Data accessible from a data storage system may be considered as being in one of three states: at rest, in motion, or in use. Data at rest is inactive data stored physically in databases, data warehouses, spreadsheets, archives, tapes, off-site backups, etc. Data in motion is data that is traversing a network or temporarily residing in computer memory to be read or updated. Data in use is active data that is being changed while stored physically in databases, data warehouses, etc.
Data in motion and data at rest are typically encrypted using a cryptographic key. The key may be a symmetric key or part of an encryption/decryption key pair.
A conventional approach to protecting data at rest in a storage system using cryptographic keys involves periodically updating the keys used for encrypting and decrypting the data. For example, a data storage system may either generate or otherwise acquire a new cryptographic key or key pair. The data storage system decrypts the data using the old key and re-encrypts the data using the new key.
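The rotation procedure described above, as an added Ruby example that is not part of the original text. The record layout, the integer key IDs, the choice of AES-256-GCM, and the names `Record`, `seal`, `open_record` and `rotate!` are assumptions made for illustration; the sample rows are constructed.

```ruby
require "openssl"

# Added example; Record, seal, open_record and rotate! are hypothetical names.
# key_id records which key version sealed blob (12-byte nonce || 16-byte tag || ciphertext).
Record = Struct.new(:key_id, :blob)

def seal(keyring, key_id, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = keyring.fetch(key_id)
  nonce = cipher.random_iv # fresh nonce per record, also set on the cipher
  ciphertext = cipher.update(plaintext) + cipher.final
  Record.new(key_id, nonce + cipher.auth_tag + ciphertext)
end

def open_record(keyring, rec)
  raise ArgumentError, "blob truncated" if rec.blob.bytesize <= 28
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = keyring.fetch(rec.key_id) # KeyError once that key has been retired
  cipher.iv = rec.blob.byteslice(0, 12)
  cipher.auth_tag = rec.blob.byteslice(12, 16)
  cipher.update(rec.blob.byteslice(28..-1)) + cipher.final # CipherError if tampered
end

# Re-encrypt every record not yet under new_id; returns how many were rewritten.
# Skipping records already under new_id lets an interrupted run be rerun safely.
def rotate!(keyring, store, new_id)
  keyring.fetch(new_id) # fail before touching data if the new key is missing
  rewritten = 0
  store.each_with_index do |rec, i|
    next if rec.key_id == new_id
    store[i] = seal(keyring, new_id, open_record(keyring, rec))
    rewritten += 1
  end
  rewritten
end

if __FILE__ == $PROGRAM_NAME
  keyring = { 1 => OpenSSL::Random.random_bytes(32) }
  store = ["constructed row A", "constructed row B"].map { |pt| seal(keyring, 1, pt) }
  keyring[2] = OpenSSL::Random.random_bytes(32) # generate or acquire the new key
  puts "rewrote #{rotate!(keyring, store, 2)} records"
  keyring.delete(1) # retire the old key only after every record is rewritten
  puts store.map { |r| open_record(keyring, r) }.inspect
end
```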