True or False? After rotating a transit encryption key, all data encrypted with the previous version must be rewrapped or re-encrypted with the new key.
False. When a transit key is rotated in Vault (e.g., via `vault write -f transit/keys/<name>/rotate`), the new key version becomes the default for future encrypt operations, but data encrypted with previous versions remains decryptable without rewrapping or re-encryption. Vault keeps every version in the key's keyring, and the ciphertext prefix (e.g., `vault:v1:`) records which version produced it, so the decrypt endpoint selects the matching version automatically. Rotation therefore does not force a bulk re-encryption of existing data. Rewrapping becomes necessary only if you raise `min_decryption_version` (via `transit/keys/<name>/config`) to archive older versions: ciphertext below that version is then rejected with a "disallowed by policy (too old)" error, so such data must be passed through `transit/rewrap/<name>` (which re-encrypts under the latest version without returning plaintext to the caller) before the policy is raised. That is an optional hardening step, not default behavior.
Option A (True) is incorrect per Vault's Transit documentation, which notes that data encrypted with older versions can still be decrypted after rotation without immediate action.
References: Transit Secrets Engine Usage; Key Version Management
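To make the keyring behaviour concrete, here is an added offline model of the transit semantics described above (example code written for this page, not HashiCorp's implementation). It assumes a toy HMAC-SHA256 counter-mode stream with an HMAC tag in place of Vault's AES-GCM, and an in-memory keyring; the `TransitKeyModel`, `rotation_walkthrough` and "orders" key names are illustrative. What it demonstrates is the part the question turns on: the `vault:vN:` prefix selects the key version on decrypt, v1 data stays readable after rotation, and only raising `min_decryption_version` breaks old ciphertext, which is why rewrap must happen before the policy change.

```python
"""Offline model of how Vault's transit engine handles key rotation.

Added example, not HashiCorp's code. The cipher below is a toy HMAC-SHA256
counter-mode stream plus an HMAC tag, standing in for Vault's AES-GCM; only
the keyring / version-prefix behaviour is what is being demonstrated.
"""
import base64
import hashlib
import hmac
import secrets


class TransitKeyModel:
    """One named transit key: a keyring of versions plus rotation policy."""

    PREFIX = "vault:v"

    def __init__(self, name: str) -> None:
        self.name = name
        self.versions = {1: secrets.token_bytes(32)}  # version -> key material
        self.latest_version = 1
        self.min_decryption_version = 1  # mirrors transit/keys/<name>/config

    def rotate(self) -> int:
        """Add a new key version; older versions stay in the keyring."""
        self.latest_version += 1
        self.versions[self.latest_version] = secrets.token_bytes(32)
        return self.latest_version

    def set_min_decryption_version(self, version: int) -> None:
        """Archive versions below `version`: they may no longer decrypt."""
        if not 1 <= version <= self.latest_version:
            raise ValueError("min_decryption_version out of range")
        self.min_decryption_version = version

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> str:
        """Encrypt with the latest version and tag the ciphertext with it."""
        version = self.latest_version
        key = self.versions[version]
        nonce = secrets.token_bytes(12)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        return f"{self.PREFIX}{version}:" + base64.b64encode(nonce + body + tag).decode()

    def decrypt(self, ciphertext: str) -> bytes:
        """Pick the key version from the prefix; refuse archived versions."""
        if not ciphertext.startswith(self.PREFIX):
            raise ValueError("invalid ciphertext: no version prefix")
        version_str, _, blob = ciphertext[len(self.PREFIX):].partition(":")
        version = int(version_str)
        if version not in self.versions:
            raise ValueError(f"unknown key version v{version}")
        if version < self.min_decryption_version:
            raise ValueError(f"ciphertext version v{version} is disallowed by policy (too old)")
        key = self.versions[version]
        raw = base64.b64decode(blob)
        nonce, body, tag = raw[:12], raw[12:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(body, self._keystream(key, nonce, len(body))))

    def rewrap(self, ciphertext: str) -> str:
        """Re-encrypt under the latest version, like transit/rewrap/<name>."""
        return self.encrypt(self.decrypt(ciphertext))


def rotation_walkthrough() -> dict:
    """Reproduce the question's scenario; returns what each step observed."""
    key = TransitKeyModel("orders")               # constructed sample key
    secret = b"order-1234:total=99.00"            # constructed sample plaintext
    old_ct = key.encrypt(secret)
    key.rotate()                                  # like: vault write -f transit/keys/orders/rotate
    new_ct = key.encrypt(secret)
    result = {
        "old_prefix": old_ct.split(":")[1],       # v1
        "new_prefix": new_ct.split(":")[1],       # v2
        "old_still_decrypts": key.decrypt(old_ct) == secret,
    }
    # Rewrap BEFORE raising min_decryption_version, or v1 data becomes unreadable.
    rewrapped = key.rewrap(old_ct)
    result["rewrapped_prefix"] = rewrapped.split(":")[1]
    key.set_min_decryption_version(2)
    try:
        key.decrypt(old_ct)
        result["v1_blocked_after_policy"] = False
    except ValueError:
        result["v1_blocked_after_policy"] = True
    result["rewrapped_decrypts"] = key.decrypt(rewrapped) == secret
    return result


if __name__ == "__main__":
    print(rotation_walkthrough())
```

Running `rotation_walkthrough()` shows the old ciphertext still decrypting after rotation (`old_still_decrypts` is true with a `v1` prefix), and only failing once `min_decryption_version` is raised past it, while the rewrapped copy carries a `v2` prefix and keeps working. In real Vault the same sequence is `rotate`, then `rewrap` over stored ciphertexts, then the `config` write; reversing the last two steps is the operational mistake the question is probing.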