Rotating keys

A CryptoKey can have a rotation schedule which determines if and when it is automatically rotated.

To automatically rotate a key by setting a rotation period (Update a CryptoKey) or to manually rotate a key (Create a new CryptoKeyVersion), a user needs the IAM role roles/cloudkms.admin, roles/owner, or roles/editor.

Automatic rotation: Setting the rotation period for a CryptoKey

To enable automation rotation of a key, set the rotation schedule with the following gcloud command syntax:

Command-line

gcloud kms keys set-rotation-schedule CRYPTOKEY_NAME \
    --location LOCATION \
    --keyring KEYRING_NAME \
    --rotation-period ROTATION_PERIOD \
    --next-rotation-time NEXT_ROTATION_TIME

Windows cmd.exe

gcloud kms keys set-rotation-schedule CRYPTOKEY_NAME ^
    --location LOCATION ^
    --keyring KEYRING_NAME ^
    --rotation-period ROTATION_PERIOD ^
    --next-rotation-time NEXT_ROTATION_TIME

Powershell

gcloud kms keys set-rotation-schedule CRYPTOKEY_NAME `
    --location LOCATION `
    --keyring KEYRING_NAME `
    --rotation-period ROTATION_PERIOD `
    --next-rotation-time NEXT_ROTATION_TIME

Rotation schedule syntax

The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d). For example, a valid rotation schedule for use with the gcloud command could be:

rotation-period=30d
next-rotation-time=2016-10-12T12:34:56.1234Z

Create a CryptoKey with a rotation schedule

To create a new key for the KeyRing:

Command-line

gcloud kms keys create CRYPTOKEY_NAME \
    --location LOCATION \
    --keyring KEYRING_NAME \
    --purpose ENCRYPTION \
    --rotation-period ROTATION_PERIOD \
    --next-rotation-time NEXT_ROTATION_TIME

Windows cmd.exe

gcloud kms keys create CRYPTOKEY_NAME ^
    --location LOCATION ^
    --keyring KEYRING_NAME ^
    --purpose ENCRYPTION ^
    --rotation-period ROTATION_PERIOD ^
    --next-rotation-time NEXT_ROTATION_TIME

Powershell

gcloud kms keys create CRYPTOKEY_NAME `
    --location LOCATION `
    --keyring KEYRING_NAME `
    --purpose ENCRYPTION `
    --rotation-period ROTATION_PERIOD `
    --next-rotation-time NEXT_ROTATION_TIME

Where the command uses the following parameters: a new key CRYPTOKEY_NAME for the KeyRing KEYRING_NAME with rotation schedule defined by ROTATION_PERIOD and NEXT_ROTATION_TIME.

Manual rotation: Generating a new CryptoKeyVersion

To create a new CryptoKeyVersion and make it primary with gcloud, for the CryptoKey CRYPTOKEY_NAME for the KeyRing KEYRING_NAME, run

Command-line

gcloud kms keys versions create --location LOCATION \
    --keyring KEYRING_NAME \
    --key CRYPTOKEY_NAME --primary

Windows cmd.exe

gcloud kms keys versions create --location LOCATION ^
    --keyring KEYRING_NAME ^
    --key CRYPTOKEY_NAME --primary

Powershell

gcloud kms keys versions create --location LOCATION `
    --keyring KEYRING_NAME `
    --key CRYPTOKEY_NAME --primary

This is equivalent to you creating a new CryptoKeyVersion that is not primary, then making that version primary. That would require you knowing the version number VERSION_ID of the newly created CryptoKeyVersion. This is equivalent to the following in gcloud,

Command-line

gcloud kms keys versions create \
    --location LOCATION \
    --keyring KEYRING_NAME \
    --key CRYPTOKEY_NAME
gcloud kms keys set-primary-version CRYPTOKEY_NAME \
    --version VERSION_ID \
    --location LOCATION \
    --keyring KEYRING_NAME

Windows cmd.exe

gcloud kms keys versions create ^
    --location LOCATION ^
    --keyring KEYRING_NAME ^
    --key CRYPTOKEY_NAME
gcloud kms keys set-primary-version CRYPTOKEY_NAME ^
    --version VERSION_ID ^
    --location LOCATION ^
    --keyring KEYRING_NAME

Powershell

gcloud kms keys versions create `
    --location LOCATION `
    --keyring KEYRING_NAME `
    --key CRYPTOKEY_NAME
gcloud kms keys set-primary-version CRYPTOKEY_NAME `
    --version VERSION_ID `
    --location LOCATION `
    --keyring KEYRING_NAME

Disable automatic rotation

To disable an automatic rotation, clear the rotation schedule of the CryptoKey:

Command-line

gcloud kms keys remove-rotation-schedule CRYPTOKEY_NAME \
    --location LOCATION \
    --keyring KEYRING_NAME

Windows cmd.exe

gcloud kms keys remove-rotation-schedule CRYPTOKEY_NAME ^
    --location LOCATION ^
    --keyring KEYRING_NAME

Powershell

gcloud kms keys remove-rotation-schedule CRYPTOKEY_NAME `
    --location LOCATION `
    --keyring KEYRING_NAME

Setting an existing version as the primary CryptoKeyVersion

The gcloud command to make version 42 (which is enabled) the primary version of the CryptoKey dont-panic in KeyRing hitchhiker is

Command-line

gcloud kms keys set-primary-version dont-panic \
    --version 42 \
    --location global \
    --keyring hitchhiker

Windows cmd.exe

gcloud kms keys set-primary-version dont-panic 42 ^
    --location global ^
    --keyring hitchhiker

Powershell

gcloud kms keys set-primary-version dont-panic 42 `
    --location global `
    --keyring hitchhiker

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Not now Use the app

Send feedback about...

This page
Documentation feedback
Cloud KMS Documentation
Product feedback