Hi EL OUAFI Omar,
The way to do that is to implement envelope encryption.
Here is a link to that concept:
https://cloud.ibm.com/docs/key-protect?topic=key-protect-envelope-encryption
But your old data needs to be reprocessed for envelope encryption too. Depending on the data volume, I would choose to decrypt/encrypt everything once a year or implement envelope encryption.
If you consider the first one, create data deletion routines for data that is not required in processes and reports anymore (clean up old data).
Go Make It
Hi, is it a requirement to change the key from the already encrypted data?
If so i don’t see another option than to decrypt all the data with the old key and encrypt it again with the new key.
Would it not be an option to have one key for each year for example?