Contribute in GitHub:
Open doc issue|Edit online
Managed key rotation
You can manually rotate managed keys in UKO on demand. Key rotation takes place when you retire the original key material of the managed key and you generate new cryptographic key material to take its primary place.
Rotating keys regularly helps you meet industry standards and cryptographic best practices.
Tip:
Key rotation is treated in the NIST Special Publication 800-57, Recommendation for Key Management. To learn more, see NIST SP 800-57 Pt. 1 Rev. 5
Note that key rotation might charge extra fees depending on the type of your managed key. For the pricing details, refer to the following links:
- AWS Key Management Service keys: AWS Key Management Service Pricing
- Azure Key Vault keys: Azure Key Vault pricing
- Google Cloud KMS keys: Google Cloud Key Management Service Pricing.
- IBM Key Protect keys: No extra fees. For more information, see Key Protect pricing.
How managed key rotation works
When you rotate a managed key, new key material is automatically generated , the key is transitioned into the Active state and becomes available for cryptographic operations. The key IDs in keystores can also change, depending on the keystore type.
The following diagram shows a contextual view of the key rotation functionality.
Depending on the key type, managed keys in certain states are not eligible for key rotation. Before you rotate a managed key, make sure to check the following table. The Checkmark icon 
indicates that the managed key in this state is eligible for rotation. For more information about the different key states, see Monitoring the lifecycle of encryption keys in Unified Key Orchestrator.
| Key type | Pre-active | Active | Deactivated | Destroyed |
|---|---|---|---|---|
| AWS Key Management Service keys | N/A | |
|
N/A |
| Azure Key Vault keys | N/A | |
|
N/A |
| Google Cloud KMS keys | N/A | |
|
N/A |
| IBM Cloud KMS keys | N/A | |
N/A | N/A |
| IBM Key Protect keys | N/A | |
N/A | N/A |
| z/OS keys |
|
|
|
|
Impact of key template on key rotation
If your key naming scheme contains a system placeholder, the key cannot be rotated. In addition, the following rules apply:
| Key type | When can the key be rotated |
|---|---|
| AWS Key Management Service keys | If there are NO system placeholders in the main naming scheme |
| Azure Key Vault keys | If there are NO system placeholders in the main naming scheme OR key instance naming scheme |
| Google Cloud KMS keys | If there are NO system placeholders in the main naming scheme OR key instance naming scheme |
| IBM Cloud KMS keys | If there are NO system placeholders in the main naming scheme OR key instance naming scheme |
| IBM Key Protect keys | If there are NO system placeholders in the main naming scheme OR key instance naming scheme |
| z/OS keys | If there are NO system placeholders in the main naming scheme AND either Deactivate previous key version on rotation is checked or there is a system placeholder on key instance naming scheme |
In general, the name of your managed key will stay the same after managed key rotation. If your key instance naming scheme contains a system placeholder,
the name of the new key will be updated according to this system placeholder. For example, imagine that you have a key template that specifies KEY.<environent> as key naming scheme and KEY.<environent>.<seqno> as key instance naming scheme. When you created your first key, you got prompted to specify the <environment> tag and specified TEST. Your managed key got created with the name of KEY.TEST. The
name of the key in the keystore is KEY.TEST.00001. When you rotate this key, the new version's name of the managed key will remain KEY.TEST. In the keystore, the name of the new version will be KEY.TEST.00002 because the sequence number placeholder <seqno> got updated.
What happens to the previous key versions?
After key rotation, the service retains the previous key versions and materials until the managed key is deleted, but you can no longer edit these key materials and the key state might change. The following table lists the detailed changes and the corresponding actions that are available for previous key versions.
Available for protecting means that the following operations can be performed: encryption, wrapping, signing.
Available for processing means that the following operations can be performed: decryption, unwrapping, verification.
| Key type | Key state changes | Available for protecting | Available for processing | Description |
|---|---|---|---|---|
| AWS Key Management Service keys | Remain the same (default option) or changed to Deactivated state based on the key template properties | |
|
For more information, see Rotating AWS KMS keys. |
| Azure Key Vault keys | Remain the same (default option) or changed to Deactivated state based on the key template properties | |
|
For more information, see Configure cryptographic key auto-rotation in Azure Key Vault |
| Google Cloud KMS keys - Other key types except AES keys | Remain the same (default option) or changed to Deactivated state based on the key template properties | |
|
For more information, see Key rotation and Rotating keys. |
| Google Cloud KMS keys - AES keys | Remain the same (cannot be changed by the user) |
|
|
For more information, see Key rotation and Rotating keys. |
| IBM Cloud KMS keys | Automatically move to Deactivated state (can not be changed by the user) |
|
|
The previous key material can no longer be used for encryption, but it remains available for unwrap operations. When you use the rotated manage key to decrypt data, the service uses the same version of the key material that was used for encryption, and then rewraps data by using the latest key material. |
| IBM Key Protect keys | Automatically move to Deactivated state (can not be changed by the user) |
|
|
The previous key material can no longer be used for encryption, but it remains available for unwrap operations. When you use the rotated manage key to decrypt data, the service uses the same version of the key material that was used for encryption before, and then rewraps data by using the latest key material. For more information, see Rotating your keys. |
| ICSF/CKDS PE keys | Remain the same (default option) or changed to Deactivated state based on the key template properties | |
|
The previous key remains in the keystore, maintaining its full capabilities. Be aware that the key can still expire. When a key expires, it can no longer be used in cryptographic operations. The expiration date must be changed to allow use of the key. |
How often should keys be rotated?
The best practice is to rotate your manage keys regularly. Unified Key Orchestrator allows no more than one key rotation per hour for each key.
Rewrapping data after rotating a managed key
After a managed key rotation is complete, new key material becomes available for cryptographic operations. To ensure that your data is protected by the latest version of a managed key, rewrap your data after you rotate a managed key. Depending on your key type, refer to the following table for corresponding instructions.
| Key type | Instructions for rewrapping data |
|---|---|
| AWS Key Management Service keys | Rewrapping data with AWS Key Management Service. |
| Azure Key Vault keys | Azure key vault documentation. |
| Google Cloud KMS keys | Rewrapping data with Google Cloud KMS. |
| IBM Key Protect keys | Rewrapping data with IBM Key Protect. |
| PE keys |
|
What's next
- For more information about how to manually rotate a managed key, see Rotating managed keys.
- For more information about how to edit managed keys, see Editing key details.