This page describes how to rotate keys for MACsec for Cloud Interconnect.
To rotate keys, you complete the following:
- Create a new key with a start date after existing keys.
- Add the new key to your on-premises router.
- Wait for the new key's start time.
- Verify that the new key is active.
- Delete the oldest key.
You can create up to five pre-shared keys with start times that you specify. The keys' start times must be in increasing order, and not within six hours of the previous key's start time. To rotate a key that you no longer want to use, you remove the key.
Pre-shared keys don't expire. When you configure more than one key, then all keys must have a start time configured.
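The constraints above (at most five keys, start times strictly increasing, consecutive start times at least six hours apart, and a start time on every key once more than one is configured) are easy to get wrong when scheduling a rotation by hand. The following added example, which is not part of this page and not Google's own tooling, checks a proposed key list against those rules and computes the earliest start time a new key may use. It assumes keys are represented as plain dictionaries with the `name` and `startTime` fields that `gcloud compute interconnects macsec get-config` prints; the sample key list is constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_KEYS = 5                    # at most five pre-shared keys per connection
MIN_GAP = timedelta(hours=6)    # consecutive start times must be at least six hours apart


def parse_start(value):
    """Parse an ISO 8601 timestamp such as 2023-07-01T21:00:01.000Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def schedule_errors(keys):
    """Return the list of rule violations in a proposed pre-shared key list.

    `keys` is a list of dicts in the order they would be configured, each with a
    "name" and an optional "startTime" (ISO 8601 string). An empty result means
    the schedule satisfies every constraint stated on this page.
    """
    errors = []
    if len(keys) > MAX_KEYS:
        errors.append(f"{len(keys)} keys configured, but at most {MAX_KEYS} are allowed")
    if len(keys) > 1:
        for key in keys:
            if not key.get("startTime"):
                errors.append(f"key {key['name']!r} has no start time; every key needs one "
                              "when more than one key is configured")
    timed = [key for key in keys if key.get("startTime")]
    for prev, cur in zip(timed, timed[1:]):
        gap = parse_start(cur["startTime"]) - parse_start(prev["startTime"])
        if gap <= timedelta(0):
            errors.append(f"key {cur['name']!r} does not start after {prev['name']!r}; "
                          "start times must be in increasing order")
        elif gap < MIN_GAP:
            errors.append(f"key {cur['name']!r} starts only {gap} after {prev['name']!r}; "
                          "consecutive keys need at least six hours between start times")
    return errors


def next_start_time(keys):
    """Earliest start time a new key may have: six hours after the latest existing start time.

    Returns an ISO 8601 string in the form the --start-time flag accepts, or None
    if no existing key has a start time.
    """
    starts = [parse_start(key["startTime"]) for key in keys if key.get("startTime")]
    if not starts:
        return None
    return (max(starts) + MIN_GAP).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample mirroring the two-key get-config output shown later on this page.
SAMPLE_KEYS = [
    {"name": "key1", "startTime": "2023-07-01T12:12:12Z"},
    {"name": "key2", "startTime": "2023-08-01T12:12:12Z"},
]

if __name__ == "__main__":
    print("errors:", schedule_errors(SAMPLE_KEYS))        # []
    print("next start:", next_start_time(SAMPLE_KEYS))    # 2023-08-01T18:12:12Z
```

Run `schedule_errors` on the list you intend to end up with (existing keys plus the new one) before calling `add-key`; a key without a start time surfaces here as an error, which is the same condition that makes Cloud Interconnect reject the new key in the "Update existing key start time" step below.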
Required roles
To get the permissions that you need to retrieve MACsec keys, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
If you choose to use custom roles, ensure that your custom role for administrating MACsec for Cloud Interconnect includes the compute.interconnects.getMacsecConfig IAM permission.
Optional: Update existing key start time
If you have a key without a start time and attempt to create a new key, Cloud Interconnect displays an error. To fix the start time, select one of the following options to set a start time for the existing key:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the connection that you want to modify.
On the MACsec tab, go to the Pre-shared keys section, and then click Managed pre-shared keys.
In the Start time field, select or enter a new start time.
Click Submit.
gcloud
gcloud compute interconnects macsec update-key INTERCONNECT_CONNECTION_NAME \
--key-name=KEY_NAME \
--start-time=START_TIME
Replace the following:
INTERCONNECT_CONNECTION_NAME: the name of your Cloud Interconnect connection
KEY_NAME: the name of the key to update
START_TIME: the time that this key is valid from, in ISO 8601 format, for example 2023-07-01T21:00:01.000Z
Create a new key
To add a new key, select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the connection that you want to modify.
On the MACsec tab, go to the Pre-shared keys section, and then click Managed pre-shared keys.
Click Add key.
Specify the details of the pre-shared key:
Key Name: a name for the key. This name is displayed in the Google Cloud console and is used by the gcloud CLI to reference the key, such as psk-2.
Start time: the time that the key is valid from. Ensure that the new pre-shared key's start time is at least six hours after the start time of the previous key.
To add additional pre-shared keys, click Add key. Consecutive pre-shared keys must have start times at least six hours apart.
Click Submit.
gcloud
gcloud compute interconnects macsec add-key INTERCONNECT_CONNECTION_NAME \
--key-name=KEY_NAME \
--start-time="START_TIME"
Replace the following:
INTERCONNECT_CONNECTION_NAME: the name of your Cloud Interconnect connection
KEY_NAME: a name for the key
START_TIME: the time that this key is valid from, in ISO 8601 format, for example 2023-07-01T21:00:01.000Z
As a best practice, we recommend that you set a start time for all keys that you create for MACsec for Cloud Interconnect.
To list existing keys and note the new key's connectivity association key (CAK) and the connectivity association key name (CKN), select one of the following options:
Console
In the Pre-shared keys section, find the name of the pre-shared key that you added, then click View. A window displays the connectivity association key (CAK) and the connectivity association key name (CKN). Click Copy next to either value to copy the value to your computer's clipboard.
Click Close.
gcloud
gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME
The output is similar to the following:
preSharedKeys:
- name: key1
  ckn: 0101010189abcdef...0123456789abcdef
  cak: 0123456789abcdef...0123456789abcdef
  startTime: 2023-07-01T12:12:12Z
- name: key2
  ckn: 0202020289abcdef...0123456789abcdef
  cak: 0123456889abcdef...0123456789abcdef
  startTime: 2023-08-01T12:12:12Z
In this example, key2 is the newly added key.
Add the new key's start time, CAK, and CKN values to your on-premises router's configuration.
Google's edge routers use the key with the most recent start time and automatically switch to the next key as time progresses. All configured keys have infinite expiration times. This means that to complete a key rotation, you must remove the old key that you don't want used.
Verify the active key
Complete the following steps:
To list existing keys, select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the connection that you want to view.
On the MACsec tab, the Pre-shared keys section lists all pre-shared keys for this connection.
gcloud
gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME
The output is similar to the following:
preSharedKeys:
- name: key1
  ckn: 0101010189abcdef...0123456789abcdef
  cak: 0123456789abcdef...0123456789abcdef
  startTime: 2023-07-01T12:12:12Z
- name: key2
  ckn: 0202020289abcdef...0123456789abcdef
  cak: 0123456889abcdef...0123456789abcdef
  startTime: 2023-08-01T12:12:12Z
Note the CKN value for the key listed before the last key.
To verify that the active key is listed before removing the old key, select one of the following options:
Console
- In the Pre-shared keys section, verify that the new key displays a Key status of Active, in use.
gcloud
gcloud compute interconnects get-diagnostics INTERCONNECT_CONNECTION_NAME
The output is similar to the following; look for the macsec section:
bundleAggregationType: BUNDLE_AGGREGATION_TYPE_STATIC
bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
links:
- circuitId: LOOP-0
  googleDemarc: fake-local-demarc-0
  lacpStatus:
    googleSystemId: '00:11:22:33:44:55'
    neighborSystemId: '55:44:33:22:11:00'
    state: ACTIVE
  macsec:
    ckn: 0202020289abcdef...0123456789abcdef
    operational: true
  operationalStatus: LINK_OPERATIONAL_STATUS_UP
  receivingOpticalPower:
    state: OK
    value: -2.49
  transmittingOpticalPower:
    state: OK
    value: -0.88
macAddress: 00:11:22:33:44:55
The gcloud compute interconnects get-diagnostics command displays the active key's CKN value. If you have more than one key configured, then the key with the latest start time is selected as the active key. Google's edge routers reject any new MACsec sessions that attempt to use the older keys.
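The selection rule stated here and in the "Create a new key" section (the edge routers use the configured key with the most recent start time that has already arrived, and switch keys as time passes) can be checked mechanically against the two command outputs. The following added example, not part of this page and not Google's own code, reproduces that rule in `active_key`, compares the result with the CKN that each link in `get-diagnostics` reports, and lists which keys are older than the active one and therefore candidates for the removal step that follows. It assumes the outputs have been loaded into Python dictionaries with the same field names the YAML above shows; the `CONFIG` and `DIAGNOSTICS` samples are constructed, and their CKN and CAK values are placeholders rather than real key material.

```python
from datetime import datetime, timezone


def parse_start(value):
    """Parse an ISO 8601 timestamp such as 2023-07-01T12:12:12Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def active_key(pre_shared_keys, now):
    """Key the Google edge routers select at `now`: the configured key with the most
    recent start time that has already passed. Keys whose start time is still in the
    future are ignored; None is returned if no key has started yet."""
    started = [k for k in pre_shared_keys
               if k.get("startTime") and parse_start(k["startTime"]) <= now]
    if not started:
        return None
    return max(started, key=lambda k: parse_start(k["startTime"]))


def verify_rotation(config, diagnostics, now, expected_name):
    """Check that `expected_name` is the key the routers should be using at `now` and that
    every link in the get-diagnostics output is running MACsec with that key's CKN.
    Returns (ok, reason)."""
    active = active_key(config["preSharedKeys"], now)
    if active is None:
        return False, "no configured key has reached its start time yet"
    if active["name"] != expected_name:
        return False, f"expected {expected_name!r} to be active, but {active['name']!r} is"
    for link in diagnostics["links"]:
        macsec = link.get("macsec", {})
        if macsec.get("ckn") != active["ckn"]:
            return False, (f"link {link['circuitId']} reports CKN {macsec.get('ckn')!r}, "
                           "not the active key's CKN")
        if not macsec.get("operational"):
            return False, f"link {link['circuitId']} reports MACsec not operational"
    return True, f"{active['name']!r} is active on all {len(diagnostics['links'])} link(s)"


def keys_safe_to_remove(config, now):
    """Names of keys older than the active key, i.e. the ones a rotation retires.
    The active key itself is never listed."""
    active = active_key(config["preSharedKeys"], now)
    if active is None:
        return []
    cutoff = parse_start(active["startTime"])
    return [k["name"] for k in config["preSharedKeys"]
            if k.get("startTime") and parse_start(k["startTime"]) < cutoff]


# Constructed samples mirroring the shape of the get-config and get-diagnostics output
# above; CKN and CAK values are placeholders, not real key material.
CONFIG = {"preSharedKeys": [
    {"name": "key1", "ckn": "0101010189abcdef0123456789abcdef",
     "cak": "PLACEHOLDER_CAK_1", "startTime": "2023-07-01T12:12:12Z"},
    {"name": "key2", "ckn": "0202020289abcdef0123456789abcdef",
     "cak": "PLACEHOLDER_CAK_2", "startTime": "2023-08-01T12:12:12Z"},
]}
DIAGNOSTICS = {"links": [
    {"circuitId": "LOOP-0", "state": "ACTIVE",
     "macsec": {"ckn": "0202020289abcdef0123456789abcdef", "operational": True}},
]}

if __name__ == "__main__":
    now = parse_start("2023-08-02T00:00:00Z")
    print(verify_rotation(CONFIG, DIAGNOSTICS, now, "key2"))   # (True, "'key2' is active on all 1 link(s)")
    print(keys_safe_to_remove(CONFIG, now))                    # ['key1']
```

Checking `verify_rotation` before the start time of the new key is expected to fail with "expected 'key2' to be active, but 'key1' is"; that is the "Wait for the new key's start time" step, not a misconfiguration. A mismatch after the start time, with the links still reporting the old CKN, is the signal that the on-premises router has not picked up the new key.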
Remove the old key
As a safety precaution, MACsec for Cloud Interconnect prevents you from removing the last active key.
To remove the old key, complete the following steps:
Remove the old key from your on-premises router configuration. This ensures that the old key isn't used by your on-premises router before you delete the old key from Cloud Interconnect.
To remove the old key from your Cloud Interconnect connection configuration, select one of the following options:
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Select the connection that you want to view.
On the MACsec tab, go to Pre-shared keys, select the key you want to delete, and then click Delete.
In the Pre-shared keys section, verify that the new key displays a Key status of Active, in use and that the key you wanted to delete is no longer listed.
gcloud
Run the following command:
gcloud compute interconnects macsec remove-key INTERCONNECT_CONNECTION_NAME \
--key-name=KEY_NAME
Replace the following:
INTERCONNECT_CONNECTION_NAME: the name of your Cloud Interconnect connection
KEY_NAME: the name of your key
To verify that you removed the correct key, run the following command:
gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME
The output is similar to the following:
preSharedKeys:
- name: key2
  ckn: 0202020289abcdef...0123456789abcdef
  cak: 0123456889abcdef...0123456789abcdef
  startTime: 2023-08-01T12:12:12Z