Key rotation  |  Cloud KMS Documentation  |  Google Cloud (2024)

Table of Contents
Why rotate keys? How often to rotate keys Considerations for asymmetric keys What's next FAQs
Stay organized with collections Save and categorize content based on your preferences.

This topic discusses key rotation in Cloud Key Management Service. For specific instructionsto rotate a key, see Rotating keys.

Why rotate keys?

For symmetric encryption, periodically and automatically rotating keys is arecommended security practice. Some industry standards, such asPayment Card Industry Data Security Standard (PCI DSS), require the regularrotation of keys.

See Also
Data destruction using crypto-shreddingHow do you design and implement a secure key management system for your organization?How to Rotate API Keys | Veryfi, Inc. Help CenterKey Rotation Strategies for Securing Sensitive Data

Cloud Key Management Service does not support automatic rotation of asymmetric keys. SeeConsiderations for asymmetric keys below.

Rotating keys provides several benefits:

  • Limiting the number of messages encrypted with the same key version helpsprevent attacks enabled by cryptanalysis. Key lifetimerecommendations depend on the key's algorithm, as well as either the numberof messages produced or the total number of bytes encrypted with the samekey version. For example, the recommended key lifetime for symmetricencryption keys in Galois/Counter Mode (GCM) is based on the number ofmessages encrypted, as noted athttps://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf.

  • In the event that a key is compromised, regular rotation limits the number ofactual messages vulnerable to compromise.

    If you suspect that a key version is compromised,disable it andrevoke access to it as soon as possible.

    See Also
    How to Become Great at API Key Rotation: Best Practices and Tips

  • Regular key rotation ensures that your system is resilient to manual rotation,whether due to a security breach or the need to migrate your application to astronger cryptographic algorithm. Validate your key rotation proceduresbefore a real-life security incident occurs.

You can also manually rotate a key, either because it is compromised, or tomodify your application to use a different algorithm.

How often to rotate keys

We recommend that you rotate keys automaticallyon a regular schedule. A rotation schedule defines the frequency of rotation,and optionally the date and time when the first rotation occurs. The rotationschedule can be based on either the key's age or the number or volume ofmessages encrypted with a key version.

Some security regulations require periodic, automatic key rotation. Automatickey rotation at a defined period, such as every 90 days, increases security withminimal administrative complexity.

You should also manually rotate a key if yoususpect that it has been compromised, or when security guidelines require you tomigrate an application to a stronger key algorithm. You can schedule a manualrotation for a date and time in the future. Manually rotating a key does notpause, modify, or otherwise impact an existing automatic rotation schedule forthe key.

Do not rely on irregular or manual rotation as a primary component of yourapplication's security.

Considerations for asymmetric keys

Cloud KMS does not support automatic rotation for asymmetric keys,because additional steps are required before you can use the new asymmetric keyversion.

  • For asymmetric keys used for signing, you must distribute the publickey portion of the new key version. Afterward, you can specify thenew key version in calls to the CryptoKeyVersions.asymmetricSign methodto create a signature, and update applications to use the new key version.

  • For asymmetric keys used for encryption, you must distribute andincorporate the public portion of the new key version into applications thatencrypt data, and grant access to the private portion of the new key version,for applications that decrypt data.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-08-07 UTC.

Key rotation  |  Cloud KMS Documentation  |  Google Cloud (2024)

FAQs

Does KMS support key rotation? ›

AWS KMS supports automatic and on-demand key rotation only for symmetric encryption KMS keys with key material that AWS KMS creates. Automatic rotation is optional for customer managed KMS keys. AWS KMS always rotates the key material for AWS managed KMS keys every year.

Read On
What is the best practice for key rotation? ›

The best practice is to rotate your keys regularly. Choose a rotation interval between one and 12 months for your root key based on your security needs. After you set a rotation policy for a root key, the clock starts immediately based on the initial creation date for the key.

Discover More Details
What is the best practice for GCP service account key rotation? ›

It is recommended to rotate keys every 90 days or less. Each GCP service account is associated with a key pair managed by Google and used for service-to-service authentication within Google Cloud. GCP provides the option to create one or more user-managed (external) key pairs for use outside your cloud account.

Continue Reading
How often should keys be rotated? ›

Automatic key rotation at a defined period, such as every 90 days, increases security with minimal administrative complexity. You should also manually rotate a key if you suspect that it has been compromised, or when security guidelines require you to migrate an application to a stronger key algorithm.

See Details
How often does GCP rotate keys? ›

Google Cloud Storage specifically rotates its KEKs every 90 days.

Find Out More
How do you ensure KMS encryption keys are rotated within a period of 90 days? ›

From Google Cloud Console

Click on 'Edit rotation period'. On the pop-up window, 'Select a new rotation period' in days which should be less than 90 and then choose 'Starting on' date (date from which the rotation period begins).

Tell Me More
What is the key rotation policy? ›

Key rotation policy

It's used to set expiration date on newly rotated key. It doesn't affect a current key. Rotation types: Automatically renew at a given time after creation (default)

Show Me More
How to handle key rotation? ›

To rotate a key with zero downtime, you'll need to create and deploy a new key before revoking the old one. If possible, monitor logs to ensure that the new key is being used after it has been deployed. Once the new key is being used by your application, you can revoke the old key.

