Does BigQuery Re-Encrypt Data at Rest When Updating the kms_key with ALTER TABLE?


I've been unable to find a clear explanation in the BigQuery documentation regarding the behavior of data at rest when the kms_key is updated using the ALTER TABLE statement.

Cloud KMS is set up and a key from a keyring is used to encrypt data in BigQuery. After 90 days, KMS creates a new key, and our requirement is that all BigQuery data should be encrypted only with this latest key. Since BigQuery does not automatically rotate the key, an ALTER TABLE statement or bq cp/update is needed to change the kms_key (https://cloud.google.com/bigquery/docs/customer-managed-encryption#bq_5).

After testing the ALTER TABLE statement, it was observed that BigQuery switched the key, but no scanning/writing of data was involved.

It's clear to me that freshly ingested data via the BigQuery API into a table would use the new, latest key. Does the update statement of the kms_name also re-encrypt the data at rest in BigQuery? For data at rest it would seem that it would need to decrypt (using the old key) and encrypt (using the new key) again so that all data is encrypted with only one key.

What happens when the key is switched to the new one (update OPTIONS with ALTER TABLE) and, after a while, an attempt is made to read the data? Does BigQuery then use the old key to decrypt the data?

Is there any documentation that explains the behavior of BigQuery for this scenario?

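As an added example (not part of the question), the ALTER TABLE form the poster describes, followed by an INFORMATION_SCHEMA query that reads back the key each table in the dataset reports; the project, dataset, table and key resource names are placeholders. This check only shows the configured key resource on the table metadata, not whether the stored bytes have been re-encrypted.

```sql
-- Added example, not from the question: switch a table's CMEK, then read
-- back the configured key. All resource names below are placeholders.
ALTER TABLE `my-project.my_dataset.my_table`
SET OPTIONS (
  kms_key_name = 'projects/my-kms-project/locations/us/keyRings/my-ring/cryptoKeys/my-key'
);

-- Verify which key every table in the dataset now reports. The value is a
-- CryptoKey resource path (no cryptoKeyVersions segment), so it identifies
-- the key, not a particular key version.
SELECT
  table_name,
  option_value AS kms_key_name
FROM `my-project.my_dataset`.INFORMATION_SCHEMA.TABLE_OPTIONS
WHERE option_name = 'kms_key_name'
ORDER BY table_name;
```

Tables missing from the result have no kms_key_name option set and fall back to the dataset's default_kms_key_name or Google-managed encryption.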