Dan Holevoet

Reputation: 9183

How frequently should I rotate my encryption keys? Can I use Cloud KMS to automatically rotate keys?

With my on-prem KMS, I rotate keys monthly. Can I also do that with Cloud KMS? Is there a better recommended frequency compared to my on-prem use? Is data re-encrypted when I rotate a key?

Upvotes: 2

Views: 5209

Answers (1)

Dan Holevoet

Reputation: 9183

Your desired frequency of key rotation depends on your use case and threat model. You want to limit the amount of very sensitive data encrypted with a single version of an encryption key.

On Google Cloud Platform, Google's Cloud KMS can be set to automatically rotate keys as often as once per day. This means that a new key version is automatically generated, and made the primary version used to encrypt new data. Most customers will typically choose 30 or 90 day rotation periods, based on business requirements.

Data is not re-encrypted when a key is rotated - rather, the new key version is used to encrypt any new data, but old data is not re-encrypted. You can manually do this by decrypting and re-encrypting the data.

For further discussion on key rotation in Cloud KMS: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation

To set the rotation period on a key, using gcloud run:

gcloud beta kms cryptokeys set-rotation-schedule CRYPTOKEY_NAME \
    --location LOCATION --keyring KEYRING_NAME \
    --rotation-period ROTATION_PERIOD \
    --next-rotation-time NEXT_ROTATION_TIME

Upvotes: 4
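The behaviour the answer describes (a rotation adds a new primary version, existing ciphertext keeps the version that produced it, and moving old data onto the new version is a manual decrypt-and-re-encrypt) can be modelled in a few dozen lines. The following is an added example, not code from the answer or from Cloud KMS: it keeps a versioned key ring in memory, stamps each ciphertext with the version id that wrote it, and drives rotation from a period and a next-rotation time in the same way the `--rotation-period` / `--next-rotation-time` flags do. The cipher inside it is a deliberately simple HMAC-SHA256 keystream with an HMAC tag so the example runs on the standard library alone; Cloud KMS itself uses AES-GCM, and the key name, dates and record contents are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
from datetime import datetime, timedelta, timezone


# Toy stand-in for the KMS's real AEAD (Cloud KMS uses AES-GCM): an HMAC-SHA256
# keystream plus an encrypt-then-MAC tag. Constructed so the example runs with
# only the standard library; the point is the version bookkeeping around it.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CryptoKey:
    """A key with several versions; only the primary version encrypts new data."""

    HEADER = struct.Struct(">I16s")  # version id, 16-byte nonce

    def __init__(self, name: str, rotation_period: timedelta, next_rotation_time: datetime):
        self.name = name
        self.versions = {}           # version id -> 32 bytes of key material
        self.primary = None
        self.rotation_period = rotation_period
        self.next_rotation_time = next_rotation_time
        self.rotate()                # version 1 is created with the key

    def rotate(self) -> int:
        """Create a new version and make it primary; old versions remain usable for decryption."""
        version = len(self.versions) + 1
        self.versions[version] = secrets.token_bytes(32)
        self.primary = version
        return version

    def rotate_if_due(self, now: datetime) -> bool:
        """Scheduled rotation: once next_rotation_time passes, rotate and advance the schedule."""
        if now < self.next_rotation_time:
            return False
        self.rotate()
        self.next_rotation_time = self.next_rotation_time + self.rotation_period
        return True

    def _subkeys(self, version: int):
        material = self.versions[version]
        return (hmac.new(material, b"enc", hashlib.sha256).digest(),
                hmac.new(material, b"mac", hashlib.sha256).digest())

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt under the current primary; the version id travels in the ciphertext header."""
        enc_key, mac_key = self._subkeys(self.primary)
        nonce = secrets.token_bytes(16)
        stream = _keystream(enc_key, nonce, len(plaintext))
        body = self.HEADER.pack(self.primary, nonce) + bytes(a ^ b for a, b in zip(plaintext, stream))
        return body + hmac.new(mac_key, body, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        """Decrypt with whichever version wrote the blob, not necessarily the primary."""
        body, tag = blob[:-32], blob[-32:]
        version, nonce = self.HEADER.unpack_from(body)
        if version not in self.versions:
            raise ValueError(f"key version {version} is destroyed or unknown")
        enc_key, mac_key = self._subkeys(version)
        if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
            raise ValueError("ciphertext failed integrity check")
        ciphertext = body[self.HEADER.size:]
        return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

    @staticmethod
    def version_of(blob: bytes) -> int:
        return CryptoKey.HEADER.unpack_from(blob)[0]

    def reencrypt(self, blob: bytes) -> bytes:
        """The manual step from the answer: decrypt with the old version, re-encrypt under the primary."""
        return self.encrypt(self.decrypt(blob))


def demo() -> dict:
    """Encrypt under v1, let the 30-day schedule create v2, show old data still reads, then re-encrypt it."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = CryptoKey("payroll-key", rotation_period=timedelta(days=30),
                    next_rotation_time=start + timedelta(days=30))
    record = b"employee=1234;grade=7"                       # constructed sample plaintext
    old_blob = key.encrypt(record)                          # written under version 1
    early = key.rotate_if_due(start + timedelta(days=29))   # before schedule: no rotation
    on_time = key.rotate_if_due(start + timedelta(days=30)) # on schedule: version 2 becomes primary
    new_blob = key.encrypt(record)                          # new data goes to version 2
    fresh = key.reencrypt(old_blob)                         # old data moved to version 2 by hand
    return {
        "rotated_early": early,
        "rotated_on_schedule": on_time,
        "primary": key.primary,
        "old_blob_version": CryptoKey.version_of(old_blob),
        "old_blob_still_decrypts": key.decrypt(old_blob) == record,
        "new_blob_version": CryptoKey.version_of(new_blob),
        "reencrypted_version": CryptoKey.version_of(fresh),
        "reencrypted_decrypts": key.decrypt(fresh) == record,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows why rotation alone does not shrink the exposure of data already written: `old_blob` keeps version 1 in its header and still decrypts after the rotation, while only `new_blob` and the explicitly re-encrypted `fresh` carry version 2. Deleting or destroying version 1 would therefore break every record that was never re-encrypted, which is the reason to inventory ciphertext versions before retiring an old one.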
