Key Rotation

Introduction

Key rotation is the process in which a new version of an encryption key is created. The key fragment instances and split level stay the same across all versions, as does the customer fragment associated with the key (if any).
There are some constraints when rotating a key:

  • Only AES keys can be rotated.
  • Only Enabled keys can be rotated.
  • A key can be set to rotate automatically every 7-365 days.
  • After a rotation, the latest version is used for encryption and decryption operations; previous versions can still be used to decrypt data they encrypted.

Why would I want to rotate my keys?

Key rotation is considered a best practice for key management for a few reasons:

  • As with passwords, it is advisable to rotate a key periodically to limit the impact of cracking attempts: once the key material changes, any progress made against the old version becomes obsolete.
  • Using different versions of a key allows you to compartmentalize and manage a key, and any information encrypted with it.

Managing a Key in the CLI

To rotate a key in the CLI, use the following command:

  • -n,--name: The item name
akeyless rotate-key -n MyAES256SIVKey

If you wish to add a rotation schedule, add the following parameters:

  • --auto-rotate: Whether to automatically rotate every --rotation-interval days (true), or disable existing automatic rotation (false)
  • --rotation-interval: The number of days to wait between every automatic key rotation (7-365)
akeyless rotate-key -n MyAES256SIVKey --auto-rotate true --rotation-interval 30

To view the key's existing versions, use the describe-item command with the following parameters:

  • -n,--name: The item name
  • --show-versions: Show all the item versions
akeyless describe-item --name MyAES256SIVKey --show-versions

Example output:

akeyless describe-item -n MyAES256SIVKey --show-versions
{
   "item_name": "/MyAES256SIVKey",
   "item_type": "AES256GCM",
   "item_metadata": "",
   "item_size": 32,
   "last_version": 2,
   "with_customer_fragment": false,
   "is_enabled": true,
   "public_value": "",
   "certificates": "",
   "protection_key_name": "",
   "cert_issuer_signer_key_name": "",
   "certificate_issue_details": {
      "max_ttl": 0,
      "cert_issuer_type": "",
      "ssh_cert_issuer_details": null,
      "pki_cert_issuer_details": null
   },
   "client_permissions": [
      "read",
      "list",
      "update",
      "delete",
      "create"
   ],
   "item_state": "Enabled",
   "item_versions": [
      {
         "version": 1,
         "item_version_state": "PendingDeletion",
         "deletion_date": "2020-01-30T13:00:00Z"
      },
      {
         "version": 2,
         "item_version_state": "Enabled"
      }
   ]
}

To delete a specific key version, use the delete-item command with these parameters:

  • -n,--name: The item name
  • --version: The version of the key you wish to delete
  • --delete-in-days: The time in days until deletion
akeyless delete-item -n MyAES256SIVKey --version=1 --delete-in-days=30
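The version semantics behind these commands (latest version encrypts, older versions are decrypt-only, a version pending deletion keeps working until its deletion date and then its data becomes unrecoverable) are easy to get wrong when planning a rotation. The model below is an added illustration, not Akeyless code: it uses a stand-in HMAC keystream in place of AES, a day counter in place of real dates, and an assumed ciphertext envelope (version byte, nonce, payload) so the bookkeeping can be exercised offline.

```python
import hashlib, hmac, os

def _stream_xor(key, nonce, data):
    # Stand-in cipher (NOT AES): HMAC-SHA256 keystream XOR. It only has to
    # guarantee that a blob opens solely with the key version that produced it.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class RotatingKey:
    """Version bookkeeping as the page describes it: rotate() adds a version, the
    latest version encrypts, older versions are decrypt-only until deleted."""
    def __init__(self, rotation_interval_days):
        if not 7 <= rotation_interval_days <= 365:  # --rotation-interval bounds
            raise ValueError("rotation interval must be 7-365 days")
        self.versions = {}  # version -> {"key", "state", "deletion_day"}
        self.last_version = 0
        self.rotate()

    def rotate(self):
        self.last_version += 1
        self.versions[self.last_version] = {"key": os.urandom(32), "state": "Enabled"}

    def encrypt(self, plaintext):
        nonce = os.urandom(16)  # envelope: 1-byte version | 16-byte nonce | payload
        key = self.versions[self.last_version]["key"]
        return bytes([self.last_version]) + nonce + _stream_xor(key, nonce, plaintext)

    def decrypt(self, blob):
        version, nonce, payload = blob[0], blob[1:17], blob[17:]
        if version not in self.versions:
            raise KeyError(f"key version {version} was deleted; data is unrecoverable")
        return _stream_xor(self.versions[version]["key"], nonce, payload)

    def delete_version(self, version, today, delete_in_days):
        # delete-item --version N --delete-in-days D: still decrypts until that day
        self.versions[version].update(state="PendingDeletion",
                                      deletion_day=today + delete_in_days)

    def purge(self, today):
        # what the service does once a pending version's deletion day has passed
        for v in [v for v, m in self.versions.items()
                  if m["state"] == "PendingDeletion" and m["deletion_day"] <= today]:
            del self.versions[v]

    def reencrypt(self, blob):
        return self.encrypt(self.decrypt(blob))  # migrate before the old version goes
```

The practical takeaway is the order of operations: re-encrypt anything still bound to an old version within the --delete-in-days window, because once the version is gone the ciphertext cannot be opened.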

Managing a Key in the Console

To rotate a key in the console:

  1. Go to the folder in Akeyless where you saved the desired key and select it.

  2. To rotate it once, tap Rotate Key Now.

  • To set an auto-rotate schedule, tap Auto Rotate Configuration.

  • To view and manage previous versions, open the Show Previous Versions drop-down menu.