Key Rotation
What is Key Rotation?
Key RotationThe periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise.
Key rotation is the operational practice of regularly generating new cryptographic keys and retiring older ones, while keeping enough overlap to decrypt previously protected data. Rotation limits the amount of ciphertext or signed material that an attacker can compromise with a single stolen key, supports cryptoperiod policies (e.g., NIST SP 800-57), enables migration to stronger algorithms, and is required by standards such as PCI DSS, FIPS 140-3 and SOC 2. Common patterns include key versioning (keys numbered, e.g., v1, v2), envelope encryption with rotating data-encryption keys under a stable key-encryption key, and automated rotation via KMS services like AWS KMS, Azure Key Vault or Google Cloud KMS. Rotation must be paired with monitoring, secure key destruction, and a rollback plan for failed deployments.
● Examples
- 01
AWS KMS rotates the underlying key material of a CMK every year while keeping the same key ID.
- 02
Rotating an HMAC signing key used by an API every 90 days with a 7-day grace period.
● Frequently asked questions
What is Key Rotation?
The periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise. It belongs to the Cryptography category of cybersecurity.
What does Key Rotation mean?
The periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise.
How do you defend against Key Rotation?
Defences for Key Rotation typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Key Rotation?
Common alternative names include: Cryptoperiod rotation, Key roll-over.