We call classic keys distributed to cloud KMS providers - "managed keys".
Only classic keys can be distributed to cloud KMS providers.
Once you associate a classic key with the KMS Provider target, a copy of the key material is securely transferred to this Cloud KMS Provider in accordance with its key import specification.
Key rotation is performed through the Akeyless Vault. Only AES keys that were generated by Akeyless can be rotated. You can either set up a key rotation interval to rotate the keys automatically or rotate them manually.
Please keep in mind that in Salesforce Data and Analytics keys can be rotated only once in 24 hours, and SearchIndex keys can be rotated once in 7 days.
Once you disable/enable the key in Akeyless, it gets automatically disabled/enabled in the Cloud KMS.
To disable or enable the key, use the following command:
akeyless set-item-state --name <Key Name> --desired-state <Disabled/Enabled>
Please keep in mind that in Salesforce you're not allowed to disable the active key. You'll need to wait for this key to rotate.
To delete the managed key from the Cloud KMS, you need to remove its association with targets. When association with targets is removed, the key will be deleted from Cloud KMS Providers defined in those targets (but will be preserved in the Akeyless KMS).
To delete the association between the key and the target, use the following command:
akeyless delete-assoc-target-item -n <Key Name>
As a result, all associations of the specified key will be deleted. If you use a
target-name parameter, only the association with a certain target will be deleted.
To delete a classic key from the Akeyless KMS you can use the
delete-item command. When you delete the key that is associated with a Cloud KMS target, the key is deleted from both the Akeyless KMS and the Cloud KMS.
Please keep in mind that in Salesforce you're not allowed to delete the active key.
Updated 5 months ago