Rotate your cluster's security keys

Key Rotation

Key rotation is the act of changing the underlying cryptographic material contained in a key encryption key (KEK). It can be triggered manually, usually after a security incident where keys might have been compromised. Key rotation replaces only the single field in the key that contains the raw encryption/decryption key data.

To rotate the customer-managed encryption keys, perform the following steps:

  1. Create a new Azure Key Vault key version.

  2. After a key rotation, new Secrets will be encrypted using the new key. Old Secrets will still be decrypted using old keys. The cluster stores key information along with the cipher to aid decryption after key rotation.

    Force the cluster to re-encrypt all secrets using the new key:

    kubectl get secrets --all-namespaces -o json | \
    kubectl annotate --overwrite -f - encryption-key-rotation-time=`date +"%Y%m%d-%H%M%S"`