About Key Rotation
Purpose of Key Rotation
Keys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.
The purposes of key rotation are:
- To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
- To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
- To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.
Key Rotation Methods
You can use either of the following key rotation methods:
- Manual key rotation
Replace the key in use with a new key. For example, if key A is in use, you can create key B using a new encryption material, and replace key A with key B. This achieves the same outcome as changing the key material of key A.
Take OBS as an example. To manually rotate a key, create a new CMK on the KMS console. Replace the old CMK with the new one on the OBS console.
Figure 1 Manual key rotation
- Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the CMK will not change, including its key ID, alias, description, and permissions.
Automatic key rotation has the following characteristics:
- Enable rotation for an existing CMK. KMS will automatically generate new key materials for the CMK.
- Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
Figure 2 Key rotation
- KMS uses the latest version of the CMK to encrypt data.
- When decrypting data, KMS uses the CMK version that was used to encrypt the data.
Rotation Modes
Key Type |
Rotation Mode |
|---|---|
Default master key |
Cannot be rotated. |
User-defined key (imported CMK) |
Can only be manually rotated. For more information about user-defined keys, see CMK Overview. |
Symmetric key |
Can be automatically or manually rotated. |
Asymmetric key |
Can only be manually rotated. |
Disabled CMK |
Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a CMK is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan. For more information, see Disabling One or More CMKs. |
CMKs in pending deletion state |
KMS does not rotate CMKs in pending deletion status. After you cancel the deletion of a CMK, the previous key rotation status will be restored. If the CMK has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan. For more information, see Scheduling the Deletion of One or More Keys. |
You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.
Pricing for Key Rotation
Enabling key rotation may incur additional fees. For details, see Billing Description.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
