Tags: google-cloud-platform, cloud, google-cloud-sql, google-cloud-kms

what happens to my Cloud SQL instance when the KMS key rotates?


My Cloud SQL is encrypted by a CMEK (via Cloud KMS) that rotates every year. Provided that my SQL instance stays up and running for over a year, what will happen to my database instance when the key rotates? Does GCP encrypt the data using the new version automatically, or do I need to decrypt/re-encrypt the instance manually?

I can't find the answer from GCP documentation.


Solution

  • When you create a Cloud SQL instance with a customer managed encryption key (CMEK), the instance is encrypted with that key.

    When the key rotates, nothing happens to the SQL instance. It continues to use the original key version.

    If you want to re-encrypt with the new key version, you must manually re-encrypt.

    The CLI supports the following command:

    gcloud sql instances reencrypt INSTANCE_NAME
    

    Consult the following documentation for detailed steps using the Console and CLI:

    Re-encrypt an existing CMEK-enabled instance or replica

    When you re-encrypt an instance, keep note of the following limitations:

    • You can't perform any other admin operations on the instance while the re-encryption operation is going on.
    • The re-encryption operation triggers a downtime that depends on the instance or replica size.
    • Replicas of an instance aren't re-encrypted when an instance is re-encrypted. You need to re-encrypt each replica separately.
    • Backups aren't automatically re-encrypted with the new key version when you re-encrypt your instance. To restore the backup or point-in-time-recovery to a time after the backup is taken, you'll need to keep the Cloud KMS key version the backup is encrypted with.
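Putting the answer's steps together, here is an added shell example (not from the original post or from Google's documentation) that checks which key version an instance is actually using, compares it with the key's current primary version, and only then runs `gcloud sql instances reencrypt` on the instance and on each of its replicas, since replicas are separate operations. It assumes the `diskEncryptionStatus.kmsKeyVersionName` field on `gcloud sql instances describe`, the `primary.name` field on `gcloud kms keys describe`, and the `masterInstanceName` filter on `gcloud sql instances list`; if your gcloud output differs, adjust those format strings. The KMS resource names in the comments are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: bring a CMEK-protected Cloud SQL instance and its replicas onto
# the key's current primary version. Field names used with --format are assumed
# (diskEncryptionStatus.kmsKeyVersionName, primary.name, masterInstanceName).
# Set DRY_RUN=1 to print the gcloud commands instead of running them.
set -eu

# Numeric version from a constructed name such as
# projects/p/locations/l/keyRings/r/cryptoKeys/k/cryptoKeyVersions/3  ->  3
kms_version_number() {
  printf '%s\n' "$1" | sed -n 's#.*/cryptoKeyVersions/\([0-9][0-9]*\)$#\1#p'
}

# Drop the /cryptoKeyVersions/N suffix so we can ask KMS about the key itself.
kms_key_of_version() {
  printf '%s\n' "$1" | sed 's#/cryptoKeyVersions/[0-9][0-9]*$##'
}

# True (exit 0) when the version the instance uses is not the key's primary.
needs_reencrypt() {
  [ "$(kms_version_number "$1")" != "$(kms_version_number "$2")" ]
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Re-encrypt one instance and then each of its read replicas, one at a time:
# each re-encryption causes downtime and blocks other admin operations.
reencrypt_to_primary() {
  instance="$1"
  in_use=$(gcloud sql instances describe "$instance" \
             --format='value(diskEncryptionStatus.kmsKeyVersionName)')
  key=$(kms_key_of_version "$in_use")
  primary=$(gcloud kms keys describe "$key" --format='value(primary.name)')

  if ! needs_reencrypt "$in_use" "$primary"; then
    echo "$instance already uses primary version $(kms_version_number "$primary")"
    return 0
  fi
  echo "$instance uses version $(kms_version_number "$in_use"); primary is $(kms_version_number "$primary")"

  run gcloud sql instances reencrypt "$instance"

  # Replicas keep the old version until re-encrypted individually.
  for replica in $(gcloud sql instances list \
                     --filter="masterInstanceName:$instance" --format='value(name)'); do
    run gcloud sql instances reencrypt "$replica"
  done

  # Backups are still encrypted with the old version: do not disable or destroy
  # version $(kms_version_number "$in_use") while any backup or PITR window needs it.
}

# Usage: ./reencrypt.sh INSTANCE_NAME   (DRY_RUN=1 ./reencrypt.sh INSTANCE_NAME to preview)
if [ "${1:-}" != "" ]; then
  reencrypt_to_primary "$1"
fi
```

The comparison is done on the version number rather than the whole resource name so that it still works if the key is referenced through a different project alias; the dry-run mode lets you review exactly which instances will take downtime before committing.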