@M MM
Looking at your TechNet forum post and referencing your flow:
Salt Key Flow:
We will be calling Azure key vault with the client id and client secret to get the salt key
Once we receive the saltkey, we will be encrypting the string using salt key.
We send the encrypted string to vendor.
we share the Azure key vault client id and secret to vendor.
Vendor is going to call the azure key vault to get the salt key
Vendor using salt key they will decrypt the string.
This issue is more related to the actual Salt Key, than the Azure Key Vault since you're not using Azure to encrypt passwords. You're only storing keys/secrets, and utilizing the ClientID/Secret to encrypt your passwords manually. Additionally, it sounds like your main concern is - when you do rotate salt keys, can you decrypt the existing string with the new salt key.
From my understanding of key rotation, as I stated previously:
If you're encrypting your passwords, i.e. Password1 with SaltKey1: you want to rotate SaltKey1 to SaltKey2, you'll have to decrypt Password1 with SaltKey1 and re-encrypt Password1 with SaltKey2; or re-encrypt Password1 with SaltKey2. Otherwise, there'd be no way to decrypt Password1 with SaltKey2 since it was originally encrypted with SaltKey1.
- The key point is, if you plan to rotate keys, you should decrypt any old strings prior to rotating keys. Once the salt key is rotated, you can then re-encrypt those strings with the new salt key.
- If you rotate keys prior to decrypting/re-encrypting, you need to somehow "reference/re-encrypt" that password with the new key.
You also have the option of not having your keys/secrets expire.
However, if your salt key is compromised or if you plan to rotate these keys periodically you'll most likely have to go through one of the decryption/encryption scenarios I stated above.
Lastly, I reached out to my team regarding your issue and since you're manually encrypting your passwords and not using an Azure feature to do so, besides the Key Vault to store keys/secrets, this issue isn't supported. I'd recommend reaching back out to Xingyu within the TechNet forums for further guidance.
Full list of supported products
Azure encryption overview
If you have any other questions regarding this issue, please let me know.
Thank you for your time and patience throughout this issue.