Open
Description
Summary
Support rotating the master encryption key (KEK) and re-encrypting all existing objects with the new key.
Problem
Currently, if the encryption key (S3PROXY_ENCRYPT_KEY) is compromised or needs rotation per compliance policy, there's no way to re-encrypt existing objects. The only option is to download everything, change the key, and re-upload — which is error-prone and requires downtime.
Proposal
- Accept multiple KEKs: a primary (for new writes) and one or more retired keys (for reading old objects)
- Provide a CLI command or background job to re-wrap DEKs with the new KEK
- Since each object has its own DEK wrapped by the KEK, rotation only needs to re-wrap the DEK — not re-encrypt the data itself
- Track rotation progress per bucket/prefix
- Support dry-run mode
Considerations
- Zero-downtime: reads should work with both old and new KEK during rotation
- Idempotent: safe to restart if interrupted
- Should work with both single-blob and multipart encrypted objects
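A sketch of the re-wrap step proposed above, added here as an example and not taken from the project's code. The `Keyring` and `Wrapped` types, the key-id field, AES-GCM as the wrapping cipher, and binding the key id as associated data are all assumptions; the issue does not specify the wrap format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Wrapped struct{ KID string; Blob []byte }              // assumed per-object metadata: KEK id, nonce||AES-GCM(DEK)
type Keyring struct{ Primary string; Keys map[string][]byte } // Primary wraps new DEKs; other ids are retired, read-only

func (k Keyring) aead(kid string) (cipher.AEAD, error) {
	if b, err := aes.NewCipher(k.Keys[kid]); err == nil { // unknown id yields an empty key and fails here
		return cipher.NewGCM(b)
	}
	return nil, fmt.Errorf("KEK %q missing or wrong length", kid)
}
// Wrap seals a DEK under the primary KEK, binding the key id as associated data.
func (k Keyring) Wrap(dek []byte) (Wrapped, error) {
	a, err := k.aead(k.Primary)
	if err != nil {
		return Wrapped{}, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Wrapped{}, err
	}
	return Wrapped{KID: k.Primary, Blob: a.Seal(nonce, nonce, dek, []byte(k.Primary))}, nil
}
// Unwrap opens a DEK with whichever KEK (primary or retired) the metadata names.
func (k Keyring) Unwrap(w Wrapped) ([]byte, error) {
	a, err := k.aead(w.KID)
	if err != nil || len(w.Blob) < a.NonceSize() {
		return nil, fmt.Errorf("cannot unwrap DEK under KEK %q (key error: %v, blob %d bytes)", w.KID, err, len(w.Blob))
	}
	return a.Open(nil, w.Blob[:a.NonceSize()], w.Blob[a.NonceSize():], []byte(w.KID))
}
// Rewrap moves one DEK to the primary KEK without touching object data. changed is false
// when the DEK is already current (safe to re-run); dryRun verifies the unwrap but writes nothing.
func (k Keyring) Rewrap(w Wrapped, dryRun bool) (Wrapped, bool, error) {
	if w.KID == k.Primary {
		return w, false, nil
	}
	dek, err := k.Unwrap(w)
	if err != nil || dryRun {
		return w, err == nil, err
	}
	nw, err := k.Wrap(dek)
	return nw, err == nil, err
}
func main() {}
```

A rotation job would call `Rewrap` per object and persist only the returned metadata; a retired KEK can be dropped from the keyring once no object still names its id.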