CyberGlossary

Cryptography

Key Rotation

Also known as: Cryptoperiod rotation, Key roll-over

Definition

The periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise.

Key rotation is the operational practice of regularly generating new cryptographic keys and retiring older ones, while keeping enough overlap to decrypt previously protected data. Rotation limits the amount of ciphertext or signed material that an attacker can compromise with a single stolen key, supports cryptoperiod policies (e.g., NIST SP 800-57), enables migration to stronger algorithms, and is required by standards such as PCI DSS, FIPS 140-3 and SOC 2. Common patterns include key versioning (keys numbered, e.g., v1, v2), envelope encryption with rotating data-encryption keys under a stable key-encryption key, and automated rotation via KMS services like AWS KMS, Azure Key Vault or Google Cloud KMS. Rotation must be paired with monitoring, secure key destruction, and a rollback plan for failed deployments.

Examples

  • AWS KMS rotates the underlying key material of a CMK every year while keeping the same key ID.
  • Rotating an HMAC signing key used by an API every 90 days with a 7-day grace period.
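
The following is an added example, not part of the glossary entry, that puts the second example above and the key-versioning pattern from the definition into working code: a ring of versioned HMAC-SHA256 signing keys with a 90-day rotation period and a 7-day grace window for tokens signed under the previous version. The token format (`v<version>.<base64 mac>`), the class and function names, and the timestamps and payload are all constructed for the demonstration; a production deployment would keep the key material in a KMS or HSM rather than in process memory.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86_400  # seconds


@dataclass
class KeyVersion:
    version: int
    secret: bytes
    created_at: int                   # epoch seconds at which this version became current
    retired_at: Optional[int] = None  # epoch seconds at which a newer version replaced it


class SigningKeyRing:
    """Versioned HMAC-SHA256 signing keys with a rotation period and a grace window (constructed example)."""

    def __init__(self, rotation_period: int = 90 * DAY, grace_period: int = 7 * DAY):
        self.rotation_period = rotation_period
        self.grace_period = grace_period
        self.keys: Dict[int, KeyVersion] = {}
        self.current = 0  # version number used for new signatures; 0 means no key yet

    def rotate(self, now: int) -> int:
        """Generate a fresh key, make it current, and mark the previous version as retired."""
        if self.current:
            self.keys[self.current].retired_at = now
        new_version = self.current + 1
        self.keys[new_version] = KeyVersion(new_version, secrets.token_bytes(32), now)
        self.current = new_version
        return new_version

    def needs_rotation(self, now: int) -> bool:
        """True once the current key has been in service for the full rotation period."""
        if not self.current:
            return True
        return now - self.keys[self.current].created_at >= self.rotation_period

    def prune(self, now: int) -> List[int]:
        """Destroy retired keys whose grace window has closed; returns the versions removed."""
        expired = [v for v, k in self.keys.items()
                   if k.retired_at is not None and now > k.retired_at + self.grace_period]
        for v in expired:
            del self.keys[v]  # in practice: secure destruction in the KMS, plus an audit record
        return expired

    def sign(self, message: bytes) -> str:
        key = self.keys[self.current]
        mac = hmac.new(key.secret, message, hashlib.sha256).digest()
        # The version prefix tells the verifier which key to use, so rotation needs no flag day.
        return f"v{key.version}.{base64.urlsafe_b64encode(mac).decode()}"

    def verify(self, message: bytes, token: str, now: int) -> bool:
        try:
            version_part, mac_part = token.split(".", 1)
            version = int(version_part[1:]) if version_part.startswith("v") else -1
            presented = base64.urlsafe_b64decode(mac_part)
        except (ValueError, TypeError):
            return False
        key = self.keys.get(version)
        if key is None:
            return False  # unknown version, or already destroyed by prune()
        if key.retired_at is not None and now > key.retired_at + self.grace_period:
            return False  # retired key presented outside its grace window
        expected = hmac.new(key.secret, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, presented)


def rotation_timeline() -> dict:
    """Walk through one rotation: sign under v1, roll to v2 at day 90, then check the grace window."""
    ring = SigningKeyRing()
    t0 = 1_700_000_000  # constructed epoch timestamp for the demo
    ring.rotate(t0)
    msg = b'{"order": 42, "amount": "10.00"}'  # constructed API payload
    old_token = ring.sign(msg)
    results = {"v1_valid_day0": ring.verify(msg, old_token, t0)}
    results["needs_rotation_day89"] = ring.needs_rotation(t0 + 89 * DAY)
    results["needs_rotation_day90"] = ring.needs_rotation(t0 + 90 * DAY)
    ring.rotate(t0 + 90 * DAY)
    new_token = ring.sign(msg)
    results["v2_valid_day91"] = ring.verify(msg, new_token, t0 + 91 * DAY)
    results["v1_valid_day91"] = ring.verify(msg, old_token, t0 + 91 * DAY)  # inside the 7-day grace
    results["v1_valid_day98"] = ring.verify(msg, old_token, t0 + 98 * DAY)  # grace has closed
    results["destroyed_day98"] = ring.prune(t0 + 98 * DAY)
    results["v1_valid_after_prune"] = ring.verify(msg, old_token, t0 + 98 * DAY)
    results["tampered_v2"] = ring.verify(msg + b" ", new_token, t0 + 91 * DAY)
    results["garbage_token"] = ring.verify(msg, "not-a-token", t0 + 91 * DAY)
    return results


if __name__ == "__main__":
    for name, value in rotation_timeline().items():
        print(f"{name}: {value}")
```

Two design points worth noting: the verifier decides by the key's retirement time plus the grace period, not by the token's age, so a retired key cannot be kept alive by clients who simply keep re-presenting old tokens; and `prune()` is separate from `rotate()` so that destruction of the old version is an explicit, auditable step rather than a side effect of generating the new one.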

Related terms