Rotating managed keys manually
You can rotate your managed keys on demand by using UKO.
To learn how managed key rotation works, see Managed key rotation.
Rotating managed keys with the web interface
If you prefer to rotate your managed keys by using a graphical interface, you can use the UKO web interface.
Complete the following steps to rotate a key:
- Log in to UKO.
- Click Managed keys from the navigation to view all the available keys.
- Select the key that you want to rotate and click the Actions icon to open a list of options for the key.
- Click Rotate from the options menu. Alternatively, you can click Show details from the options menu and then click Rotate on the key details page.
- Click Rotate key to confirm.
Rotating managed keys with the API
To rotate a managed key through the API, follow these steps:
- Retrieve your service and authentication credentials to work with keys in the service.
- Rotate a managed key by making a POST call based on the following example:

    curl --location --request POST 'https://<hostname>:<port>/api/v4/managed_keys/<id>/rotate' \
      --header 'Authorization: Bearer <Token>' \
      --header 'Accept: application/json' \
      --header 'If-Match: <ETag|*>'

Replace the variables in the example request according to the following table.
Table 1. Variables needed to rotate a managed key

| Variable | Description |
|----------|-------------|
| port | Required. The port number of the API endpoint. |
| id | Required. The unique identifier for the managed key that you want to rotate. |
| Token | Required. Your access token that you retrieve in step 1. Include the full contents of the token, including the Bearer value. |
| ETag | Required. The precondition of the update, which is the value of ETag from the header on a GET request; you can optionally use * to skip checking whether the key has been modified in the meantime. |

For detailed instructions and code examples about using the API method, check out the Cloud API reference doc.
A successful rotation request returns an HTTP 200 OK response, which indicates that your managed key is replaced by the new key material.
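
The following script is an added example, not part of the product documentation or IBM's code. It sends the key's current ETag in If-Match rather than `*`, so the rotation is rejected if the key was modified after it was read. The variable names UKO_HOST, UKO_PORT and UKO_TOKEN, the GET on `/api/v4/managed_keys/<id>` as the source of the ETag, and the handling of HTTP 412 are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not IBM's code. UKO_HOST, UKO_PORT and UKO_TOKEN are
# assumed environment variable names for the values in Table 1.

# Constructed response headers for offline testing (not real UKO output).
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\netag: "constructed-etag-1"\r\n\r\n'
}

# Read raw HTTP response headers on stdin and print the first ETag value.
# The header name is matched case-insensitively; the value keeps its
# quotes because If-Match has to send it back exactly as received.
extract_etag() {
  tr -d '\r' | awk '!seen && tolower($0) ~ /^etag:/ {
    sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; seen = 1 }'
}

# Map the HTTP status of the rotate call to an exit code.
# 200 is the success code the page documents; treating 412 as "the key
# changed after the ETag was read" is standard If-Match behaviour and is
# an assumption about this service.
rotation_outcome() {
  case "$1" in
    200) echo "rotated"; return 0 ;;
    412) echo "not rotated: key changed since its ETag was read" >&2; return 3 ;;
    *)   echo "not rotated: HTTP $1" >&2; return 1 ;;
  esac
}

# Rotate managed key $1 only if it is unchanged since it was last read.
rotate_managed_key() {
  local id="$1" base etag status
  base="https://${UKO_HOST}:${UKO_PORT}/api/v4/managed_keys"
  # Assumption: the GET that supplies the ETag is on the key resource itself.
  etag=$(curl --silent --show-error --fail --dump-header - --output /dev/null \
    --header "Authorization: Bearer ${UKO_TOKEN}" \
    --header 'Accept: application/json' "${base}/${id}" | extract_etag)
  [ -n "$etag" ] || { echo "no ETag returned for key ${id}" >&2; return 2; }
  status=$(curl --silent --show-error --output /dev/null --write-out '%{http_code}' \
    --location --request POST "${base}/${id}/rotate" \
    --header "Authorization: Bearer ${UKO_TOKEN}" \
    --header 'Accept: application/json' \
    --header "If-Match: ${etag}")
  rotation_outcome "$status"
}
```

Source the script and call `rotate_managed_key <id>`; exit code 3 means the key should be read again and reviewed before the rotation is retried.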
What's next
- To confirm that the key rotation succeeded, you can view managed key versions.
- After you rotate a managed key, new cryptographic key material becomes available for crypto operations. To learn how to rewrap data by using the latest key material, see Rewrapping data after rotating a managed key.
- To find out more about programmatically managing your keys, check out the Cloud API reference doc.