
Rotate a KMS Key

Rotating your KMS keys regularly is a cryptographic best practice. It limits the volume of data protected by a single piece of key material, reducing the potential blast radius of a compromised key without disrupting your active workflows.

When you rotate a key, Exoscale KMS generates a new version of key material for that key while preserving every previous version in the key's history.


How Key Rotation Works

Exoscale KMS handles key rotation through a versioning system, ensuring continuous availability for both new and legacy data.

  • Encryption & Wrapping: The version generated by a rotation immediately becomes the active key material version. Every subsequent request to encrypt data or wrap a Data Encryption Key (DEK) uses this new version; older versions are never used for new encryption.
  • Decryption & Unwrapping: Legacy key versions are never discarded during a rotation. They are preserved in the key material history and remain authorized only for decrypting ciphertext, and unwrapping DEKs, that were produced under them.

Note

Thanks to Envelope Encryption, rotating a KMS key does not require you to download and re-encrypt your storage objects or compute volumes. Each object stays encrypted locally under its own unique DEK; only the small wrapped DEK remains cryptographically tied to the older KMS key version, and it stays tied to that version until it is unwrapped and wrapped again under the current one. Rotation therefore protects data encrypted from now on; it does not, by itself, retire an older version from protecting DEKs that were wrapped under it.
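To make the version mechanics above concrete, here is an added example (not Exoscale code, and not the KMS API) that models a versioned KMS key and envelope encryption in pure Python. The cipher is a toy stand-in built from the standard library (an HMAC-SHA256 keystream with an HMAC tag, encrypt-then-MAC); the class, function and field names, the 4-byte version header, and the sample object contents are all assumptions made for the illustration. It shows that new wraps pick up the newest version, that a DEK wrapped before a rotation still unwraps through the preserved version, that a re-wrap moves the DEK onto the current version without touching the data ciphertext, and that the per-key limit of 10 manual rotations stated on this page can be enforced:

```python
# Added example: toy model of a versioned KMS key used for envelope encryption.
# Not Exoscale's code or API. The cipher is a stand-in built from the standard
# library only (HMAC-SHA256 keystream + HMAC tag); names are assumptions.
import hashlib
import hmac
import secrets
import struct

HEADER = struct.Struct(">I")   # 4-byte big-endian key-version number (assumed layout)
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one piece of key material."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream made of HMAC blocks (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, version: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the key version travels in the clear in the header."""
    header, nonce = HEADER.pack(version), secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag


def open_blob(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any tampered or foreign blob."""
    header, nonce = blob[:HEADER.size], blob[HEADER.size:HEADER.size + NONCE_LEN]
    ct, tag = blob[HEADER.size + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def blob_version(blob: bytes) -> int:
    return HEADER.unpack(blob[:HEADER.size])[0]


class KmsKey:
    """Versioned key: wrap uses the newest version, unwrap uses the version the blob records."""
    MAX_MANUAL_ROTATIONS = 10   # per-key limit for customer-managed keys stated on this page

    def __init__(self):
        self.versions, self.current, self.manual_rotations = {}, 0, 0
        self.rotate()           # version 1 exists from creation

    def rotate(self, manual: bool = False) -> int:
        if manual:
            if self.manual_rotations >= self.MAX_MANUAL_ROTATIONS:
                raise RuntimeError("manual rotation limit reached")
            self.manual_rotations += 1
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)   # old versions are kept
        return self.current

    def wrap(self, dek: bytes) -> bytes:
        return seal(self.versions[self.current], self.current, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        version = blob_version(wrapped)
        if version not in self.versions:
            raise KeyError(f"unknown key version {version}")
        return open_blob(self.versions[version], wrapped)

    def rewrap(self, wrapped: bytes) -> bytes:
        """Move a DEK onto the current version; the data it protects is untouched."""
        return self.wrap(self.unwrap(wrapped))


def encrypt_object(kms: KmsKey, plaintext: bytes):
    """Envelope encryption: a fresh DEK per object, the DEK wrapped by the KMS key."""
    dek = secrets.token_bytes(32)
    return kms.wrap(dek), seal(dek, 0, plaintext)   # version field is unused for data


def decrypt_object(kms: KmsKey, wrapped_dek: bytes, ciphertext: bytes) -> bytes:
    return open_blob(kms.unwrap(wrapped_dek), ciphertext)


def rotation_walkthrough() -> dict:
    """Rotation before/after observations on a constructed sample object."""
    kms = KmsKey()
    wrapped_dek, ct = encrypt_object(kms, b"payroll.csv contents (constructed sample)")
    before = blob_version(wrapped_dek)                  # 1
    kms.rotate(manual=True)                             # e.g. suspected compromise
    new_wrapped, _ = encrypt_object(kms, b"new object")
    rewrapped = kms.rewrap(wrapped_dek)                 # only the DEK moves, ct is reused
    return {
        "version_before": before,
        "version_after": blob_version(new_wrapped),    # 2: new wraps use the new version
        "legacy_plaintext": decrypt_object(kms, wrapped_dek, ct),
        "rewrapped_version": blob_version(rewrapped),
        "rewrapped_plaintext": decrypt_object(kms, rewrapped, ct),
    }
```

The point to take from `rotation_walkthrough()` is the last two fields: after a rotation the old wrapped DEK still resolves through version 1, so nothing breaks, but it is `rewrap()` that actually moves the object onto version 2, and it does so without re-encrypting the object's ciphertext.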


Managing Rotation Across Key Types

Customer-Managed Keys

For the additional KMS keys that you create and control, you have full governance over how and when rotation occurs:

  • Automatic Rotation: Enabled by default with a rotation period of [365 days]; it can be disabled at any time.
  • Changing the Rotation Period: The rotation frequency cannot be modified directly while active. To update the period, you must first disable automatic rotation, and then re-enable it while specifying your new desired timeframe.
  • Multi-Zone Propagation: For keys configured as multi-zone, you must trigger or configure rotation exclusively on the Primary Key. The newly generated key material and history will automatically propagate to all regional Replica Keys.

Note

Manual Rotations: If you suspect a key compromise or need to force an immediate key update outside of your automated schedule, you can perform up to 10 manual rotations per customer-managed KMS key.

The Default Organization Key

The Default Organization Key features a fully platform-managed rotation schedule to guarantee out-of-the-box baseline security.

  • You cannot manually trigger a rotation for this key.
  • You cannot modify or disable its automated rotation schedule.