Oracle Cloud Infrastructure Documentation

Rotating a Key

Learn how to rotate a key by creating a new key version.

When you create a new key version of a master encryption key, the KMS service rotates the key version in use for the key. The service can generate the key material for the new key version, or you can import your own key material. When importing a key you must use a wrapping key to wrap the key material. However, you can't create, delete or rotate a wrapping key. For more information about key rotation, see Key Versions & Rotations in the the Key and Secret Management Concepts topic.

Automatic Key Rotation

For keys created in virtual private vaults, you can enable automatic key rotation. See the Automatic Key Rotation section of the Key and Secret Management Concepts topic for details. This option can be enabled during key creation, or enabled after a key is created. See Enabling and Updating Auto Key Rotation for instructions on updating auto-rotation settings, and Creating a Master Encryption Key for instructions on creating a new key with automatic rotation enabled.

    1. Open the navigation menu , select Identity & Security, and then select Vault.
    2. Under List scope, select a compartment that contains the vault that contains the key that you want to update.
    3. On the Vaults page, select the name of the vault to open its details page.
    4. Under List scope, select a compartment that contains the key that you want to update.
    5. Under Resources, select Master Encryption Key.
    6. In the key summary table, select Actions menu (Actions Menu) and then select Rotate key.
    7. In the Confirm dialog box, select Import External key version checkbox to import the key materials and key versions and allow Key Management Service to use a copy of it.
    8. Select Rotate Key.
      Note

      Cryptographic operations involving objects that were encrypted with the previous version of this key continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer

  • Open a command prompt and run oci kms management key-version create to rotate a key

    oci kms management key-version create --key-id <target_key_id> --endpoint <vault_specific_management_endpoint_url

    For example:

    
oci kms management key-version create --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    Cryptographic operations involving objects that were encrypted with the previous version of this key will continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer.

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Use the CreateKeyVersion API with the Management Endpoint to rotate a master encryption key.

    Note

    The Management Endpoint is used for management operations including Create, Update, List, Get, and Delete. The Management Endpoint is also called the control plane URL or the KMSMANAGMENT endpoint.

    The Cryptographic Endpoint is used for cryptographic operations including Encrypt, Decrypt, Generate Data Encryption Key, Sign, and Verify. The Cryptographic Endpoint is also called the data plane URL or the KMSCRYPTO endpoint.

    You can find the management and cryptographic endpoints in a vault's details metadata. See Getting a Vault's Details for instructions.

    For regional endpoints for the Key Management, Secret Management, and Secret Retrieval APIs, see API Reference and Endpoints.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.