Managed key rotation - Unified Key Orchestrator Plan
You can manually rotate managed keys in your IBM Cloud® Hyper Protect Crypto Services with Unified Key Orchestrator instance on demand. Key rotation takes place when you retire the original key material and generate a new cryptographic key material for the root key.
Rotating keys regularly helps you meet industry standards and cryptographic best practices. The following table describes the main benefits of key rotation:
| Benefit | Description |
|---|---|
| Cryptoperiod management for keys | Key rotation limits how long your information is protected by a single key. By rotating your managed keys at regular intervals, you also shorten the cryptoperiod of the keys. The longer the lifetime of an encryption key, the higher the probability for a security breach. |
| Incident mitigation | If your organization detects a security issue, you can immediately rotate the key to mitigate or reduce costs that are associated with key compromise. |
Key rotation is treated in the NIST Special Publication 800-57, Recommendation for Key Management. To learn more, see NIST SP 800-57 Pt. 1 Rev. 5
Note that key rotation might charge extra fees depending on the type of your managed key. For the pricing details, refer to the following links:
- AWS Key Management Service keys: AWS Key Management Service Pricing
- Azure Key Vault keys: Azure Key Vault pricing
- Google Cloud KMS keys: Google Cloud Key Management Service Pricing.
- IBM Cloud KMS keys: No extra fees. For more information, see Hyper Protect Crypto Services with Unified Key Orchestrator pricing.
- IBM Key Protect keys: No extra fees. For more information, see Key Protect pricing.
How managed key rotation works
When you rotate a managed key, new key material is automatically generated and replaces the previous key material. It moves into the Active state and becomes available for cryptographic operations. When you use the managed key to perform encryption, Hyper Protect Crypto Services with Unified Key Orchestrator uses only the latest key material. Key rotation changes the key material. The key ID can also change, depending on the keystore type.
The following diagram shows a contextual view of the key rotation functionality.
Depending on the key type, managed keys in certain states are not eligible for key rotation. Before you rotate a managed key, make sure to check the following table. The Checkmark icon 
indicates that the managed key in this state is eligible for rotation. For more information about the different key states, see Monitoring the lifecycle of encryption keys in Unified Key Orchestrator.
| Key type | Pre-active | Active | Deactivated | Destroyed |
|---|---|---|---|---|
| AWS Key Management Service keys | N/A | |
|
N/A |
| Azure Key Vault keys | N/A | |
|
N/A |
| Google Cloud KMS keys | N/A | |
|
N/A |
| IBM Cloud KMS keys | N/A | |
N/A | N/A |
| IBM Key Protect keys | N/A | |
N/A | N/A |
What happens to the previous key versions?
After key rotation, the service retains the previous key versions and materials until the managed key is deleted, but you can no longer edit these key materials and the key state might change. The following table lists the detailed changes and the corresponding actions that are available for previous key versions.
| Key type | Key state changes | Available for encryption | Available for decryption | Description |
|---|---|---|---|---|
| AWS Key Management Service keys | Remain the same. | |
|
For more information, see Rotating AWS KMS keys. |
| Azure Key Vault keys | Remain the same. | |
|
For more information, see Configure cryptographic key auto-rotation in Azure Key Vault |
| Google Cloud KMS keys - Other key types except AES keys | Remain the same. | |
|
For more information, see Key rotation and Rotating keys. |
| Google Cloud KMS keys - AES keys | Automatically move to Deactivated state. | N/A | |
For more information, see Key rotation and Rotating keys. |
| IBM Cloud KMS keys | Automatically move to Deactivated state. | N/A | |
The previous key material can no longer be used for encryption, but it remains available for unwrap operations. When you use the rotated manage key to decrypt data, the service uses the same version of the key material that was used for encryption, and then rewraps data by using the latest key material. |
| IBM Key Protect keys | Automatically move to Deactivated state. | N/A | |
The previous key material can no longer be used for encryption, but it remains available for unwrap operations. When you use the rotated manage key to decrypt data, the service uses the same version of the key material that was used for encryption before, and then rewraps data by using the latest key material. For more information, see Rotating your keys. |
How often should keys be rotated?
The best practice is to rotate your manage keys regularly. Unified Key Orchestrator allows no more than one key rotation per hour for each key.
Rewrapping data after rotating a managed key
After a managed key rotation is complete, new key material becomes available for cryptographic operations. To ensure that your data is protected by the latest version of a managed key, rewrap your data after you rotate a managed key. Depending on your key type, refer to the following table for corresponding instructions.
| Key type | Instructions for rewrapping data |
|---|---|
| AWS Key Management Service keys | Rewrapping data with AWS Key Management Service. |
| Azure Key Vault keys | Azure key vault documentation. |
| Google Cloud KMS keys | Rewrapping data with Google Cloud KMS. |
| IBM Cloud KMS keys | Rewrapping data with IBM Cloud Hyper Protect Crypto Services. |
| IBM Key Protect keys | Rewrapping data with IBM Key Protect. |
What's next
- For more information about how to manually rotate a managed key, see Rotating managed keys.
- For more information about how to edit managed keys, see Editing key details.