Rotating managed keys manually

You can rotate your managed keys on demand by using Hyper Protect Crypto Services with Unified Key Orchestrator.

To learn how managed key rotation works, see Managed key rotation.

Rotating managed keys with the UI

If you prefer to rotate your managed keys by using a graphical interface, you can use the UI.

Complete the following steps to rotate a key:

Log in to the UI.
Go to Menu > Resource list to view a list of your resources.
From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services with Unified Key Orchestrator.
Click Managed keys from the navigation to view all the available keys.
Select the key that you want to rotate and click the Actions icon to open a list of options for the key.
Click Rotate from the options menu. Alternatively, you can click Show details from the options menu and then click Rotate on the key details page.
Click Rotate key to confirm.

Rotating managed keys with the API

To rotate a managed key through the API, follow these steps:

Retrieve your service and authentication credentials to work with keys in the service.

Rotate a managed key by making a POST call based on the following example:

curl --location --request POST 'https://uko.<region>.hs-crypto.cloud.ibm.com:<port>/api/v4/managed_keys/<id>/rotate' \
--header 'Authorization: Bearer <IAM_token>' \
--header 'Accept: application/json' \
--header 'UKO-Vault: <vault_id>' \
--header 'If-Match: <ETag>'

Replace the variables in the example request according to the following table.

Table 1. Variables needed to rotate a managed key
Variable	Description
`region`	Required. The prefix that represents the geographic area where your service instance resides. For more information, see Regions and locations.
`port`	Required. The port number of the API endpoint.
`id`	Required. The unique identifier for the managed key that you want to rotate.
`IAM_token`	Required. Your IBM Cloud IAM access token that you retrieve in step 1. Include the full contents of the `IAM` token, including the Bearer value.
`vault_id`	Required. The Universally Unique Identifier (UUID) of the vault that your manage key is assigned to.
`ETag`	Required. The precondition of the update, which is the value of ETag from the header on a GET request.

For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.

A successful rotation request returns an HTTP 204 No Content response, which indicates that your managed key is replaced by the new key material.

What's next

To confirm whether the key rotation is successfully proceeded, you can view managed key versions.
After you rotate a managed key, new cryptographic key material becomes available for encryption. To learn how to rewrap data by using the latest key material, see Rewrapping data after rotating a managed key.
To find out more about programmatically managing your keys, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.