Asymmetric key rotation

This topic provides information about key rotation for asymmetric keys. If you want information about rotation of symmetric keys, see the Key rotation and Rotating keys topics.

Cloud KMS does not support automatic rotation of asymmetric keys. The reasons, and important considerations about manual rotation of asymmetric keys, are described below.

About asymmetric keys

Asymmetric keys support digital signatures and encryption. An asymmetric key consists of a private key and public key pair. Signatures are produced with the private key and can be verified with the public key. Similarly, data encrypted with the public key can be decrypted only with the private key. The private key cannot be easily derived from the public key, so the public key can be distributed widely and used for signature verification or encryption. The private key remains accessible only to the private key holder.

Rotation considerations

The impact of key rotation differs between symmetric and asymmetric keys.

Rotation of a symmetric key

The process of automatic or manual rotation of a symmetric key consists of:

  1. Creating a new key version.
  2. Updating the new key version to be primary.
  3. Beginning to use the new key version. You can use it in calls to the CryptoKey.encrypt method. When a subsequent call is made to the CryptoKey.decrypt method, Cloud KMS knows which key version to use for decryption, even if the key version that produced the ciphertext is no longer primary.

When a symmetric key is used for encryption or decryption, the user specifies a key, not a key version. The user does not need to modify usage of the symmetric key — Cloud KMS handles the encryption and decryption usage on behalf of the user when a symmetric key is rotated.

Because the user does not need to modify usage of the key when a symmetric key is rotated, Cloud KMS supports automatic rotation of symmetric keys.

Rotation of an asymmetric key

The impact of rotation of an asymmetric key differs between an asymmetric key used for signatures and an asymmetric key used for encryption. In both cases the usage impact is significant enough that Cloud KMS does not support automatic rotation of asymmetric keys.

Rotation of an asymmetric key for signatures

The process of rotating an asymmetric key used for signatures consists of:

  1. Creating a new key version.

  2. Distributing the public key portion of the new key version. You can retrieve the public key using the CryptoKeyVersions.getPublicKey method.

  3. Incorporating the public key portion of the new key version in applications used for signature validation.

  4. Beginning to use the new key version. You can use it in calls to the CryptoKeyVersions.asymmetricSign method to create a signature. Applications that incorporate the public key returned by CryptoKeyVersions.getPublicKey can verify the signature.
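The ordering of steps 2 through 4 is what makes this rotation safe: a verifier that has not yet incorporated the new public key will reject every signature made with the new version. The following Go program is an added example (not part of the Cloud KMS documentation or client library) that models this locally; it generates a P-256 ECDSA key in-process as a hypothetical stand-in for a CryptoKeyVersion, and the method names mirror the KMS API only by analogy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// KeyVersion stands in for one CryptoKeyVersion of an EC_SIGN_P256_SHA256 key.
// The private key is generated locally here (hypothetical stand-in; Cloud KMS never exports it).
type KeyVersion struct {
	Name string // e.g. "projects/.../cryptoKeyVersions/1"
	priv *ecdsa.PrivateKey
}

func NewKeyVersion(name string) *KeyVersion {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &KeyVersion{Name: name, priv: priv}
}

// GetPublicKey mirrors CryptoKeyVersions.getPublicKey: the only thing a verifier ever receives.
func (kv *KeyVersion) GetPublicKey() *ecdsa.PublicKey { return &kv.priv.PublicKey }

// AsymmetricSign mirrors CryptoKeyVersions.asymmetricSign over a SHA-256 digest. The version
// name is returned alongside the signature so it can travel with it to the verifier.
func (kv *KeyVersion) AsymmetricSign(msg []byte) (sig []byte, versionName string, err error) {
	digest := sha256.Sum256(msg)
	sig, err = ecdsa.SignASN1(rand.Reader, kv.priv, digest[:])
	return sig, kv.Name, err
}

// Verifier is the application that incorporates distributed public keys (step 3 above),
// keyed by key version name so several versions can be trusted at once during a rotation.
type Verifier struct{ pubs map[string]*ecdsa.PublicKey }

func NewVerifier() *Verifier { return &Verifier{pubs: map[string]*ecdsa.PublicKey{}} }

// Incorporate must run before signers switch to versionName, or their signatures are rejected.
func (v *Verifier) Incorporate(versionName string, pub *ecdsa.PublicKey) { v.pubs[versionName] = pub }

// Verify returns false for an unknown version (public key not yet distributed) or a bad signature.
func (v *Verifier) Verify(msg, sig []byte, versionName string) bool {
	pub, ok := v.pubs[versionName]
	if !ok {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Signing with the new version before its public key is incorporated yields a signature the verifier cannot check, which is the failure mode the procedure above exists to avoid.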

Rotation of an asymmetric key for encryption

The process of rotating an asymmetric key used for encryption consists of:

  1. Creating a new key version.

  2. Distributing the public key portion of the new key version. You can retrieve the public key using the CryptoKeyVersions.getPublicKey method.

  3. Incorporating the public key portion of the new key version in applications used for encryption.

  4. Incorporating the private key portion of the new key version in applications used for decryption. You use the CryptoKeyVersions.asymmetricDecrypt method for decryption.

  5. Beginning to use the new key version for encryption and decryption, via calls to CryptoKeyVersions.getPublicKey and CryptoKeyVersions.asymmetricDecrypt.
