All Products
Search
Document Center

Key Management Service:Configure key rotation

Last Updated:Dec 08, 2023

Key Management Service (KMS) provides the key rotation feature. You can rotate keys on a regular basis to enhance the security of keys and improve the security of business data. This topic describes how key rotation works and how to configure key rotation in KMS.

Benefits of key rotation

  • Reduces the amount of data that is encrypted by using each key, which mitigates the risks of cryptanalysis attacks

    The security of a key is inversely proportional to the amount of data that is encrypted by using the key. In most cases, the amount refers to the total number of bytes that are encrypted by using a key. Automatic rotation reduces the attack surface of each key and improves the security of key-based encryption solutions.

  • Helps you handle security events

    The key rotation feature is designed to help you handle security events.

  • Reduces the time window during which keys can be cracked

    After key rotation is enabled, the data that is encrypted by using an existing key can be encrypted by using a new key. The interval of key rotation is considered the time window during which a key can be cracked. An attacker can gain data access only if the attacker cracks a key in an interval between two rotation operations of the key. This greatly increases the security of data against cryptanalytic attacks.

  • Meets the requirements of regulatory compliance

    Automatic key rotation facilitates compliance with various regulations, including but not limited to the following regulations:

    • Payment Card Industry Data Security Standard (PCI DSS)

    • Cryptography-related industrial standards issued by State Cryptography Administration, such as GM/T 0051-2016 Cryptography device management - Specifications of symmetric key management technology

    • Cryptography-related standards issued by the National Institute of Standards and Technology (NIST), such as NIST Special Publication 800-57 Recommendation for Key Management

How key rotation works

KMS supports multiple versions of keys. Different versions of a key are cryptographically unrelated. During key rotation, KMS generates a new key version and uses the latest key version for cryptographic operations. You cannot specify a key version.

Note
  • Key rotation only adds key versions. Key rotation does not change the attributes of a key, such as the ID, Alibaba Cloud Resource Name (ARN), and alias.

  • KMS does not delete key versions. The key versions of key are deleted only when the key is deleted.

After a key is created, KMS generates an initial key version and sets the initial key version to the primary version. After the key is rotated, KMS generates a new key version and sets the new key version to the primary version.

image..png

If automatic rotation is configured, the next rotation time is calculated by using the following formula: Next rotation time = Last rotation time + Rotation period.

Note
  • To view the next rotation time and last rotation time, call the DescribeKey operation. In the response, LastRotationDate indicates the last rotation time, and NextRotationDate indicates the next rotation time, which is calculated by KMS.

  • If automatic rotation is configured and an immediate rotation operation is performed between two rotation operations, the last rotation time is the time of the immediate rotation.

Keys that support automatic rotation

  • Symmetric keys in KMS instances of the software key management type and default keys support automatic rotation.

  • Keys whose key material is generated by KMS support automatic rotation. Keys that use your own key material do not support automatic rotation.

  • Keys in the Enabled state support automatic rotation. If a key is in the Disabled or Pending Deletion state, KMS suspends the key rotation feature that is enabled. If the key is re-enabled, the key rotation feature is re-enabled.

Default keys

Pricing

Default keys are used only for server-side encryption in Alibaba Cloud services and are provided by KMS free of charge. Default key rotation is available as a value-added feature.

Fee: USD 9 per year-region. If you purchase the default key rotation feature in a region, you can rotate all default keys including service keys and customer master keys (CMKs) in the region.

Rotation method and rotation date

Default keys support only automatic rotation. Default keys do not support immediate rotation.

The rotation period is 365 days and cannot be changed. After you enable automatic rotation for a default key, the first rotation of the default key is 365 days after the default key is created. Subsequently, the default key is rotated every 365 days.

Note

You can purchase the default key rotation feature on an annual basis. Make sure that your order remains valid until the next rotation. Otherwise, no rotation is performed.

Operations related to key rotation

Enable automatic rotation

  1. Purchase the value-added plan of the default key rotation feature.

    1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.

    2. On the Default Key tab, click Purchase Value-added Plan. On the buy page that appears, configure the parameters and click Buy Now.

      1. Instance Type: Select Value-added Plan.

      2. Value-added Plan: Select Default Key Rotation.

      3. purchase quantity: Select 1. You need to purchase only one plan for a region.

    3. Read and select Terms of Service, and click Pay to complete the payment.

  2. Enable automatic rotation.

    1. Service key

      KMS automatically enables automatic rotation for service keys.

