARN. As mentioned in the AWS docs, it is necessary that you retain and not disable the old CMKs since AWS requires them to fetch the DataKeys which were created using that CMK.

For Automatic CMK rotation, AWS will retain the old CMK ID/ARN and you won’t need to update the Portworx input argument.