Hi Raghav,
You can do this with a custom Keyring. Remember:
- The key returned by the keyring can have a different name than the name used to look up the key.
Use this to your advantage. Configure the encrypter to use a key with the special name “latest”. In your keyring, if the requested key name is “latest” then return the latest version of the key, using the actual key name. Otherwise do a real lookup by key name and return the key with the same name the caller asked for.
When the key is compromised, tell your Keyring there’s a new “latest” key with a different name.
Thanks,
David
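The aliasing keyring described above, as an added example that is neither David's code nor any particular library's API; `issue` and `verify` are stand-ins for the encrypter and decrypter that HMAC a payload and carry the real key name as the kid:

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

LATEST = "latest"  # the special alias the encrypter is configured with

class AliasingKeyring:
    """Maps the alias "latest" to the current key; every other lookup is by real
    name, so tokens issued under older keys still verify after a rotation."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}   # real name -> key material
        self._latest: Optional[str] = None  # real name that "latest" points at

    def add_key(self, name: str, material: bytes, make_latest: bool = True) -> None:
        if name == LATEST:
            raise ValueError('"latest" is reserved as an alias, not a key name')
        if name in self._keys:
            raise ValueError(f"key {name!r} already exists")
        self._keys[name] = material
        if make_latest:
            self._latest = name

    def rotate(self, new_name: str, material: bytes) -> None:
        """Point "latest" at a new key, e.g. after the old one is compromised."""
        self.add_key(new_name, material, make_latest=True)

    def get_key(self, requested: str) -> Tuple[str, bytes]:
        """Return (real name, material). The name may differ from `requested`."""
        if requested == LATEST:
            if self._latest is None:
                raise KeyError("no key has been marked latest")
            return self._latest, self._keys[self._latest]
        return requested, self._keys[requested]  # real lookup, same name

def issue(keyring: AliasingKeyring, payload: bytes) -> str:
    """Stand-in for the encrypter: asks for "latest", stamps the real name as kid."""
    kid, material = keyring.get_key(LATEST)
    tag = hmac.new(material, payload, hashlib.sha256).hexdigest()
    return f"{kid}.{tag}"

def verify(keyring: AliasingKeyring, token: str, payload: bytes) -> bool:
    """Stand-in for the decrypter: looks the key up by the kid carried in the token."""
    kid, tag = token.split(".", 1)
    _, material = keyring.get_key(kid)
    expected = hmac.new(material, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)
```

Because the old key stays in the ring, tokens issued before the rotation still verify; if the old key was actually compromised you would also drop it from `_keys` so nothing produced under it is trusted.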