Rotate a KMS Key
Rotating your KMS keys regularly is a cryptographic best practice. It bounds the amount of data protected by any single piece of key material, which limits the blast radius if that material is compromised, and it does so without disrupting your active workflows.
When you rotate a key, Exoscale KMS generates a fresh, versioned layer of key material while preserving the key’s historical key material.
How Key Rotation Works
Exoscale KMS handles key rotation through a versioning system, ensuring continuous availability for both new and legacy data.
- Encryption & Wrapping: The version generated by a rotation immediately becomes the active key material version. All subsequent requests to encrypt data or wrap Data Encryption Keys (DEKs) automatically use this new version; no request can select an older version for encryption.
- Decryption & Unwrapping: Legacy key versions are never discarded during a rotation. They are preserved in the key material history and remain usable only to decrypt or unwrap ciphertext that was produced with them.
Note
Thanks to Envelope Encryption, rotating a KMS key does not require you to download and re-encrypt your actual storage objects or compute volumes. Your data remains encrypted under its unique DEK; only the small wrapped DEK stays cryptographically tied to the older KMS key version. Because older versions stay valid for unwrapping, a rotation by itself does not retire them: ciphertext whose DEK was wrapped under an older version keeps depending on that version until the DEK is unwrapped and wrapped again under the current one.
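The versioning behaviour described above, as an added example that is not Exoscale code: a small in-process model of a KMS key with a list of key-material versions, envelope encryption of objects under per-object DEKs, a rotation, and an optional re-wrap that moves an old object's DEK to the current version without touching the object's ciphertext. The `VersionedKmsKey`, `encrypt_object`, `decrypt_object` and `rewrap_object` names are this example's own, and the AEAD is a standard-library encrypt-then-MAC stand-in for the AES-GCM a real KMS would use, chosen so the file runs without third-party packages.

```python
# Versioned-KEK envelope encryption model. Added illustration, not Exoscale code.
# AEAD stand-in for AES-GCM: HMAC-SHA256 counter-mode keystream plus an HMAC tag,
# so this runs on the Python standard library alone.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant time) before decrypting; reject on any mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class VersionedKmsKey:
    """One KMS key as a list of key-material versions; the newest is active."""

    def __init__(self) -> None:
        self._versions = [secrets.token_bytes(32)]  # version 1

    @property
    def active_version(self) -> int:
        return len(self._versions)

    def rotate(self) -> int:
        """Append fresh material; older versions stay in the history."""
        self._versions.append(secrets.token_bytes(32))
        return self.active_version

    def wrap(self, dek: bytes) -> tuple[int, bytes]:
        """Wrapping always uses the active version; the version number is bound as AAD."""
        v = self.active_version
        return v, aead_seal(self._versions[v - 1], dek, aad=b"kms-version:%d" % v)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        """Unwrapping may use any retained version, since rotation never discards one."""
        if not 1 <= version <= self.active_version:
            raise KeyError(f"unknown key version {version}")
        return aead_open(self._versions[version - 1], wrapped, aad=b"kms-version:%d" % version)

    def rewrap(self, version: int, wrapped: bytes) -> tuple[int, bytes]:
        """Move a wrapped DEK to the active version; the DEK bytes themselves are unchanged."""
        return self.wrap(self.unwrap(version, wrapped))


def encrypt_object(kms: VersionedKmsKey, data: bytes) -> dict:
    """Envelope encryption: fresh DEK per object, data under the DEK, DEK under the KMS key."""
    dek = secrets.token_bytes(32)
    version, wrapped = kms.wrap(dek)
    return {"key_version": version, "wrapped_dek": wrapped, "ciphertext": aead_seal(dek, data)}


def decrypt_object(kms: VersionedKmsKey, obj: dict) -> bytes:
    dek = kms.unwrap(obj["key_version"], obj["wrapped_dek"])
    return aead_open(dek, obj["ciphertext"])


def rewrap_object(kms: VersionedKmsKey, obj: dict) -> dict:
    """Re-tie an object to the active version without re-encrypting its payload."""
    version, wrapped = kms.rewrap(obj["key_version"], obj["wrapped_dek"])
    return {"key_version": version, "wrapped_dek": wrapped, "ciphertext": obj["ciphertext"]}


def demo() -> dict:
    kms = VersionedKmsKey()
    old_plain = b"volume snapshot written before rotation"  # constructed sample data
    before = encrypt_object(kms, old_plain)
    kms.rotate()
    after = encrypt_object(kms, b"object written after rotation")
    migrated = rewrap_object(kms, before)
    return {
        "active_version": kms.active_version,
        "before_version": before["key_version"],
        "after_version": after["key_version"],
        "before_still_decrypts": decrypt_object(kms, before) == old_plain,
        "migrated_version": migrated["key_version"],
        "migrated_ciphertext_unchanged": migrated["ciphertext"] == before["ciphertext"],
        "migrated_decrypts": decrypt_object(kms, migrated) == old_plain,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details carry the security point. `wrap` takes no version argument, so nothing can encrypt under retired material, while `unwrap` accepts any retained version, which is exactly the asymmetry the rotation model guarantees. The version number is authenticated as associated data, so a wrapped DEK presented with the wrong version fails closed instead of yielding garbage. `rewrap_object` is the step a practitioner would run after an incident-driven rotation to stop depending on the suspect version: it touches only the wrapped DEK, never the object payload.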
Managing Rotation Across Key Types
Customer-Managed Keys
For the additional KMS keys you create and control, you have full governance over how and when rotation occurs:
- Automatic Rotation: Enabled by default with a period of 365 days; it can be disabled at any time.
- Changing the Rotation Period: The rotation period cannot be modified while automatic rotation is active. To change it, first disable automatic rotation, then re-enable it with the new period.
- Multi-Zone Propagation: For keys configured as multi-zone, trigger or configure rotation only on the Primary Key. The newly generated key material and version history propagate automatically to all regional Replica Keys.
Note
Manual Rotations: If you suspect that a key has been compromised, or otherwise need a new key version outside the automated schedule, you can perform up to 10 manual rotations per customer-managed KMS key. Because that allowance is per key, reserve manual rotations for incidents rather than routine use.
The Default Organization Key
The Default Organization Key has a fully platform-managed rotation schedule, so it is rotated without any configuration on your part and provides a baseline of security out of the box.
- You cannot manually trigger a rotation for this key.
- You cannot modify or disable its automated rotation schedule.