Rotating a Vault Key

Rotate a master encryption key.

When you rotate a key, the KMS service generates a new key version. The service can generate the key material for the new key version, or you can import your own key material. When importing a key you must use a wrapping key to wrap the key material. However, you can't create, delete or rotate a wrapping key. For more information about key rotation, see Overview of Vault.

    1. Open the navigation menu, click Identity & Security, and then click Vault.
    2. Under List scope, select a compartment that contains the vault that contains the key that you want to update.
    3. On the Vaults page, click the name of the vault to open its details page.
    4. Under List scope, select a compartment that contains the key that you want to update.
    5. Under Resources, click Master Encryption Key.
    6. In the key summary table, click Actions menu (Actions Menu) and then select Rotate key.
    7. In the Confirm dialog box, select Import External key version check box to import the key materials and key versions and allow Key Management Service to use a copy of it.
    8. Click Rotate Key.
      Note

      Cryptographic operations involving objects that were encrypted with the previous version of this key continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer
  • Open a command prompt and run oci kms management key rotate to rotate a key

    oci kms management key rotate --key-id <target_key_id> --endpoint <vault_specific_management_endpoint_url

    For example:

    
    oci kms management key rotate --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com

    Cryptographic operations involving objects that were encrypted with the previous version of this key will continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer.

    For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.

  • Run the KeyVersion operation to get information about a specific master encryption key using the KMSMANAGMENT endpoint.

    Note

    Each region uses the KMSMANAGMENT endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or vault management endpoint. Each region also has a unique endpoint for operations related to retrieving vault details. This endpoint is known as the data plane URL or the secret retrieval endpoint. For regional endpoints, see the API Documentation.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.