
Key Rotation — Rotating Cryptographic Keys

09. 03. 2024 1 min read intermediate

A key that is never rotated means a compromised key stays valid forever. Regular rotation limits the impact of a potential leak.

Why Rotate

  • Limiting the window of exposure if a key is compromised
  • Compliance requirements (PCI DSS: annually)
  • Reducing the amount of data encrypted under a single key
  • Departure of employees who had access to the key

AWS KMS Automatic Rotation


resource "aws_kms_key" "main" {
  enable_key_rotation = true  # KMS rotates the key material every year; older material is kept so existing ciphertexts still decrypt
}

Manual rotation

aws kms create-key --description "new-key"

Then re-encrypt the data with the new key.

Envelope Encryption

Data is encrypted with a Data Encryption Key (DEK). The DEK is itself encrypted (wrapped) with a Key Encryption Key (KEK) held in KMS. When you rotate the KEK, you only re-wrap the DEK; the data itself does not have to be re-encrypted.
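The envelope scheme above, worked through end to end as an added example (not code from the original post): a KEK is rotated and only the wrapped DEK changes while the bulk ciphertext stays byte-for-byte identical. AES-GCM is not in Python's standard library, so a small encrypt-then-MAC construction (hash-counter keystream plus HMAC-SHA256 tag) stands in for the AEAD, and a locally generated key stands in for the KMS-held KEK; the names Envelope, encrypt, decrypt and rotate_kek are my own.

```python
"""Envelope encryption with KEK rotation, runnable offline (example code).
AES-GCM is not in the stdlib, so a hash-counter keystream plus HMAC-SHA256 tag
stands in for it; the envelope logic is the point, not the toy cipher."""
import hashlib
import hmac
import os
from dataclasses import dataclass

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _keystream(ek: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD: nonce || ciphertext || tag (encrypt-then-MAC)."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal; raises ValueError on a wrong key or a tampered blob."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

@dataclass
class Envelope:
    wrapped_dek: bytes  # DEK encrypted under the KEK (in production: by KMS)
    ciphertext: bytes   # data encrypted under the DEK

def encrypt(kek: bytes, plaintext: bytes) -> Envelope:
    """Fresh DEK per object: data sealed under it, DEK wrapped by the KEK."""
    dek = os.urandom(32)
    return Envelope(seal(kek, dek), seal(dek, plaintext))

def decrypt(kek: bytes, env: Envelope) -> bytes:
    return open_(open_(kek, env.wrapped_dek), env.ciphertext)

def rotate_kek(old_kek: bytes, new_kek: bytes, env: Envelope) -> Envelope:
    """Re-wrap the DEK under the new KEK; the bulk ciphertext is reused as-is."""
    dek = open_(old_kek, env.wrapped_dek)
    return Envelope(seal(new_kek, dek), env.ciphertext)
```

After rotate_kek, decrypting with the old KEK fails at the DEK-unwrap step, which is exactly why the text recommends a grace period before the old KEK is retired.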

Key Takeaway

Use automatic rotation in KMS. Use envelope encryption so that rotation is cheap. Keep old keys available for a grace period so that data still wrapped with them can be decrypted and migrated.

Tags: security, key rotation, kms, encryption

CORE SYSTEMS team