Rotating a Vault Key

Learn how to rotate a key by creating a new key version.

When you create a new key version of a master encryption key, the KMS service rotates the key version in use for that key. The service can generate the key material for the new key version, or you can import your own key material. When you import key material, you must wrap it with a wrapping key; you can't create, delete, or rotate a wrapping key. For more information about key rotation, see Key Versions & Rotations in the Key and Secret Management Concepts topic.

Automatic Key Rotation

For keys created in virtual private vaults, you can enable automatic key rotation. See the Automatic Key Rotation section of the Key and Secret Management Concepts topic for details. This option can be enabled during key creation, or enabled after a key is created. See Enabling and Updating Auto Key Rotation for instructions on updating auto-rotation settings, and Creating a Master Encryption Key for instructions on creating a new key with automatic rotation enabled.

    1. Open the navigation menu, select Identity & Security, and then select Vault.
    2. Under List scope, select a compartment that contains the vault that contains the key that you want to update.
    3. On the Vaults page, click the name of the vault to open its details page.
    4. Under List scope, select a compartment that contains the key that you want to update.
    5. Under Resources, click Master Encryption Key.
    6. In the key summary table, click the Actions menu and then select Rotate key.
    7. In the Confirm dialog box, select the Import External key version check box if you want to import your own key material for the new key version and allow the Key Management Service to use a copy of it.
    8. Click Rotate Key.

       Note

       Cryptographic operations involving objects that were encrypted with the previous version of this key continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer.
  • Open a command prompt and run oci kms management key-version create to rotate a key:

    oci kms management key-version create --key-id <target_key_id> --endpoint <vault_specific_management_endpoint_url>

    For example:

    oci kms management key-version create --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    Cryptographic operations involving objects that were encrypted with the previous version of this key will continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer.

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
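The behaviour described in the note above (after a rotation, new encryptions use the new key version while existing ciphertexts stay on the version that produced them until you re-encrypt them) as a small Python model. This is illustrative code added here, not the OCI service's, CLI's or SDK's own code; the MasterKey class, the v1/v2 version ids, and the HMAC-based toy cipher are assumptions chosen so the example runs offline with the standard library only.

```python
"""Toy model of master-key versioning and rotation.

Illustrative code added for this page, not the OCI service's or SDK's own code.
A ciphertext records the key version that produced it, so data encrypted before
a rotation is still decrypted with its original version and moves to the
current version only when it is explicitly re-encrypted. The HMAC-based stream
cipher is a stand-in chosen so the example runs offline; use a real AEAD in
practice.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, stdlib only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class MasterKey:
    """A master encryption key with one or more key versions (class and names assumed)."""
    versions: dict = field(default_factory=dict)  # version id -> key material
    current: str = ""
    _next: int = 1

    def rotate(self, material: Optional[bytes] = None) -> str:
        """Create a new key version and make it current.

        The service generates the material unless the caller imports its own,
        mirroring the 'Import External key version' option in the console.
        """
        vid = f"v{self._next}"
        self._next += 1
        self.versions[vid] = os.urandom(32) if material is None else material
        self.current = vid
        return vid

    def retire(self, vid: str) -> None:
        """Drop a version's material; anything still encrypted under it is lost."""
        del self.versions[vid]

    def encrypt(self, plaintext: bytes) -> dict:
        """Encrypt under the current version and tag the blob with that version."""
        vid = self.current
        key = self.versions[vid]
        nonce = os.urandom(16)
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, vid.encode() + nonce + ct, hashlib.sha256).digest()
        return {"version": vid, "nonce": nonce, "ciphertext": ct, "tag": tag}

    def decrypt(self, blob: dict) -> bytes:
        """Decrypt with the version recorded in the blob, not the current one."""
        vid = blob["version"]
        if vid not in self.versions:
            raise KeyError(f"key version {vid} is no longer available")
        key = self.versions[vid]
        expected = hmac.new(key, vid.encode() + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("ciphertext failed authentication")
        return _xor(blob["ciphertext"], _keystream(key, blob["nonce"], len(blob["ciphertext"])))

    def reencrypt(self, blob: dict) -> dict:
        """Migrate a blob to the current version (decrypt with old, encrypt with new)."""
        return self.encrypt(self.decrypt(blob))


def rotation_demo() -> dict:
    """Walk through one rotation and report which version each blob ends up on."""
    mk = MasterKey()
    mk.rotate()                              # v1 is created and becomes current
    record = b"constructed sample record"    # constructed sample plaintext
    old_blob = mk.encrypt(record)            # encrypted under v1
    mk.rotate()                              # rotation: v2 becomes current
    fresh_blob = mk.encrypt(record)          # new data goes to v2 automatically
    migrated = mk.reencrypt(old_blob)        # explicit re-encrypt moves old data to v2
    return {
        "old_version": old_blob["version"],
        "current_version": mk.current,
        "old_still_decrypts": mk.decrypt(old_blob) == record,
        "fresh_version": fresh_blob["version"],
        "migrated_version": migrated["version"],
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Running the file prints the summary: the old blob reports v1 and still decrypts after the rotation, while the fresh and migrated blobs report v2. The retire method shows the failure mode worth checking before removing an old key version: anything not yet re-encrypted under the current version can no longer be decrypted.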

  • Run the CreateKeyVersion operation to rotate a specific master encryption key using the KMSMANAGEMENT endpoint.

    Note

    Each region uses the KMSMANAGEMENT endpoint for create, update, and list operations on keys. This endpoint is referred to as the control plane URL or vault management endpoint. Each region also has a unique endpoint for operations related to retrieving vault details. This endpoint is known as the data plane URL or the secret retrieval endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.