Rotation in Cloud KMS
In Cloud KMS, a key rotation is represented by generating a new key version of a key, and marking that version as the primary version.
Creating a new key version generates the new cryptographic key material, and marking that key version as primary causes it to be used to encrypt any new data. Each key has a designated primary version at any point in time, which Cloud KMS uses to encrypt data.
After rotating a key, its previous key versions (which no longer are primary) are neither disabled or destroyed, and remain available for decrypting data.
Frequency of key rotation
Encryption keys may be rotated in two ways:
- Regular rotation: Regularly rotate the encryption key used, limiting the amount of data protected by a single key. Regular rotation may be required for internal business compliance.
- Irregular rotation: Ad-hoc rotation after a suspected incident, as an additional stopgap. Data encrypted with the previous version of the key may also need to be re-encrypted.
Having a regular rotation schedule, for example every 90 days, provides some security benefit without significant complexity. Regular rotation limits the amount of data encrypted with a single key, avoids key lock-in in case an irregular rotation is needed, and allows key version disablement to be used to restrict access to older data.
A more stringent and complex implementation could also have a disablement schedule, to re-encrypt older data and disable keys after a certain time period, e.g., 20 key versions enabled for up to 5 years of data. This is difficult to implement securely and correctly.
It is not recommended to rely solely on irregular rotation, but rather to use irregular rotation if needed in conjunction with a regular rotation schedule.
By providing a rotation schedule, Cloud KMS will automatically
rotate your keys for you. A key's rotation schedule can be set using the
gcloud command-line tool or via the Google Cloud Platform Console.
A rotation schedule is defined by a rotation period and a next rotation time. The rotation period is the time between when new key versions are generated automatically, and must be at least one day. The next rotation time is the date of the next scheduled rotation, which must be in the future. Automatic rotation will start at the next rotation time, and occur every rotation period thereafter.
If only the next rotation time is specified (with no rotation period), the key will be scheduled for a single rotation on that date, at which point the field will be cleared. Specifying only the rotation period without a next rotation time results in an error.
Key rotations performed manually via the
UpdateCryptoKeyVersion methods do not affect a key's rotation schedule.
When enabling automatic rotation with the
gcloud command-line tool, you can
specify any length of time for the rotation period. When enabling automatic
rotation in the GCP Console, the rotation period offers common
options (e.g., 30 days) but you can also set it to a custom number of days.
Manual rotation can be used for irregular key rotation, as well as for regular
key rotation managed outside of Cloud KMS. Keys can be manually
rotated using the
gcloud command-line tool or via the GCP Console.