How to deal with key rotation and ProtectKeysWithAzureKeyVault

[Duke4848]

The current situation:

• I have some unprotected data protection keys stored in a file storage
• In the key vault I have key for encryption of next generated data protection keys(no keys have been yet generated while this key exists)

Desired situation:

-The next generated data-protection keys are gonna be encrypted with the newest key existing in keyvault
-Generation of newer key for the encryption will not get in the way of decrypting older data-protection keys

My question is when I use ProtectKeysWithAzureKeyVault , how to rotate the key for encryption of data-protection keys and what to do to ensure that I won't break usage of previous data-protection keys.

[blowdart]

If you're using the same key store, just with a new protection mechanism it'll be fine. The keys themselves contain information on how to unprotect them, and plain text ones should "just work" even if newer ones are encrypted.