Key rotation

Rotation in Cloud KMS

In Cloud KMS, a key rotation is represented by generating a new key version of a key, and marking that version as the primary version.

Creating a new key version generates the new cryptographic key material, and marking that key version as primary causes it to be used to encrypt any new data. Each key has a designated primary version at any point in time, which Cloud KMS uses to encrypt data.

After rotating a key, its previous key versions (which are no longer primary) are neither disabled nor destroyed, and remain available for decrypting data that was encrypted under them.

Frequency of key rotation

Encryption keys may be rotated in two ways:

  • Regular rotation: Rotate the encryption key on a fixed schedule, limiting the amount of data protected by a single key version. Regular rotation may also be required by internal business or compliance policy.
  • Irregular rotation: Ad-hoc rotation after a suspected incident, as an additional containment measure. Because rotation by itself does not touch existing ciphertext, data encrypted with the previous version of the key may also need to be re-encrypted.

Having a regular rotation schedule, for example every 90 days, provides some security benefit without significant complexity. Regular rotation limits the amount of data encrypted with a single key version, keeps the rotation path exercised so that an irregular rotation can be performed without surprises when it is needed, and allows disabling older key versions to be used to restrict access to older data.

A more stringent and complex implementation could also have a disablement schedule, to re-encrypt older data and disable keys after a certain time period, e.g., 20 key versions enabled for up to 5 years of data. This is difficult to implement securely and correctly.

It is not recommended to rely solely on irregular rotation, but rather to use irregular rotation if needed in conjunction with a regular rotation schedule.

Automatic rotation

If you provide a rotation schedule, Cloud KMS rotates the key for you automatically. A key's rotation schedule can be set using the gcloud command-line tool or via the Google Cloud Platform Console.

A rotation schedule is defined by a rotation period and a next rotation time. The rotation period is the time between when new key versions are generated automatically, and must be at least one day. The next rotation time is the date of the next scheduled rotation, which must be in the future. Automatic rotation will start at the next rotation time, and occur every rotation period thereafter.

If only the next rotation time is specified (with no rotation period), the key will be scheduled for a single rotation on that date, at which point the field will be cleared. Specifying only the rotation period without a next rotation time results in an error.

Key rotations performed manually via the CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion methods do not affect a key's rotation schedule.

When enabling automatic rotation with the gcloud command-line tool, you can specify any rotation period of at least one day. When enabling automatic rotation in the GCP Console, the rotation period offers common options (e.g., 30 days), but you can also set it to a custom number of days.
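The rules above (a minimum period of one day, a next rotation time that must lie in the future, a one-shot schedule when only the next rotation time is given, and an error when only the period is given) are small enough to model exactly. The following is an added example, not Cloud KMS code: it mirrors those rules in a plain Python class so you can see what a schedule does over time, for instance when auditing how many versions a 90-day period produces. The class and helper names are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ONE_DAY = timedelta(days=1)


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so dates in the example are unambiguous UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class RotationSchedule:
    """Illustrative model of a key's rotation schedule: a rotation period plus a
    next rotation time. This is not the service's code; it only follows the
    rules stated in the text above."""
    rotation_period: Optional[timedelta] = None
    next_rotation_time: Optional[datetime] = None

    @classmethod
    def create(cls, now: datetime, rotation_period: Optional[timedelta],
               next_rotation_time: Optional[datetime]) -> "RotationSchedule":
        """Validate a requested schedule before 'applying' it."""
        if rotation_period is not None and next_rotation_time is None:
            # Period without a start time is rejected by the API.
            raise ValueError("rotation_period requires next_rotation_time")
        if rotation_period is not None and rotation_period < ONE_DAY:
            raise ValueError("rotation_period must be at least one day")
        if next_rotation_time is not None and next_rotation_time <= now:
            raise ValueError("next_rotation_time must be in the future")
        return cls(rotation_period, next_rotation_time)

    def advance(self, now: datetime) -> List[datetime]:
        """Return the times at which automatic rotations occur up to `now`, and
        move next_rotation_time forward accordingly. Manual rotations (creating a
        version and making it primary) would not call this at all: they leave the
        schedule untouched."""
        rotations: List[datetime] = []
        while self.next_rotation_time is not None and self.next_rotation_time <= now:
            rotations.append(self.next_rotation_time)
            if self.rotation_period is None:
                # One-shot schedule: rotate once, then the field is cleared.
                self.next_rotation_time = None
            else:
                self.next_rotation_time += self.rotation_period
        return rotations


if __name__ == "__main__":
    sched = RotationSchedule.create(utc(2023, 12, 1), ONE_DAY * 90, utc(2024, 1, 1))
    for when in sched.advance(utc(2024, 7, 1)):
        print("automatic rotation at", when.date())
    print("next rotation", sched.next_rotation_time)
```

Running it shows three rotations in the first half of 2024 for a 90-day period that starts on 1 January, with the next one queued for late September; the one-shot and invalid cases are exercised in the same way.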

Manual rotation

Manual rotation can be used for irregular key rotation, as well as for regular key rotation managed outside of Cloud KMS. Keys can be manually rotated using the gcloud command-line tool or via the GCP Console.

Rotation considerations

  • Rotating a key, whether automatically or manually, does NOT re-encrypt data that was already encrypted with an earlier key version; that data stays bound to the version that encrypted it. If you suspect unauthorized use of a key, you should re-encrypt the data protected by that key version under the new primary version, confirm that no ciphertext still references the old version, and then disable or schedule destruction of the prior key version.
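The behaviour described in this page (encrypt with the primary version, keep decrypting with older versions, rotation leaves existing ciphertext untouched, re-encrypt before disabling) is easier to reason about with a small executable model. The following is an added example and not Cloud KMS code: it models a key as a set of versions with one primary, tags each ciphertext with the version that produced it, and adds the check a practitioner wants before disabling a version. The stream cipher inside is a SHA-256 counter-mode stand-in so the example runs with the standard library only; the key name and record contents are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ENABLED, DISABLED, DESTROY_SCHEDULED = "ENABLED", "DISABLED", "DESTROY_SCHEDULED"


class KeyVersionUnavailable(Exception):
    """Raised when a ciphertext names a key version that is not ENABLED."""


@dataclass
class KeyVersion:
    version_id: int
    material: bytes          # fresh key material generated for every version
    state: str = ENABLED


def _keystream_xor(material: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) used only so this example
    runs offline. Illustration only; real data goes through the KMS API or AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(material + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class CryptoKey:
    """Model of one key: several versions, exactly one of them primary."""

    def __init__(self, name: str):
        self.name = name
        self.versions: Dict[int, KeyVersion] = {}
        self.primary: Optional[int] = None
        self.rotate()  # a new key starts with version 1 as its primary

    def rotate(self) -> int:
        """Rotation = create a new version and make it primary. Nothing is re-encrypted."""
        vid = len(self.versions) + 1
        self.versions[vid] = KeyVersion(vid, os.urandom(32))
        self.primary = vid
        return vid

    def set_state(self, vid: int, state: str) -> None:
        """Disable or schedule destruction of a version; it stops serving decrypts."""
        self.versions[vid].state = state

    def encrypt(self, plaintext: bytes) -> bytes:
        kv = self.versions[self.primary]
        nonce = os.urandom(16)
        ct = _keystream_xor(kv.material, nonce, plaintext)
        tag = hmac.new(kv.material, nonce + ct, hashlib.sha256).digest()
        # The version id travels with the ciphertext, so decrypt needs no hint.
        return struct.pack(">I", kv.version_id) + nonce + ct + tag

    @staticmethod
    def version_of(blob: bytes) -> int:
        return struct.unpack(">I", blob[:4])[0]

    def decrypt(self, blob: bytes) -> bytes:
        vid = self.version_of(blob)
        kv = self.versions.get(vid)
        if kv is None or kv.state != ENABLED:
            raise KeyVersionUnavailable(f"key version {vid} is not ENABLED")
        nonce, ct, tag = blob[4:20], blob[20:-32], blob[-32:]
        expected = hmac.new(kv.material, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication")
        return _keystream_xor(kv.material, nonce, ct)


def reencrypt(key: CryptoKey, blobs: List[bytes]) -> List[bytes]:
    """Decrypt with whatever version each blob names and re-encrypt under the
    current primary, so older versions can then be disabled or destroyed."""
    return [key.encrypt(key.decrypt(b)) for b in blobs]


def versions_in_use(key: CryptoKey, blobs: List[bytes]) -> Dict[int, int]:
    """Count ciphertexts per key version: run this before disabling a version."""
    counts: Dict[int, int] = {}
    for b in blobs:
        v = key.version_of(b)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    key = CryptoKey("projects/example/locations/global/keyRings/demo/cryptoKeys/orders")
    records = [key.encrypt(b"order 1"), key.encrypt(b"order 2")]
    key.rotate()
    print("after rotation, versions in use:", versions_in_use(key, records))  # still version 1
    records = reencrypt(key, records)
    print("after re-encryption:", versions_in_use(key, records))            # version 2 only
    key.set_state(1, DISABLED)
```

The `versions_in_use` count is the gate between "rotated" and "safe to disable": disabling a version that still backs live ciphertext turns every read of that data into a `KeyVersionUnavailable` error, which is exactly what the re-encrypt step exists to prevent.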