Key Management Service (KMS) provides the key rotation feature. You can rotate keys on a regular basis to enhance the security of keys and improve the security of business data. This topic describes how key rotation works and how to configure key rotation in KMS.
Benefits of key rotation
Reduces the amount of data that is encrypted by using each key, which mitigates the risks of cryptanalysis attacks
The security of a key is inversely proportional to the amount of data that is encrypted by using the key. In most cases, the amount refers to the total number of bytes that are encrypted by using a key. Automatic rotation reduces the attack surface of each key and improves the security of key-based encryption solutions.
Helps you handle security events
The key rotation feature is designed to help you handle security events.
Reduces the time window during which keys can be cracked
After key rotation is enabled, new data is encrypted by using the new key version instead of the existing one. The rotation interval is therefore the time window during which a given key version is worth attacking. An attacker can gain data access only by cracking a key version within the interval between two rotation operations, which greatly increases the resistance of the data to cryptanalytic attacks.
Meets the requirements of regulatory compliance
Automatic key rotation facilitates compliance with various regulations, including but not limited to the following regulations:
Payment Card Industry Data Security Standard (PCI DSS)
Cryptography-related industrial standards issued by State Cryptography Administration, such as GM/T 0051-2016 Cryptography device management - Specifications of symmetric key management technology
Cryptography-related standards issued by the National Institute of Standards and Technology (NIST), such as NIST Special Publication 800-57 Recommendation for Key Management
How key rotation works
KMS supports multiple versions of keys. Different versions of a key are cryptographically unrelated. During key rotation, KMS generates a new key version and uses the latest key version for cryptographic operations. You cannot specify a key version.
Key rotation only adds key versions. Key rotation does not change the attributes of a key, such as the ID, Alibaba Cloud Resource Name (ARN), and alias.
KMS does not delete key versions. The key versions of a key are deleted only when the key itself is deleted.
After a key is created, KMS generates an initial key version and sets the initial key version to the primary version. After the key is rotated, KMS generates a new key version and sets the new key version to the primary version.
If automatic rotation is configured, the next rotation time is calculated by using the following formula: Next rotation time = Last rotation time + Rotation period.
To view the next rotation time and last rotation time, call the DescribeKey operation. In the response, LastRotationDate indicates the last rotation time, and NextRotationDate indicates the next rotation time, which is calculated by KMS. If automatic rotation is configured and an immediate rotation operation is performed between two scheduled rotations, the last rotation time is the time of the immediate rotation.
Keys that support automatic rotation
Symmetric keys in KMS instances of the software key management type and default keys support automatic rotation.
Keys whose key material is generated by KMS support automatic rotation. Keys that use your own key material do not support automatic rotation.
Only keys in the Enabled state are rotated automatically. If a key is in the Disabled or Pending Deletion state, KMS suspends automatic rotation for the key even if the feature is enabled. When the key is re-enabled, automatic rotation resumes.
Default keys
Pricing
Default keys are used only for server-side encryption in Alibaba Cloud services and are provided by KMS free of charge. Default key rotation is available as a value-added feature.
Fee: USD 9 per year-region. If you purchase the default key rotation feature in a region, you can rotate all default keys including service keys and customer master keys (CMKs) in the region.
Rotation method and rotation date
Default keys support only automatic rotation. Default keys do not support immediate rotation.
The rotation period is 365 days and cannot be changed. After you enable automatic rotation for a default key, the first rotation of the default key is 365 days after the default key is created. Subsequently, the default key is rotated every 365 days.
You can purchase the default key rotation feature on an annual basis. Make sure that your order remains valid until the next rotation. Otherwise, no rotation is performed.
Operations related to key rotation
Enable automatic rotation
Purchase the value-added plan of the default key rotation feature.
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Keys.
On the Default Key tab, click Purchase Value-added Plan. On the buy page that appears, configure the parameters and click Buy Now.
Instance Type: Select Value-added Plan.
Value-added Plan: Select Default Key Rotation.
Purchase Quantity: Select 1. You need to purchase only one plan for a region.
Read and select Terms of Service, and click Pay to complete the payment.
Enable automatic rotation.
Service key
KMS automatically enables automatic rotation for service keys.
CMK
Method | Description |
Use the KMS console | On the Default Key tab of the Keys page, click the ID of the CMK. In the lower part of the details page, click the Key Version tab, and then click Configure Rotation. In the Configure Rotation Policy dialog box, turn on Rotation Status and click OK. On the details page of the key, Rotation Status changes to Enabled, and Rotation Period changes to 365 days. |
Call API operations | Call the UpdateRotationPolicy operation and configure EnableAutomaticRotation and RotationInterval. EnableAutomaticRotation specifies whether to enable automatic rotation. RotationInterval specifies the rotation period. Note: You can set RotationInterval only to 365d. If you set RotationInterval to a different value, KMS returns a 400 error (Rejected.UnsupportedOperation). |
View rotation details
Method | Description |
Use the KMS console | |
Call API operations | Call the DescribeKey operation and check AutomaticRotation and RotationInterval in the response. AutomaticRotation indicates whether automatic rotation is enabled. RotationInterval indicates the rotation period. Call the ListKeyVersions operation to view the value of KeyVersions. |
Software-protected key
Quota
Key rotation consumes the key quota of a KMS instance. Each key version of a key consumes one key quota. For example, if a key has three key versions: V1, V2, and V3, three key quotas are consumed. For more information about how to increase the quota, see Manage KMS instances.
Rotation method and rotation date
Software-protected keys support automatic rotation and immediate rotation.
Automatic rotation: You can specify a rotation period from 7 to 365 days to periodically generate new key versions.
Immediate rotation: A new key version is immediately generated.
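The rotation policy rules described in this section and in the default-key section above, as an added local model (this is not the KMS SDK and does not call the KMS API). Assumed here: the key types are labelled "software" and "default", the error raised for an out-of-range interval on a software-protected key and for immediate rotation of a default key reuses the Rejected.UnsupportedOperation code the page quotes only for default keys, and a software-protected key's first automatic rotation is counted from its creation time, as the page states for default keys.

```python
from datetime import datetime, timedelta

# Limits quoted from this page: software-protected keys accept 7 to 365 days,
# default keys accept only 365d; anything else is Rejected.UnsupportedOperation.
INTERVAL_LIMITS = {"software": (7, 365), "default": (365, 365)}

class KmsError(Exception):
    """Models the 400 error KMS returns for a rejected rotation policy."""

def parse_interval(interval: str) -> int:
    # RotationInterval is a day count with a "d" suffix, e.g. "365d".
    if not interval.endswith("d") or not interval[:-1].isdigit():
        raise KmsError("Rejected.UnsupportedOperation")
    return int(interval[:-1])

class RotatingKey:
    """Local model of a key's rotation policy (assumed, not the KMS SDK)."""

    def __init__(self, key_type: str, created: datetime):
        self.key_type = key_type
        self.created = created
        self.automatic_rotation = False
        self.interval_days = None
        self.last_rotation = None  # None until the first rotation

    def update_rotation_policy(self, enable: bool, interval: str) -> None:
        # Models UpdateRotationPolicy(EnableAutomaticRotation, RotationInterval).
        days = parse_interval(interval)
        lo, hi = INTERVAL_LIMITS[self.key_type]
        if not lo <= days <= hi:
            raise KmsError("Rejected.UnsupportedOperation")  # code assumed for software keys
        self.automatic_rotation = enable
        self.interval_days = days

    def next_rotation_date(self):
        # Next rotation time = Last rotation time + Rotation period; before the
        # first rotation the period counts from creation (assumed, as for default keys).
        if not self.automatic_rotation:
            return None
        base = self.last_rotation or self.created
        return base + timedelta(days=self.interval_days)

    def rotate_now(self, when: datetime) -> None:
        # Immediate rotation (software-protected keys only) becomes the new
        # "last rotation", so the next automatic rotation shifts with it.
        if self.key_type != "software":
            raise KmsError("Rejected.UnsupportedOperation")  # code assumed for default keys
        self.last_rotation = when
```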
Perform cryptographic operations
To perform server-side encryption in Alibaba Cloud services, you only need to specify a key; you do not need to integrate an SDK to perform cryptographic operations yourself. To encrypt data in self-managed applications, call the following API operations:
AdvanceGenerateDataKey: generates a data key. KMS uses the primary version of a key to encrypt the data key.
AdvanceEncrypt: encrypts data. KMS uses the primary version of a key to encrypt plaintext.
AdvanceDecrypt: decrypts ciphertext. KMS uses a key version to decrypt ciphertext. The key version must be the same as the one that is used to generate the ciphertext.
If automatic rotation is enabled for a key, do not call the Encrypt, Decrypt, or GenerateDataKey operation. The preceding operations use the initial version of the key and do not use the new key versions that are generated after rotation.
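The version semantics of the three Advance* operations and the pitfall with the legacy Encrypt operation, as an added local model (this is not the KMS SDK and does not reproduce its ciphertext format). Assumed here: version ids v1, v2, ... are constructed, the ciphertext layout (version id, a colon, a 16-byte nonce, the body) is constructed, and the HMAC-SHA256 keystream is a toy stand-in for the real cipher.

```python
import hashlib
import hmac
import secrets

class VersionedKey:
    """Local model of KMS key versions (assumed, not the KMS SDK)."""
    def __init__(self):
        self.versions = {}  # version id -> 32 bytes of unrelated material
        self.primary = None
        self.create_version()  # initial version becomes primary

    def create_version(self) -> bytes:
        # Models CreateKeyVersion / rotation: fresh material, new primary.
        vid = f"v{len(self.versions) + 1}".encode()
        self.versions[vid] = secrets.token_bytes(32)
        self.primary = vid
        return vid

    def _keystream(self, vid: bytes, nonce: bytes, n: int) -> bytes:
        # Toy keystream HMAC-SHA256(material, nonce || counter); illustrative
        # only, KMS itself uses a real AEAD cipher.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.versions[vid], nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _encrypt(self, vid: bytes, plaintext: bytes) -> bytes:
        # Ciphertext layout (constructed): version id, ":", 16-byte nonce, body.
        nonce = secrets.token_bytes(16)
        ks = self._keystream(vid, nonce, len(plaintext))
        return vid + b":" + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def advance_encrypt(self, plaintext: bytes) -> bytes:
        # Models AdvanceEncrypt: always the current primary version.
        return self._encrypt(self.primary, plaintext)

    def legacy_encrypt(self, plaintext: bytes) -> bytes:
        # Models Encrypt: pinned to the initial version even after rotation.
        return self._encrypt(b"v1", plaintext)

    def advance_decrypt(self, ciphertext: bytes) -> bytes:
        # Models AdvanceDecrypt: the version id inside the ciphertext selects
        # the material, so pre-rotation ciphertext still decrypts.
        vid, rest = ciphertext.split(b":", 1)
        nonce, body = rest[:16], rest[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(vid, nonce, len(body))))
```

Rotating the key (create_version) changes what advance_encrypt produces but leaves legacy_encrypt on v1, which is why the page tells you not to mix the two families of operations on a rotated key.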
Operations related to key rotation
Enable automatic rotation
Method | Description |
Use the KMS console | |
Call API operations | |
Immediately rotate a key
Method | Description |
Use the KMS console | |
Call API operations | Call the CreateKeyVersion operation. |
View rotation details
Method | Description |
Use the KMS console | |
Call API operations | Call the DescribeKey operation and check AutomaticRotation and RotationInterval in the response. AutomaticRotation indicates whether automatic rotation is enabled. RotationInterval indicates the rotation period. Call the ListKeyVersions operation to view the value of KeyVersions. |