This topic discusses key rotation in Cloud Key Management Service. For specific instructions to rotate a key, see Rotating keys.
Why rotate keys?
For symmetric encryption, periodically and automatically rotating keys is a recommended security practice. Some industry standards, such as Payment Card Industry Data Security Standard (PCI DSS), require the regular rotation of keys.
Cloud Key Management Service does not support automatic rotation of asymmetric keys. See Considerations for asymmetric keys below.
Rotating keys provides several benefits:
- Limiting the number of messages encrypted with the same key version helps prevent attacks enabled by cryptanalysis. Key lifetime recommendations depend on the key's algorithm, as well as either the number of messages produced or the total number of bytes encrypted with the same key version. For example, the recommended key lifetime for symmetric encryption keys in Galois/Counter Mode (GCM) is based on the number of messages encrypted, as noted at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf.
- In the event that a key is compromised, regular rotation limits the number of actual messages vulnerable to compromise.
  If you suspect that a key version is compromised, disable it and revoke access to it as soon as possible.
- Regular key rotation ensures that your system is resilient to manual rotation, whether due to a security breach or the need to migrate your application to a stronger cryptographic algorithm. Validate your key rotation procedures before a real-life security incident occurs.
You can also manually rotate a key, either because it is compromised, or to modify your application to use a different algorithm.
How often to rotate keys
We recommend that you rotate keys automatically on a regular schedule. A rotation schedule defines the frequency of rotation, and optionally the date and time when the first rotation occurs. The rotation schedule can be based on either the key's age or the number or volume of messages encrypted with a key version.
Some security regulations require periodic, automatic key rotation. Automatic key rotation at a defined period, such as every 90 days, increases security with minimal administrative complexity.
You should also manually rotate a key if you suspect that it has been compromised, or when security guidelines require you to migrate an application to a stronger key algorithm. You can schedule a manual rotation for a date and time in the future. Manually rotating a key does not pause, modify, or otherwise impact an existing automatic rotation schedule for the key.
Do not rely on irregular or manual rotation as a primary component of your application's security.
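As an added example, which is neither part of the Cloud KMS documentation nor code from the Cloud KMS client libraries, the following Go program models a symmetric key with numbered versions and applies both rotation triggers described above: an age-based period and a per-version message budget. Everything in it is a constructed local stand-in. The KeyRing, keyVersion, Rotate, Encrypt, Decrypt and Disable names, the 4-byte version header in front of each ciphertext, and the AES-GCM key material held in process are all assumptions made for illustration; Cloud KMS never releases key material, and its real API objects look nothing like these types.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// keyVersion is a constructed local stand-in for one symmetric Cloud KMS key version.
type keyVersion struct {
	aead     cipher.AEAD
	created  time.Time
	messages uint64 // encrypt calls served by this version
	disabled bool
}

// KeyRing models one key: versions numbered from 1, one of them primary.
// Encrypt always uses the primary; Decrypt uses whichever version made the
// ciphertext, so rotating never breaks earlier data. Call Rotate once first.
type KeyRing struct {
	Period      time.Duration    // age trigger; zero disables it
	MaxMessages uint64           // per-version message budget; zero disables it
	Now         func() time.Time // injectable clock, so age rotation is testable
	Primary     uint32
	versions    []*keyVersion
}

// Rotate creates a version with fresh AES-256-GCM material and makes it
// primary; older versions keep decrypting until disabled.
func (r *KeyRing) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	r.versions = append(r.versions, &keyVersion{aead: aead, created: r.Now()})
	r.Primary = uint32(len(r.versions))
	return r.Primary, nil
}

// Disable is the response to a suspected compromise: the version stops decrypting.
func (r *KeyRing) Disable(n uint32) error {
	if n == 0 || int(n) > len(r.versions) {
		return fmt.Errorf("unknown key version %d", n)
	}
	r.versions[n-1].disabled = true
	return nil
}

// RotationDue reports whether the primary version exceeded its age or message budget.
func (r *KeyRing) RotationDue() bool {
	v := r.versions[r.Primary-1]
	if r.Period > 0 && !r.Now().Before(v.created.Add(r.Period)) {
		return true
	}
	return r.MaxMessages > 0 && v.messages >= r.MaxMessages
}

// Encrypt rotates first if due, then emits version(4 bytes) || nonce ||
// ciphertext; the header is GCM additional data, so it cannot be swapped.
func (r *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	if r.RotationDue() {
		if _, err := r.Rotate(); err != nil {
			return nil, err
		}
	}
	v := r.versions[r.Primary-1]
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, r.Primary)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.messages++
	return v.aead.Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// Decrypt uses the version named in the header; a disabled version refuses.
func (r *KeyRing) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) < 4 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	n := binary.BigEndian.Uint32(ct[:4])
	if n == 0 || int(n) > len(r.versions) {
		return nil, fmt.Errorf("unknown key version %d", n)
	}
	v, ns := r.versions[n-1], r.versions[n-1].aead.NonceSize()
	if v.disabled || len(ct) < 4+ns {
		return nil, fmt.Errorf("key version %d is disabled or ciphertext is malformed", n)
	}
	return v.aead.Open(nil, ct[4:4+ns], ct[4+ns:], ct[:4])
}
```

Data encrypted under an earlier version still decrypts after a rotation, because the version number travels with the ciphertext and the old version stays enabled. Disable is the step for a version suspected of compromise: it cuts off only that version's data, which is the blast radius a regular rotation schedule keeps small. The message budget in a real deployment should sit well below the GCM invocation limit from SP 800-38D that the page links to.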
Considerations for asymmetric keys
Cloud KMS does not support automatic rotation for asymmetric keys, because additional steps are required before you can use the new asymmetric key version.
- For asymmetric keys used for signing, you must distribute the public key portion of the new key version. Afterward, you can specify the new key version in calls to the CryptoKeyVersions.asymmetricSign method to create a signature, and update applications to use the new key version.
- For asymmetric keys used for encryption, you must distribute and incorporate the public portion of the new key version into applications that encrypt data, and grant access to the private portion of the new key version, for applications that decrypt data.
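The ordering the signing case above requires, distribute the new public key first and only then switch signing to the new version, is shown in the following added Go example, which is not part of the Cloud KMS documentation and does not call the Cloud KMS API. Signer, Verifier and RotateSigningKey are constructed stand-ins: the signer holds Ed25519 private keys in process, which Cloud KMS never does (it signs through asymmetricSign without releasing the private half), and the 4-byte version prefix on each signature is an assumption that gives verifiers a way to select the matching public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Signer is a constructed stand-in for the service that holds an asymmetric
// signing key. Cloud KMS never releases the private halves and signs through
// asymmetricSign; they are held in process here only so the example runs offline.
type Signer struct {
	priv    map[uint32]ed25519.PrivateKey
	Current uint32 // the version that signing calls name
}

func NewSigner() (*Signer, error) {
	s := &Signer{priv: map[uint32]ed25519.PrivateKey{}}
	n, err := s.CreateVersion()
	s.Current = n
	return s, err
}

// CreateVersion generates key material for a new version but does not
// switch to it: the public half has to be distributed first.
func (s *Signer) CreateVersion() (uint32, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, err
	}
	n := uint32(len(s.priv) + 1)
	s.priv[n] = priv
	return n, nil
}

// PublicKey is the part that gets distributed to verifying applications.
func (s *Signer) PublicKey(n uint32) (ed25519.PublicKey, error) {
	priv, ok := s.priv[n]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", n)
	}
	return priv.Public().(ed25519.PublicKey), nil
}

// Sign emits version(4 bytes) || signature so a verifier can pick the key.
func (s *Signer) Sign(msg []byte) []byte {
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, s.Current)
	return append(out, ed25519.Sign(s.priv[s.Current], msg)...)
}

// Verifier models an application that holds only public keys, by version.
type Verifier struct{ keys map[uint32]ed25519.PublicKey }

func NewVerifier() *Verifier { return &Verifier{keys: map[uint32]ed25519.PublicKey{}} }

// Trust installs a distributed public key; Revoke removes one once the
// old version is retired.
func (v *Verifier) Trust(n uint32, pub ed25519.PublicKey) { v.keys[n] = pub }
func (v *Verifier) Revoke(n uint32)                      { delete(v.keys, n) }

// Verify returns the version that produced a valid signature.
func (v *Verifier) Verify(msg, sig []byte) (uint32, error) {
	if len(sig) != 4+ed25519.SignatureSize {
		return 0, fmt.Errorf("malformed signature")
	}
	n := binary.BigEndian.Uint32(sig[:4])
	pub, ok := v.keys[n]
	if !ok {
		return 0, fmt.Errorf("key version %d was never distributed to this verifier", n)
	}
	if !ed25519.Verify(pub, msg, sig[4:]) {
		return 0, fmt.Errorf("bad signature for key version %d", n)
	}
	return n, nil
}

// RotateSigningKey follows the order the page requires: create the version,
// distribute its public key to every verifier, and only then point signing
// calls at it. Old signatures keep verifying until each verifier revokes
// the old version.
func RotateSigningKey(s *Signer, verifiers []*Verifier) (uint32, error) {
	n, err := s.CreateVersion()
	if err != nil {
		return 0, err
	}
	pub, err := s.PublicKey(n)
	if err != nil {
		return 0, err
	}
	for _, v := range verifiers {
		v.Trust(n, pub)
	}
	s.Current = n
	return n, nil
}
```

Switching Current to a freshly created version before its public key reaches the verifiers is the failure mode that rules out automatic rotation here: every signature produced in that window is rejected as coming from an unknown version. Running the steps in RotateSigningKey's order avoids the gap, and signatures made under the previous version stay valid until each verifier revokes it, which is what lets clients migrate at their own pace.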
What's next
- Rotate a key.
- Enable or disable a key.
- Learn more about re-encrypting data.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-08-07 UTC.