Dominik Sternad

Reputation: 1

Does BigQuery Re-Encrypt Data at Rest When Updating the kms_key with ALTER TABLE?

I've been unable to find a clear explanation in the BigQuery documentation regarding the behavior of data at rest when the kms_key is updated using the ALTER TABLE statement.

Cloud KMS is set up and a key from a keyring is used to encrypt data in BigQuery. After 90 days, KMS creates a new key, and our requirement is that all BigQuery data should be encrypted only with this latest key. Since BigQuery does not automatically rotate the key, an ALTER TABLE statement or bq cp/update is needed to change the kms_key (https://cloud.google.com/bigquery/docs/customer-managed-encryption#bq_5).

After testing the ALTER TABLE statement, it was observed that BigQuery switched the key, but no scanning/writing of data was involved.

It's clear to me that freshly ingested data via the BigQuery API into a table would use the new, latest key. Does the update statement of the kms_name also re-encrypt the data at rest in BigQuery? For data at rest it would seem that it would need to decrypt (using the old key) and encrypt (using the new key) again so that all data is encrypted with only one key.

What happens when the key is switched to the new one (update OPTIONS with ALTER TABLE) and, after a while, an attempt is made to read the data? Does BigQuery then use the old key to decrypt the data?

Is there any documentation that explains the behavior of BigQuery for this scenario?

Upvotes: 0

Views: 111

Answers (1)

Muheng

Reputation: 1

BigQuery uses envelope encryption. This means the data is encrypted with a Google-managed data encryption key, which is then encrypted with your key, referred to as a key encryption key. So upon key rotation, the only thing that is re-encrypted is the original data encryption key. The data itself is not re-encrypted. See https://cloud.google.com/bigquery/docs/customer-managed-encryption.

Upvotes: 0
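The envelope-encryption behaviour the answer describes, as an added illustration that is not BigQuery's or Cloud KMS's own code: a table's rows are sealed under a per-table data encryption key (DEK), the DEK is wrapped by a versioned key encryption key (KEK), and the analogue of `ALTER TABLE ... SET OPTIONS (kms_key_name = ...)` only unwraps the DEK with the old KEK version and re-wraps it with the current one. The row ciphertext never changes. The example also shows the check a practitioner cares about: a table that has been re-wrapped survives destruction of the old key version, while a table left on the old version does not. The `Kms` and `EnvelopeTable` classes, the version numbering, and the HMAC-SHA256 counter-mode stream cipher standing in for AES-GCM are assumptions made for this example only; the sample rows are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode, XORed with the data.
    # Illustration only: a stand-in for AES-GCM, with no authentication.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Kms:
    """Hypothetical model of a Cloud KMS key with numbered versions (assumption)."""

    def __init__(self) -> None:
        self.versions = {1: os.urandom(32)}
        self.primary = 1

    def rotate(self) -> int:
        # Rotation creates a new primary version; older versions still decrypt.
        self.primary += 1
        self.versions[self.primary] = os.urandom(32)
        return self.primary

    def destroy(self, version: int) -> None:
        del self.versions[version]

    def wrap(self, dek: bytes) -> Tuple[int, bytes]:
        # Always wraps with the current primary version.
        return self.primary, seal(self.versions[self.primary], dek)

    def unwrap(self, version: int, wrapped_dek: bytes) -> bytes:
        if version not in self.versions:
            raise PermissionError(f"key version {version} is destroyed")
        return unseal(self.versions[version], wrapped_dek)


class EnvelopeTable:
    """Hypothetical table: rows sealed under a DEK, DEK wrapped by the KEK (assumption)."""

    def __init__(self, kms: Kms, rows: List[bytes]) -> None:
        dek = os.urandom(32)
        self.kek_version, self.wrapped_dek = kms.wrap(dek)
        self.rows = [seal(dek, row) for row in rows]

    def rewrap(self, kms: Kms) -> None:
        # Analogue of ALTER TABLE ... SET OPTIONS (kms_key_name = ...):
        # unwrap the DEK with the recorded version, re-wrap with the primary.
        dek = kms.unwrap(self.kek_version, self.wrapped_dek)
        self.kek_version, self.wrapped_dek = kms.wrap(dek)

    def read(self, kms: Kms) -> List[bytes]:
        dek = kms.unwrap(self.kek_version, self.wrapped_dek)
        return [unseal(dek, row) for row in self.rows]


def demo() -> dict:
    kms = Kms()
    rows = [b"alice,42", b"bob,17"]  # constructed sample rows
    rewrapped = EnvelopeTable(kms, rows)  # will be re-wrapped after rotation
    stale = EnvelopeTable(kms, rows)      # left on the old key version
    ciphertext_before = list(rewrapped.rows)
    old_version, old_wrapped = rewrapped.kek_version, rewrapped.wrapped_dek

    kms.rotate()
    rewrapped.rewrap(kms)
    result = {
        "row_ciphertext_unchanged": rewrapped.rows == ciphertext_before,
        "wrapped_dek_changed": rewrapped.wrapped_dek != old_wrapped,
        "kek_version_after": rewrapped.kek_version,
        "readable_after_rewrap": rewrapped.read(kms) == rows,
    }

    # Destroying the old version only hurts tables still wrapped with it.
    kms.destroy(old_version)
    result["rewrapped_readable_after_destroy"] = rewrapped.read(kms) == rows
    try:
        stale.read(kms)
        result["stale_readable_after_destroy"] = True
    except PermissionError:
        result["stale_readable_after_destroy"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The model matches the behaviour the question observed: switching the key is a metadata operation on the wrapped DEK, so no scan or rewrite of the rows happens, and reads after the switch go through the new KEK version only because the DEK itself never changed.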
