Enabling Key Rotation

KMS allows you to periodically rotate keys to enhance security for keys and service data. This section describes how keys are rotated in KMS and how to configure key rotation.

By default, automatic key rotation is disabled for a custom key. Every time you enable key rotation, KMS automatically rotates custom keys based on the rotation period you set. Once key rotation is enabled, certain fees will be charged. For details, see How Is Rotation Charged for a CMK?.

Purpose of Key Rotation

Keys that are widely or repeatedly used are insecure. To enhance the security of encryption keys, you are advised to periodically rotate keys and change their key materials.

The purposes of key rotation are:

To reduce the amount of data encrypted by each key.
A key will be insecure if it is used to encrypt a huge number of data. The amount of data encrypted a key refers to the total number of bytes or messages encrypted using the key.
To enhance the capability of responding to security events.
In your initial system security design, you shall design the key rotation function and use it for routine O&M, so that it will be at hand when an emergency occurs.
To enhance the data isolation capability.
The ciphertext data generated before and after key rotation will be isolated. You can identify the impact scope of a security event based on the key involved and take actions accordingly.

Key Rotation Methods

You can use either of the following key rotation methods:

Manual key rotation
Method 1: Create a key B to replace the currently used key A.

Method 2: Modify the key A and use it.

An example command is provided as follows:

Take OBS as an example. To manually rotate a key, create a custom key on the KMS console. Replace the old custom key with the new one on the OBS console.

Figure 1 Manual key rotation
Automatic key rotation
KMS automatically rotates keys based on the configured rotation period (365 days by default). The system automatically generates a new key to replace the key in use. Automatic key rotation only changes the key material of a CMK. The logical attributes of the key will not change, including its key ID, alias, description, and permissions.

Automatic key rotation has the following characteristics:
1. Enable rotation for an existing custom key. KMS will automatically generate new key materials for the custom key.
2. Data is not re-encrypted in an automatic key rotation. The DEK generated using the CMK is not automatically rotated, and data that has been encrypted using the CMK will not be encrypted again. If a DEK has been leaked, automatic rotation cannot contain the impact of the leakage.
Figure 2 Key rotation

KMS retains all versions of a custom key, so that you can decrypt any ciphertext encrypted using the custom key.

KMS uses the latest version of the custom key to encrypt data.
When decrypting data, KMS uses the custom key version that was used to encrypt the data.

Rotation Modes

**Table 1** Key rotation modes
Key Type	Rotation Mode
Default key	Cannot be rotated.
Custom key	Keys can be rotated automatically or manually, depending on the key algorithm type. Symmetric key: Can be automatically or manually rotated. Asymmetric key: Can only be manually rotated.
Disabled CMK	Disabled CMKs are not rotated. KMS keeps their rotation status unchanged. After a custom key is enabled, if it has been used for longer than the rotation period, KMS will immediately rotate keys. If the custom key has been used for shorter than the rotation period, KMS will implement the original rotation plan.
CMKs in pending deletion state	KMS does not rotate CMKs in pending deletion status. After you cancel the deletion of a CMK, the previous key rotation status will be restored. If the custom key has been used for longer than the rotation period, KMS will immediately rotate keys. If the CMK has been used for shorter than the rotation period, KMS will implement the original rotation plan.

You can check the rotation details on the Rotation Policy page, including the last rotation time and number of rotations.

Constraints

A disabled custom key is never rotated, even if rotation is enabled for it.
KMS resumes rotation when this custom key is enabled. If you enable this custom key after one rotation period has passed, KMS will rotate it within 24 hours.
Only CMKs can be rotated.
Only symmetric keys can be rotated.
Key rotation is supported only for enabled keys with KMS-generated key materials.
Enabling key rotation may incur additional fees. For details, see Billing Description.

Enabling Key Rotation

Log in to the DEW console.
Click in the upper left corner and select a region or project.

Click the custom key name to access it details page.
Click the Rotation Policy tab. The rotation switch is displayed.
Click to enable key rotation.

Configure the rotation period and click OK, as shown in Figure 3. For more information, see Table 2.

Figure 3 Enabling key rotation
Click to enlarge

**Table 2** Key rotation parameters
Parameter	Description
Key rotation	Rotation switch. The default status is . : disabled : enabled After rotation is enabled, the key will be rotated based on your set period. NOTE: A disabled custom key is never rotated, even if rotation is enabled for it. KMS resumes rotation when this custom key is enabled. If you enable this custom key after one rotation period has passed, KMS will rotate it within 24 hours.
Rotation Period (day)	Rotation period (day). The value is an integer ranging from 30 to 365. The default value is 365. Configure the period based on how often a custom key is used. If it is frequently used, configure a short period. Otherwise, set a long one.

Check rotation details, as shown in the following figure.

Figure 4 Key rotation details

You can click to change the rotation period. After the period is changed, KMS rotates the key by the new period.