Publication date: May 2, 2022
CockroachDB Encryption-At-Rest (EAR) provides automatic data key rotation at a configurable interval, defaulting to every week. While the store key is set by the operator when they start CockroachDB, data keys are managed by CockroachDB's EAR layer. Data key rotation improves data security by reducing the effect of any single exposed data key, as newer data files would be encrypted with newer keys.
A bug in initialization of store and data keys on node restart led to data key rotation getting inadvertently disabled if the store key specified in the
--enterprise-encryption flag hadn't changed since the last node start.
This is resolved in CockroachDB by PR 80114.
The fix has been applied to maintenance versions v21.1.19 and v21.2.10 of CockroachDB.
This public issue is tracked by 79066.
Users of CockroachDB v20.2, v21.1, and v21.2 are encouraged to upgrade to v21.1.19, v21.2.10, or a later version of CockroachDB.
Alternatively, for the time being, users with strong requirements around data key rotation can continue to manually rotate store keys to force a data key rotation.
All clusters with encryption-at-rest enabled running versions of CockroachDB v20.2.x, v21.1.0 to v21.1.18, and v21.2.0 to v21.2.9 are impacted, except for nodes with continuous CockroachDB uptime since the last store key rotation. Impacted nodes are likely to have a larger-than-ideal proportion of their data files encrypted with the last data key, increasing the chance of a data breach if that key were to be exposed.
Please reach out to the support team for more information.