Application environment:
Kubernetes
TiDB version:
v7.1.2
Reproduction method:
N/A
Problem:
When encryption at rest is enabled, you are able to rotate the master key by updating the config to reference both the prior key and the new key: Encryption at Rest | PingCAP Docs
The documentation seems a little ambiguous as to how exactly the rotation works though, and how you can safely rotate the master key multiple times.
The documentation states the old key is only needed upon restart, and then only the new key is needed from that point on; Does this correctly imply that all data is re-encrypted with the new key upon restart?
If so, does that further imply that the prior key may be removed post-restart?
Resource allocation:
N/A
Attachment:
N/A