As calling the datakey endpoint (using AES-GCM) of the transit engine generates a whole new key every time, If I am not missing anything, I don’t really need to worry about having a complex process for:
- Calculating nonce(iv) - to make sure it has some sort of counter and avoid possibility to use the same one more than once by the same app (for a huge volume of encryption operations).
- Key rotation/Re-keying - having a periodic process that after rotating the transit key, having to go back to already encrypted data and re-encrypt it using a new data key wrapped with the new version of its master key.
Or am I missing something in regards to the best practices and cryptography principles that would require that I really put logic on my app to take care of these 2 items?