Key rotation process for a compromised KMIP-managed encryption key in ScyllaDB

Varun_Arora · April 27, 2025, 4:18am

We have set up a remote KMIP server and encrypted several tables, creating a new key for each table on the KMIP server. We would like to understand the process in case of a potential compromise. According to the documentation (Encryption at Rest | ScyllaDB Docs), we can use the ALTER command on a table to generate a new key on the KMIP server, while keeping the old key intact on the KMIP server.

However, based on the key alias/UUID (available to us on the KMIP server), how can we determine which table is associated with a specific key UUID? Is there an internal table in Scylla that links tables to their respective key UUIDs? Or, if there is a better approach to key rotation, we would appreciate any guidance on that.

elcallio · July 17, 2025, 9:21am

To rotate a key using KMIP:
First Modify your KMIP config so that queries for a key based on properties (such as length, cryptographic usage etc) does no longer return the key to be retired.
Then either:

Wait for natural sstable rewrites (compaction) to rewrite all data using new key(s) (can take days)
Or:
Wait 20m for caches to expire
Run nodetool upgradesstables -all on all relevant nodes to force rewriting sstables.

Topic		Replies	Views
[RELEASE] ScyllaDB Enterprise 2023.1.1 Release Notes enterprise , enterprise-release , enterprise-2023-1	1	415	September 27, 2023
Last week in scylla-cluster-tests.git master (issue #22; 2023-09-01) ScyllaDB git-testing-news	0	193	September 1, 2023
Last week in scylladb.git master (issue #159; 2022-12-18) ScyllaDB git-news	0	301	December 18, 2022
Running Repair after changing the Replication Factor ScyllaDB	1	169	November 14, 2022
Migrating from DynamoDB to ScyllaDB ScyllaDB alternator , migration , amazon-dynamodb	1	241	December 13, 2022

Key rotation process for a compromised KMIP-managed encryption key in ScyllaDB

Related topics