Key Rotation

There are three types of keys in KMS that can be rotated:

  • user operational keys

  • primary key for the user’s key store

  • primary key for the server’s key store

User operational keys

A user operational key can be rotated by making the request

POST /v1/keystores/{keystore}/keys/{key}/rotate

The response contains a new URL for the rotated key.

When a key is rotated, new key material is added, but the old material is not deleted. The newest key material is used to encrypt new data. For decryption, the newest key material is tried first; if decryption fails, the older key material is tried in turn. This allows data that was encrypted before the rotation to still be decrypted.

Key material - the cryptographic data used for encrypt/decrypt operations. Key - a set of key material ordered by date, from the newest to the oldest.

Key rotation is implemented using LocalKMS.Rotate from aries-framework-go.
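The rotation and decryption behaviour described above (a key as a newest-first list of material, encrypt with the newest, decrypt by trying newest to oldest), as an added example that is not code from this project or from aries-framework-go. It assumes each generation of key material is an AES-256-GCM AEAD, a hypothetical stand-in for what LocalKMS manages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key models the page's definition: key material ordered from newest to oldest. Each
// material is a hypothetical AES-256-GCM AEAD standing in for what aries-framework-go manages.
type Key struct{ materials []cipher.AEAD }

// Rotate puts fresh random material at the front; older material is kept, never deleted.
func (k *Key) Rotate() error {
	raw := make([]byte, 32)
	rand.Read(raw) // crypto/rand.Read never returns an error (Go 1.24+); it aborts instead
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	k.materials = append([]cipher.AEAD{aead}, k.materials...)
	return nil
}

// Encrypt always uses the newest material (the key must have been Rotated at least once);
// the random nonce is prefixed to the ciphertext so Decrypt can recover it.
func (k *Key) Encrypt(plaintext []byte) ([]byte, error) {
	m := k.materials[0]
	nonce := make([]byte, m.NonceSize())
	rand.Read(nonce)
	return m.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt tries the newest material first and falls back to each older generation;
// a GCM authentication failure (data encrypted under another generation) just moves on.
func (k *Key) Decrypt(ciphertext []byte) ([]byte, error) {
	for _, m := range k.materials {
		if ns := m.NonceSize(); len(ciphertext) >= ns {
			if pt, err := m.Open(nil, ciphertext[:ns], ciphertext[ns:], nil); err == nil {
				return pt, nil
			}
		}
	}
	return nil, errors.New("no key material can decrypt this ciphertext")
}
```

Data sealed before a Rotate call still decrypts afterwards, while a truncated ciphertext or a key with no material returns an error instead of panicking.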

User key store primary key

Not implemented yet.

Server key store primary key

The server key store uses AWS KMS to protect keys. AWS KMS supports automatic key rotation.