HDFSDataatRestEncryption.pdf says the following about key rotation (please see the excerpt appended at the end of the mail). If the existing files do not have their EDEKs reencrypted using the new ezkeyid, how would the existing files be decrypted? That is, where is the mapping between files and their EZKey ids stored (since after key rotation different files have different EZKeys), and how is it retrieved? Thanks Sitaraman
Key Rotation

When the administrator causes a key rotation of the EZkey in the KMS, the encryption zone's EZkey (stored in the encryption zone directory's raw.hdfs.crypto.encryption.zone extended attribute) gets the new keyid and version (only the version changes). Any new files created in the encryption zone have their DEKs encrypted using the new key version. Existing files do not have their EDEKs reencrypted using the new ezkeyid/version, but this will be considered as a future enhancement. Note that a key rotation only needs to cause a reencryption of the DEK, not a reencryption of the underlying file.
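The mechanism the excerpt describes can be shown end to end with a small simulation. The following is an added example, not code from the design document or from Hadoop: the KMS, NameNodeSim, EDEK and FileEncryptionInfo classes are assumed stand-ins for the real components, and the SHA-256 counter keystream is a toy cipher used only so the script runs with the standard library. The point it demonstrates is that the wrapped DEK (EDEK) each file carries records the name of the key version that wrapped it (in HDFS this per-file record is the file's own encryption-info extended attribute, separate from the zone's raw.hdfs.crypto.encryption.zone attribute), so a file written before rotation still decrypts through the old version while the zone attribute now points at the new one; it also shows the "future enhancement" rewrap, which touches only the EDEK and leaves the file ciphertext unchanged.

```python
import hashlib
import secrets
from dataclasses import dataclass


# Toy keystream: SHA-256 in counter mode. Illustration only so the script
# runs offline; HDFS uses AES/CTR, and this construction must not be reused.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class EDEK:
    key_version: str   # e.g. "zone1key@1": the KMS key version that wrapped the DEK
    iv: bytes
    ciphertext: bytes


class KMS:
    """Assumed stand-in for the Hadoop KMS: one key name, many retained versions."""

    def __init__(self):
        self._material = {}   # "name@N" -> key bytes (old versions are kept)
        self._current = {}    # name -> current "name@N"

    def roll_new_version(self, name: str) -> str:
        n = sum(1 for v in self._material if v.startswith(name + "@")) + 1
        version = f"{name}@{n}"
        self._material[version] = secrets.token_bytes(32)
        self._current[name] = version
        return version

    def current_version(self, name: str) -> str:
        return self._current[name]

    def generate_encrypted_key(self, name: str):
        """Fresh DEK, wrapped under the *current* version of the zone key."""
        version = self._current[name]
        dek, iv = secrets.token_bytes(16), secrets.token_bytes(16)
        return dek, EDEK(version, iv, _xor(dek, _keystream(self._material[version], iv, 16)))

    def decrypt_encrypted_key(self, edek: EDEK) -> bytes:
        """The EDEK names the version that wrapped it, so old versions still unwrap."""
        return _xor(edek.ciphertext, _keystream(self._material[edek.key_version], edek.iv, 16))

    def reencrypt_encrypted_key(self, edek: EDEK, name: str) -> EDEK:
        """Rewrap an existing DEK under the current version; the DEK itself is unchanged."""
        dek, version, iv = self.decrypt_encrypted_key(edek), self._current[name], secrets.token_bytes(16)
        return EDEK(version, iv, _xor(dek, _keystream(self._material[version], iv, 16)))


@dataclass
class FileEncryptionInfo:
    edek: EDEK         # per-file record; stands in for the file's encryption-info xattr
    file_iv: bytes
    ciphertext: bytes


class NameNodeSim:
    """Assumed stand-in for the NameNode's zone and file metadata."""

    def __init__(self, kms: KMS):
        self.kms = kms
        self.zone_xattr = {}   # zone path -> (key name, version recorded on the zone)
        self.files = {}        # file path -> FileEncryptionInfo

    def create_zone(self, path: str, key_name: str):
        self.zone_xattr[path] = (key_name, self.kms.current_version(key_name))

    def rotate_zone_key(self, path: str):
        key_name, _ = self.zone_xattr[path]
        self.zone_xattr[path] = (key_name, self.kms.roll_new_version(key_name))

    def write(self, zone: str, path: str, data: bytes):
        key_name, _ = self.zone_xattr[zone]
        dek, edek = self.kms.generate_encrypted_key(key_name)
        iv = secrets.token_bytes(16)
        self.files[path] = FileEncryptionInfo(edek, iv, _xor(data, _keystream(dek, iv, len(data))))

    def read(self, path: str) -> bytes:
        info = self.files[path]
        dek = self.kms.decrypt_encrypted_key(info.edek)
        return _xor(info.ciphertext, _keystream(dek, info.file_iv, len(info.ciphertext)))

    def reencrypt_file_edek(self, zone: str, path: str):
        key_name, _ = self.zone_xattr[zone]
        self.files[path].edek = self.kms.reencrypt_encrypted_key(self.files[path].edek, key_name)


def demo() -> dict:
    """Constructed scenario: one file before rotation, one after, then a rewrap."""
    kms = KMS()
    kms.roll_new_version("zone1key")
    nn = NameNodeSim(kms)
    nn.create_zone("/zone1", "zone1key")
    nn.write("/zone1", "/zone1/old.txt", b"written before rotation")
    nn.rotate_zone_key("/zone1")
    nn.write("/zone1", "/zone1/new.txt", b"written after rotation")
    result = {
        "zone_version": nn.zone_xattr["/zone1"][1],
        "old_file_version": nn.files["/zone1/old.txt"].edek.key_version,
        "new_file_version": nn.files["/zone1/new.txt"].edek.key_version,
        "old_plain": nn.read("/zone1/old.txt"),
        "new_plain": nn.read("/zone1/new.txt"),
    }
    before = nn.files["/zone1/old.txt"].ciphertext
    nn.reencrypt_file_edek("/zone1", "/zone1/old.txt")
    result["old_version_after_reencrypt"] = nn.files["/zone1/old.txt"].edek.key_version
    result["ciphertext_unchanged"] = nn.files["/zone1/old.txt"].ciphertext == before
    result["old_plain_after_reencrypt"] = nn.read("/zone1/old.txt")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script prints the zone attribute at version 2, the old file's EDEK still at version 1 and the new file's at version 2, with both files readable; after the rewrap the old file's EDEK moves to version 2 while its ciphertext is byte-for-byte unchanged. The lookup the mail asks about therefore needs no separate file-to-version table: the version name travels with each file's own EDEK, and the KMS keeps every version it has issued.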