Explore More
What is the key rotation technique? ›

Key rotation in asymmetric encryption involves the following steps:
  1. Step 1: Generate a new key pair. ...
  2. Step 2: Sign the new public key with the old private key. ...
  3. Step 3: Update systems with the new key pair. ...
  4. Step 5: Revoke and delete the old public key.
May 26, 2023

Continue Reading
Why is it called key rotation? ›

Key rotation is when a signing key is retired and replaced by generating a new cryptographic key. Rotating keys on a regular basis is an industry standard and follows cryptographic best practices.

Show Me More

What is key rotation in GCP? ›

Key rotation is the process of replacing your existing keys with new keys and then invalidating the replaced keys. We recommend that you routinely rotate all keys that you manage, including your service account keys. Rotating service account keys can help reduce the risk posed by leaked or stolen keys.

Read The Full Story
What is the best practice for access key rotation? ›

Ensure IAM access keys are rotated every 90 days

Credentials should be rotated or changed on a periodic time frame. For this reason it is considered a security best practice to rotate access keys.

See Details
How to rotate service account keys? ›

To rotate a service account key pair: In the Management Portal, browse to SSH > Service Account Keys. On the Service Account Keys page, click Rotate.

Get More Info Here
Can you store keys in KMS? ›

Yes. You can import a copy of your key from your own key management infrastructure to AWS KMS and use it with any integrated AWS service or from within your own applications.

Continue Reading
How to rotate API keys automatically? ›

Key Rotation using Dashboard
  1. Log in to your Dashboard account. Navigate to API Keys, select Create New Key.
  2. You can set the key to automatically expire by entering a date, or leave empty if you do not want the key to automatically expire.

View More
Are KMS keys region specific? ›

AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions.

View Details
Does KMS support asymmetric keys? ›

AWS KMS supports asymmetric KMS keys that represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair.

See More
Top Articles
How to Generate Your Own Electricity at Home – Powerguard
3 Must-Know Facts About Airbnb Before You Buy the Stock | The Motley Fool
Spasa Parish
Rentals for rent in Maastricht
159R Bus Schedule Pdf
Sallisaw Bin Store
Black Adam Showtimes Near Maya Cinemas Delano
Www.myschedule.kp.org
Ascension St. Vincent's Lung Institute - Riverside
Understanding British Money: What's a Quid? A Shilling?
Xenia Canary Dragon Age Origins
Momokun Leaked Controversy - Champion Magazine - Online Magazine
Maine Coon Craigslist
How Nora Fatehi Became A Dancing Sensation In Bollywood 
‘An affront to the memories of British sailors’: the lies that sank Hollywood’s sub thriller U-571
Tyreek Hill admits some regrets but calls for officer who restrained him to be fired | CNN
Haverhill, MA Obituaries | Driscoll Funeral Home and Cremation Service
Rogers Breece Obituaries
Ems Isd Skyward Family Access
Elektrische Arbeit W (Kilowattstunden kWh Strompreis Berechnen Berechnung)
Omni Id Portal Waconia
Kellifans.com
Banned in NYC: Airbnb One Year Later
Four-Legged Friday: Meet Tuscaloosa's Adoptable All-Stars Cub & Pickle
Model Center Jasmin
Ice Dodo Unblocked 76
Is Slatt Offensive
Labcorp Locations Near Me
Storm Prediction Center Convective Outlook
Experience the Convenience of Po Box 790010 St Louis Mo
Fungal Symbiote Terraria
modelo julia - PLAYBOARD
Poker News Views Gossip
Abby's Caribbean Cafe
Joanna Gaines Reveals Who Bought the 'Fixer Upper' Lake House and Her Favorite Features of the Milestone Project
Tri-State Dog Racing Results
Navy Qrs Supervisor Answers
Trade Chart Dave Richard
Lincoln Financial Field Section 110
Free Stuff Craigslist Roanoke Va
Wi Dept Of Regulation & Licensing
Pick N Pull Near Me [Locator Map + Guide + FAQ]
Crystal Westbrooks Nipple
Ice Hockey Dboard
Über 60 Prozent Rabatt auf E-Bikes: Aldi reduziert sämtliche Pedelecs stark im Preis - nur noch für kurze Zeit
Wie blocke ich einen Bot aus Boardman/USA - sellerforum.de
Infinity Pool Showtimes Near Maya Cinemas Bakersfield
Dermpathdiagnostics Com Pay Invoice
How To Use Price Chopper Points At Quiktrip
Maria Butina Bikini
Busted Newspaper Zapata Tx
Latest Posts
How to Use Gmail with Your Custom Domain Name for Free
What Is Etherscan And How To Use It?
Article information

Author: Geoffrey Lueilwitz

Last Updated:

Views: 5468

Rating: 5 / 5 (60 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Geoffrey Lueilwitz

Birthday: 1997-03-23

Address: 74183 Thomas Course, Port Micheal, OK 55446-1529

Phone: +13408645881558

Job: Global Representative

Hobby: Sailing, Vehicle restoration, Rowing, Ghost hunting, Scrapbooking, Rugby, Board sports

Introduction: My name is Geoffrey Lueilwitz, I am a zealous, encouraging, sparkling, enchanting, graceful, faithful, nice person who loves writing and wants to share my knowledge and understanding with you.