Automatic key rotation in OCI KMS Private Vault now generally available!

February 27, 2024 | 4 minute read
FREDERICK BOSCO
Product Manager

In the realm of cybersecurity, keys are more than just access points. They're the guardians of your sensitive data. Imagine using the same lock and key for years. Though convenient, it becomes increasingly vulnerable to wear and tear, making it easier for someone to pick. The same goes for your encryption keys! Static keys can become vulnerable over time, which is where key rotation comes in, ensuring that Oracle Cloud Infrastructure (OCI) Key Management Service (KMS) stays ahead of potential threats.

Why rotate your keys?

Automatic key rotation helps reduce risk with the following features:

  • Limits the impact of a compromised key: The potential damage is contained to data encrypted with that specific key version. Data encrypted after the rotation uses a different key version, so a compromised version can't decrypt it.
  • Helps address compliance requirements: Many regulations mandate key rotation at specific intervals. Automatic key rotation simplifies this issue and reduces audit burden.
  • Enhances overall security posture: Proactive key management demonstrates a commitment to data security, fostering trust with stakeholders.

OCI KMS previously supported on-demand, unscheduled key rotation. Now, we’re pleased to announce the general availability (GA) of automatic key rotation in OCI KMS Vault (Private Vault). You can schedule your automatic key rotation at specific intervals on any day you choose. We seamlessly manage the rotation in the background, scaling effortlessly as your application grows.

With a selection in the Oracle Cloud Console, you can activate this feature. Automatic key rotation is available to all private vault users across realms, regardless of key type (HSM or software) or encryption method (symmetric or asymmetric).

Key features

Automatic key rotation in OCI KMS Vault offers the following features and benefits:

  • Individual configuration: With automatic key rotation, you can configure rotation on a per-key basis within your private vault. This granularity allows you to tailor your rotation strategy to the specific needs of individual keys and applications.
  • Flexible scheduling: You set a start date and a rotation interval between 60 and 365 days, with a default of 90 days, to match your specific requirements. The rotation happens approximately at the set interval, with each subsequent rotation scheduled from the last successful rotation date. KMS ensures that your rotation happens on or before the rotation interval to meet your compliance needs, even if that means starting the rotation a few days before the set interval.
  • Transparent updates: With key rotation in KMS, applications automatically use the new key version for encrypting new data as soon as it's available. Older data remains encrypted with the previous key version until you explicitly choose to reencrypt it. Automatic key rotation keeps this behavior unchanged.
  • Detailed auditing: You can track all rotations through detailed audit logs in the OCI Logging service. We have also integrated autorotation operations with the OCI Events service, so you can now subscribe and get notified about rotation events and their success or failure status. These real-time notifications keep you informed, allowing you to promptly address any issues and maintain a robust security posture.
  • Cross-region replication: If your private KMS vault is enabled for cross-region replication, automatic key rotation on the source automatically replicates the new key version to the destination region.
  • Backup and restore: The automatic key rotation intervals aren’t backed up. So, when you restore the key, you need to set the autorotation policies again.
  • Scheduled key deletion: When the keys are scheduled for deletion, autorotation is paused but not disabled. So, when you bring back the keys to an active state, your automatic rotation policy continues as it was originally set when the key was created.

Supported OCI services

Automatic key rotation in OCI KMS Vault (Private Vault) simplifies security for many OCI services, including Storage, Secrets, and Certificates. These services rotate keys through the KMS APIs, so they benefit from scheduled key rotations with no extra work needed!

However, database cloud services, such as Exadata and Autonomous Database, have a different story. They require you to use separate database tools (not the KMS APIs) for key rotation, so they won't directly benefit, because those tools aren't yet integrated with this feature.

The Oracle Cloud Console experience

With OCI KMS, you get the following benefits in the Oracle Cloud Console:

  • Automatic key rotation in OCI KMS takes the hassle out of securing your data! Turning it on requires one selection when creating a new key. Already have keys? No problem! You can activate it later using the Edit option.
  • By default, your keys rotate every 90 days, but you can customize the interval to your needs. This rotation continues until you turn it off or schedule the key for deletion.
  • Want to stay on top of things? Easily view the next rotation date and the last successful rotation date for each key. Plus, if a rotation fails even after multiple attempts, our APIs and Console display the error and reschedule the rotation for later.
  • Have OCI Events integrated? It proactively notifies you of any errors, allowing you to manually rotate the key and maintain compliance.

Pricing and limits

Automatic key rotation is included at no extra cost with OCI KMS Vault (Private Vault). Your vault still has the same 3,000 key version limit. Each rotation consumes a portion of that limit: one key version is used for a symmetric key rotation, and two key versions are used for an asymmetric key rotation.
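The scheduling rules above (rotation scheduled from the last successful rotation, 60 to 365 day interval, 90 by default) and the per-vault key version budget are easy to get wrong at scale, so here is an added example, not Oracle's code or the OCI SDK, that models them: it computes the next expected rotation, flags keys whose rotation is overdue, and checks whether a set of keys will stay within the 3,000 key version limit over a planning horizon. The `RotatingKey` class and function names are this example's own; the sample keys are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MIN_INTERVAL_DAYS, MAX_INTERVAL_DAYS, DEFAULT_INTERVAL_DAYS = 60, 365, 90
VAULT_KEY_VERSION_LIMIT = 3000              # per private vault, as stated in the post
VERSIONS_PER_ROTATION = {"symmetric": 1, "asymmetric": 2}

@dataclass
class RotatingKey:
    """Hypothetical model of one key's autorotation config (not an OCI SDK type)."""
    name: str
    algorithm: str                          # "symmetric" or "asymmetric"
    schedule_start: date                    # start date of the rotation schedule
    interval_days: int = DEFAULT_INTERVAL_DAYS
    last_rotation: Optional[date] = None    # last successful rotation, if any
    versions_now: int = 1                   # versions already in the vault (>= 1)

def validate_interval(days: int) -> int:
    """Reject intervals outside the 60-365 day range the feature accepts."""
    if not MIN_INTERVAL_DAYS <= days <= MAX_INTERVAL_DAYS:
        raise ValueError(f"interval must be {MIN_INTERVAL_DAYS}-{MAX_INTERVAL_DAYS} days, got {days}")
    return days

def next_rotation(key: RotatingKey) -> date:
    """Latest date the next rotation is expected: the first rotation follows the
    schedule start, later ones follow the last successful rotation. KMS may
    rotate a few days earlier than this, never later."""
    base = key.last_rotation or key.schedule_start
    return base + timedelta(days=validate_interval(key.interval_days))

def overdue_keys(keys: List[RotatingKey], today: date) -> List[str]:
    """Monitoring check: keys whose expected rotation date has already passed.
    Such a key should have produced a rotation event; treat it as a failed or
    paused rotation and rotate manually if needed."""
    return [k.name for k in keys if next_rotation(k) < today]

def versions_needed(keys: List[RotatingKey], years: int) -> int:
    """Key versions the vault will hold after `years` of on-schedule rotations:
    one new version per symmetric rotation, two per asymmetric rotation."""
    total = 0
    for k in keys:
        rotations = (365 * years) // validate_interval(k.interval_days)
        total += k.versions_now + rotations * VERSIONS_PER_ROTATION[k.algorithm]
    return total

def fits_vault_limit(keys: List[RotatingKey], years: int) -> bool:
    """Capacity check against the 3,000 key version limit of one private vault."""
    return versions_needed(keys, years) <= VAULT_KEY_VERSION_LIMIT
```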

Next steps

Automatic key rotation empowers you to simplify key management, strengthen security, and effortlessly comply with regulations. Upgrade your security posture today! Read more about how the feature works in the technical documentation.

But the best way to learn about it is to give it a try! Visit our website to learn more about Oracle Cloud Infrastructure Security products, and sign up for a Free Tier account to take a closer look.

I am the Product Manager for OCI Key Management service and OCI Secret Management service.