Generates a new key and sets it as the master key in an existing keyset.
Syntax
binary ROTATE_KEYSET(binary <keyset>, string <key_type> [, string <description>])
Parameters
| Parameter | Required | Type | Description |
|---|---|---|---|
| keyset | Yes | BINARY | The keyset to rotate. |
| key_type | Yes | STRING | The algorithm for the new key. Valid values: AES-GCM-256, AES-SIV-CMAC-128, AES-SIV-CMAC-256. |
| description | No | STRING | A description of the new data key. |
Choosing a `key_type`:
`AES-GCM-256` — Authenticated Encryption with Associated Data (AEAD). Use this for most encryption scenarios where you need both confidentiality and integrity verification.
`AES-SIV-CMAC-128` — Deterministic authenticated encryption. Produces the same ciphertext for the same plaintext, which makes it suitable for use cases that require equality checks on encrypted data.
`AES-SIV-CMAC-256` — Same as `AES-SIV-CMAC-128` but uses a 256-bit key for a higher security margin.
Return value
Returns a keyset of the BINARY type. The returned keyset contains all existing keys plus the newly generated key, with the new key set as the master key.
Usage notes
The returned keyset is of the BINARY type. To store or display it as a string, use HEX to convert BINARY to STRING. To convert it back, use UNHEX.
Rotating a keyset does not remove existing keys. Data encrypted with an older key remains decryptable after rotation.
To encrypt data with the rotated keyset, pass the result of `ROTATE_KEYSET` to ENHANCED_SYM_ENCRYPT.
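The usage notes above in a single query, as an added example that is not part of the original documentation: a value encrypted before rotation still decrypts with the rotated keyset, and new data is encrypted with it. The keyset literal is the sample keyset from this page's own example; the argument order of `ENHANCED_SYM_ENCRYPT(keyset, plaintext)` and `ENHANCED_SYM_DECRYPT(keyset, ciphertext)`, the `CAST` to STRING, and all aliases are assumptions.

```sql
-- Added example. Assumptions: ENHANCED_SYM_ENCRYPT / ENHANCED_SYM_DECRYPT take
-- the keyset as their first argument, and BINARY results can be CAST to STRING.
SELECT
    -- ROTATE_KEYSET generates a new random key on every call, so persist this
    -- value once and reuse it. An unwrapped keyset carries the raw key
    -- material, so treat the hex string as a secret.
    HEX(rotated_ks) AS rotated_keyset_hex,

    -- Ciphertext produced with the pre-rotation keyset still decrypts,
    -- because rotation keeps the existing keys in the keyset.
    CAST(ENHANCED_SYM_DECRYPT(rotated_ks, old_ct) AS STRING) AS old_data,

    -- New writes pass the rotated keyset, whose master key is the new key.
    HEX(ENHANCED_SYM_ENCRYPT(rotated_ks, 'written after rotation')) AS new_ct_hex
FROM (
    SELECT
        ROTATE_KEYSET(ks, 'AES-GCM-256', 'rotated key') AS rotated_ks,
        ENHANCED_SYM_ENCRYPT(ks, 'written before rotation') AS old_ct
    FROM (
        -- Sample keyset copied from the example on this page.
        SELECT UNHEX('0A1072384D715A414541385044643351534C12580A330A0B4145532D47434D2D323536122026A8FB1126DF4F5B5DD03C180E6919565D7716CBB291815EFB5BBF30F8BEF9AF1801200210011A1072384D715A414541385044643351534C20022A0B68656C6C6F20776F726C64') AS ks
    ) src
) r;
```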
Example
Rotate a keyset by adding a new AES-SIV-CMAC-256 key:
SELECT ROTATE_KEYSET(
    UNHEX('0A1072384D715A414541385044643351534C12580A330A0B4145532D47434D2D323536122026A8FB1126DF4F5B5DD03C180E6919565D7716CBB291815EFB5BBF30F8BEF9AF1801200210011A1072384D715A414541385044643351534C20022A0B68656C6C6F20776F726C64'),
    'AES-SIV-CMAC-256',
    'hello world'
);

The returned keyset contains the original AES-GCM-256 key and the newly added AES-SIV-CMAC-256 key set as the master key:
+------------+
| _c0 |
+------------+
| =0A=10BVIuZQEAcHHPLfn1=12X=0A3=0A=0BAES-GCM-256=12=20&=A8=FB=11&=DFO[]=D0<=18=0Ei=19V]w=16=CB=B2=91=81^=FB[=BF0=F8=BE=F9=AF=18=01=20=02=10=01=1A=10r8MqZAEA8PDd3QSL=20=02*=0Bhello=20world=12}=0AX=0A=10AES-SIV-CMAC-256=12@=9D=AD=B7=D6=AF=01=B2=9D=CE=C3=02y=A9=DB=E1=17q>'F=DC=F5=EF=FFI=7F=F0w)=95F=07>=9C=EDqn=DF=0E=1E=16bP&=D3=7F>gV=CBl=8AGJCm=93=FF=F9=96=AD=1A=C0=BC=18=01=20=02=10=01=1A=10BVIuZQEAcHHPLfn1=20=02*=0Bhello=20world |
+-----------+
What's next
| Topic | Description |
|---|---|
| Use keysets | End-to-end guide for keyset-based encryption and decryption in MaxCompute. |
| NEW_KEYSET | Create a keyset with a specified algorithm. |
| ADD_KEY_TO_KEYSET | Add a key to an existing keyset and set it as the master key. |
| ROTATE_WRAPPED_KEYSET | Rotate a wrapped keyset that is protected by a KMS key. |
| KEYSET_TO_JSON | Convert a BINARY keyset to a readable JSON string. |
| KEYSET_FROM_JSON | Convert a JSON keyset back to the BINARY type. |
| NEW_WRAPPED_KEYSET | Create a keyset wrapped by a Key Management Service (KMS) customer master key (CMK). |
| REWRAP_KEYSET | Re-encrypt a wrapped keyset with a specified KMS key. |
| USE_WRAPPED_KEYSET | Convert a wrapped keyset to a basic keyset for use in encryption or decryption functions. |
| ENHANCED_SYM_ENCRYPT | Encrypt data using a keyset. |
| ENHANCED_SYM_DECRYPT | Decrypt data using a keyset. |