Consider the following scenario:
- System has some sensitive data stored in DB
- This sensitive data is encrypted using aes_encrypt, and then saved to DB
- aes key changes
- Sensitive data is gone :S
How about creating a hook_aes_key_change (better naming is welcome, this is just to explain the idea). This hook would provide both the old key, and the new key, and who this key belongs to. This would allow us to decrypt, and then re-encrypt the data with the new key. Thus avoiding losing the data.