    2. CMK

      Method

      Description

      Use the KMS console

      1. On the Default Key tab of the Keys page, click the ID of the CMK.

      2. In the lower part of the details page, click the Key Version tab, and then click Configure Rotation.

      3. In the Configure Rotation Policy dialog box, turn on Rotation Status and click OK.

        On the details page of the key, Rotation Status changes to Enabled, and Rotation Period changes to 365day.

      Call API operations

      Call the UpdateRotationPolicy operation and configure EnableAutomaticRotation and RotationInterval. EnableAutomaticRotation specifies whether to enable automatic rotation. RotationInterval specifies the rotation period.

      Note

      You can set RotationInterval only to 365d. If you set RotationInterval to a different value, KMS returns a 400 error (Rejected.UnsupportedOperation).

View rotation details

Method

Description

Use the KMS console

  1. On the Default Key tab of the Keys page, find the service key or CMK that you want to view.

  2. Click the ID of the key. On the details page, view Rotation Status, Rotation Period, and Key Version.

Call API operations

Call the DescribeKey operation and configure AutomaticRotation and RotationInterval. AutomaticRotation specifies whether automatic rotation is enabled. RotationInterval specifies the rotation period.

Call the ListKeyVersions operation to view the value of KeyVersions.

Software-protected key

Quota

Key rotation consumes the key quota of a KMS instance. Each key version of a key consumes one key quota. For example, if a key has three key versions: V1, V2, and V3, three key quotas are consumed. For more information about how to increase the quota, see Manage KMS instances.

Rotation method and rotation date

Software-protected keys support automatic rotation and immediate rotation.

  • Automatic rotation: You can specify a rotation period from 7 to 365 days to periodically generate new key versions.

  • Immediate rotation: A new key version is immediately generated.

Perform cryptographic operations

To perform server-side encryption in Alibaba Cloud services, you need to only specify a key. You do not need to manually integrate an SDK to perform cryptographic operations. To perform data encryption in self-managed applications, call the following API operations:

  • AdvanceGenerateDataKey: generates a data key. KMS uses the primary version of a key to encrypt the data key.

  • AdvanceEncrypt: encrypts data. KMS uses the primary version of a key to encrypt plaintext.

  • AdvanceDecrypt: decrypts ciphertext. KMS uses a key version to decrypt ciphertext. The key version must be the same as the one that is used to generate the ciphertext.

Important

If automatic rotation is enabled for a key, do not call the Encrypt, Decrypt, or GenerateDataKey operation. The preceding operations use the initial version of the key and do not use the new key versions that are generated after rotation.

Operations related to key rotation

Enable automatic rotation

Method

Description

Use the KMS console

  • Enable automatic rotation when you create a key. For more information, see Manage a key.

    1. On the Keys tab of the Keys page, select the required instance ID and click Create Key.

    2. In the Create Key panel, configure the parameters and click OK.

  • Enable automatic rotation after you create a key.

    1. On the Keys tab of the Keys page, select the required instance ID and click the ID of the key that you want to manage.

    2. On the details page of the key, click Configure Rotation. In the Configure Rotation Policy dialog box, turn on Automatic Rotation, specify a rotation period, and then click OK.

Call API operations

  • Enable automatic rotation when you create a key

    Call the CreateKey operation and configure EnableAutomaticRotation and RotationInterval. EnableAutomaticRotation specifies whether to enable automatic rotation. RotationInterval specifies the rotation period.

  • Enable automatic rotation after you create a key

    Call the UpdateRotationPolicy operation and configure EnableAutomaticRotation and RotationInterval. EnableAutomaticRotation specifies whether to enable automatic rotation. RotationInterval specifies the rotation period.

Immediately rotate a key

Method

Description

Use the KMS console

  1. On the Keys tab of the Keys page, select the required instance ID and click the ID of the key that you want to manage.

  2. On the details page of the key, click Configure Rotation. In the dialog box that appears, select Rotate Now for Automatic Rotation and click OK.

Call API operations

Call the CreateKeyVersion operation.

View rotation details

Method

Description

Use the KMS console

  1. On the Keys tab of the Keys page, select the required instance ID and click the ID of the key that you want to manage.

  2. On the details page, view Rotation Status, Rotation Period, and Key Version.

Call API operations

Call the DescribeKey operation and configure AutomaticRotation and RotationInterval. AutomaticRotation specifies whether automatic rotation is enabled. RotationInterval specifies the rotation period.

Call the ListKeyVersions operation to view the value of KeyVersions.