sops
Can SOPS be used with AWS KMS keys that have automatic rotation turned on?
I was looking at this issue https://github.com/mozilla/sops/issues/1135 and I am wondering whether SOPS now supports an AWS KMS key that has automatic rotation enabled.
/kind information
/kind looking-for-clear-answer
/kind support
Rotation does not change the KMS ID.
@dmore the key is not modified, but the content of the key is... so can you please be more specific about the implications for sops?
As stated in the linked issue #1135, the documentation says:
When you enable automatic key rotation for a KMS key, AWS KMS generates new cryptographic material for the KMS key every year.
So what will the behavior be in the following scenario: a sops secret has been encrypted with version N of the 'id1' KMS key; after 1 year, the key is rotated, so version N+1 of the 'id1' key contains different cryptographic material. What about all the secrets that have been encrypted with the old version? Sops must use the old material to decrypt them, so is sops able to use the 'id1' key history to decrypt? Or do we have to encrypt all our secrets again to be able to go on with version N+1 of the key?
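The scenario asked about above, modelled as an added Python example (this is neither sops code nor the AWS SDK). Two facts about AWS KMS drive it: automatic rotation keeps the key ID and ARN unchanged, and KMS retains every previous version of the backing key material and uses whichever version produced a ciphertext when decrypting it. sops itself never encrypts file content with the KMS key directly; it generates a random data key per file, encrypts the content with it, and asks KMS to wrap only that data key. The names `ToyKmsKey`, `sops_encrypt`, `sops_decrypt` and `sops_rotate` are assumptions for illustration, and the HMAC-SHA256 keystream stands in for a real cipher (constructed for the example, not secure):

```python
"""Toy model: AWS KMS automatic rotation versus a sops-style envelope-encrypted file.

Added example, not sops or AWS SDK code. Real KMS uses AES-GCM inside an HSM;
here an HMAC-SHA256 keystream stands in (constructed, NOT a real cipher).
"""
import hashlib
import hmac
import secrets


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with HMAC-SHA256(key, nonce || counter).
    The same call encrypts and decrypts. Illustration only, no authentication."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class ToyKmsKey:
    """A KMS key: one stable key ID plus a history of backing-key versions.

    Mirrors documented KMS behaviour: rotation appends new material, older
    material is retained, encrypt uses the newest version, decrypt uses the
    version that produced the ciphertext.
    """

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id                            # never changes on rotation
        self.backing_keys = [secrets.token_bytes(32)]   # version 0

    @property
    def current_version(self) -> int:
        return len(self.backing_keys) - 1

    def rotate(self) -> None:
        """Automatic rotation: new material appended, old versions kept for decrypt."""
        self.backing_keys.append(secrets.token_bytes(32))

    def encrypt(self, plaintext: bytes) -> dict:
        version = self.current_version
        nonce = secrets.token_bytes(16)
        return {
            "key_id": self.key_id,
            "version": version,   # real KMS records this inside the opaque ciphertext blob
            "nonce": nonce,
            "ct": _xor_stream(self.backing_keys[version], nonce, plaintext),
        }

    def decrypt(self, blob: dict) -> bytes:
        if blob["key_id"] != self.key_id:
            raise ValueError("ciphertext belongs to a different KMS key")
        material = self.backing_keys[blob["version"]]   # old version still available
        return _xor_stream(material, blob["nonce"], blob["ct"])


def sops_encrypt(kms: ToyKmsKey, plaintext: bytes) -> dict:
    """sops-style envelope: a random data key encrypts the file, KMS wraps the data key."""
    data_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    return {
        "kms": kms.encrypt(data_key),   # the only thing KMS ever sees
        "nonce": nonce,
        "data": _xor_stream(data_key, nonce, plaintext),
    }


def sops_decrypt(kms: ToyKmsKey, doc: dict) -> bytes:
    data_key = kms.decrypt(doc["kms"])
    return _xor_stream(data_key, doc["nonce"], doc["data"])


def sops_rotate(kms: ToyKmsKey, doc: dict) -> dict:
    """What `sops -r` does: fresh data key, content re-encrypted, data key re-wrapped
    under the KMS key's current material. Optional; old files keep decrypting without it."""
    return sops_encrypt(kms, sops_decrypt(kms, doc))


def demo() -> dict:
    """Walk through the scenario from the thread and report what happened."""
    secret = b"db_password: hunter2\n"        # constructed sample content
    kms = ToyKmsKey("id1")
    old_doc = sops_encrypt(kms, secret)       # data key wrapped under version N (= 0)

    kms.rotate()                              # a year passes: version N+1 (= 1)

    still_readable = sops_decrypt(kms, old_doc) == secret
    new_doc = sops_rotate(kms, old_doc)       # opt-in re-wrap under N+1
    return {
        "key_id_unchanged": kms.key_id == "id1",
        "current_version": kms.current_version,
        "old_file_wrapped_with": old_doc["kms"]["version"],
        "old_file_decrypts_after_rotation": still_readable,
        "rotated_file_wrapped_with": new_doc["kms"]["version"],
        "rotated_file_decrypts": sops_decrypt(kms, new_doc) == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes: a sops file stores a KMS ciphertext blob, and KMS resolves that blob to the backing-key version that produced it, so rotation of the key material on the AWS side breaks nothing already encrypted. Re-wrapping the data key under the new material is a separate, optional step, which is what sops's own `-r`/`--rotate` flag performs (a new data key, all values re-encrypted, data key re-wrapped).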