# Rotate a KMS Key
Rotating your KMS keys regularly is a cryptographic best practice. It limits the volume of data protected by a single piece of key material, reducing the potential blast radius of a compromised key without disrupting your active workflows.

When you rotate a key, Exoscale KMS generates a fresh, versioned layer of key material while preserving the key's historical key material.

---

## How Key Rotation Works

Exoscale KMS handles key rotation through a versioning system, ensuring continuous availability for both new and legacy data.

* **Encryption & Wrapping:** The newly generated version resulting from a rotation instantly becomes the active key material version. All subsequent requests to encrypt data or wrap Data Encryption Keys (DEKs) will automatically use this new version.
* **Decryption & Unwrapping:** Legacy key versions are never discarded during a rotation. They are preserved in the key material history and remain authorized *exclusively* for decrypting existing ciphertext.

> [!NOTE]
> Thanks to **Envelope Encryption**, rotating a KMS key does *not* require you to download and re-encrypt your actual storage objects or compute volumes. Your data remains safely encrypted locally by its unique DEK; only the lightweight DEK itself remains cryptographically tied to the older KMS key version.
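The versioning behaviour described above (wrapping always uses the active version, unwrapping uses whichever version a blob was wrapped under, and rotation leaves already-encrypted objects untouched) is easiest to see in a small model. The following is an added illustration, not Exoscale's code or API: it is a constructed toy in which an HMAC-SHA256 keystream stands in for a real AEAD cipher, and the key-version number is assumed to be recorded in the wrapped DEK blob so that unwrap can look up the right material.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of a versioned KMS key with envelope encryption.
# Illustration only: an HMAC-SHA256 keystream stands in for a real AEAD cipher,
# and the blob layout (version || nonce || ciphertext || tag) is an assumption,
# not Exoscale's format.

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
VERSION_LEN = 4


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher, not AES)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC under one key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, data)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; reject any tampered blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


def wrapped_version(wrapped: bytes) -> int:
    """Key-material version a wrapped DEK blob was produced with."""
    return int.from_bytes(wrapped[:VERSION_LEN], "big")


class KmsKey:
    """One KMS key: a history of versioned key material plus the active version."""

    def __init__(self) -> None:
        self.versions: dict[int, bytes] = {}
        self.current = 0
        self.rotate()  # version 1 is created together with the key

    def rotate(self) -> int:
        """Add a new version; older material is kept, never discarded."""
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(KEY_LEN)
        return self.current

    def wrap(self, dek: bytes) -> bytes:
        """Wrapping always uses the active version and records it in the blob."""
        return self.current.to_bytes(VERSION_LEN, "big") + _seal(self.versions[self.current], dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        """Unwrapping uses the version named in the blob; legacy versions stay valid for this."""
        version = wrapped_version(wrapped)
        material = self.versions.get(version)
        if material is None:
            raise ValueError(f"unknown key version {version}")
        return _open(material, wrapped[VERSION_LEN:])


def envelope_encrypt(key: KmsKey, plaintext: bytes) -> dict:
    """Fresh DEK per object; the object is sealed by the DEK, the DEK by the KMS key."""
    dek = secrets.token_bytes(KEY_LEN)
    return {"wrapped_dek": key.wrap(dek), "ciphertext": _seal(dek, plaintext)}


def envelope_decrypt(key: KmsKey, envelope: dict) -> bytes:
    dek = key.unwrap(envelope["wrapped_dek"])
    return _open(dek, envelope["ciphertext"])


def demonstrate_rotation() -> dict:
    """Encrypt, rotate, encrypt again, and check what each envelope is tied to."""
    key = KmsKey()
    obj = b"constructed sample object contents"
    before = envelope_encrypt(key, obj)
    key.rotate()
    after = envelope_encrypt(key, obj)
    return {
        "old_wrapped_with": wrapped_version(before["wrapped_dek"]),
        "new_wrapped_with": wrapped_version(after["wrapped_dek"]),
        "old_still_decrypts": envelope_decrypt(key, before) == obj,
        "new_decrypts": envelope_decrypt(key, after) == obj,
        "versions_retained": sorted(key.versions),
    }


if __name__ == "__main__":
    print(demonstrate_rotation())
```

Note that the object ciphertext produced before the rotation is never touched: only the small wrapped-DEK blob references the older version, which is exactly why rotating the KMS key does not force a re-encryption of the stored data. Re-wrapping that DEK under the new version would be a separate, optional step.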

---

## Managing Rotation Across Key Types

### Customer-Managed Keys
For the additional KMS keys you create and control, you have full governance over how and when rotation occurs:

* **Automatic Rotation**: This is enabled by default with a period of 365 days, but it can be disabled at any time.
* **Changing the Rotation Period**: The rotation frequency cannot be modified directly while active. To update the period, you must first disable automatic rotation, and then re-enable it while specifying your new desired timeframe.
* **Multi-Zone Propagation**: For keys configured as multi-zone, you must trigger or configure rotation exclusively on the **Primary Key**. The newly generated key material and history will automatically propagate to all regional **Replica Keys**.

> [!NOTE]
> **Manual Rotations:** If you suspect a key compromise or need to force an immediate key update outside of your automated schedule, you can perform up to **10 manual rotations** per customer-managed KMS key.

### The Default Organization Key
The Default Organization Key features a fully platform-managed rotation schedule to guarantee out-of-the-box baseline security.

* You **cannot** manually trigger a rotation for this key.
* You **cannot** modify or disable its automated rotation schedule.
