copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2024-07-01 |
rotate, rotate root key, automatic key rotation, set rotation policy, policy based key rotation |
hs-crypto |
{{site.data.keyword.attribute-definition-list}}
{: #set-rotation-policy}
You can set an automatic rotation policy for a root key by using {{site.data.keyword.cloud}} {{site.data.keyword.hscrypto}}. {: shortdesc}
When you set an automatic rotation policy for a root key, you shorten the lifetime of the key at regular intervals, and you limit the amount of information that is protected by that key.
You can create a rotation policy only for root keys that are generated in {{site.data.keyword.hscrypto}}. If you imported the root key initially, you must provide new base64 encoded key material to rotate the key. For more information, see Rotating root keys on demand. {: note}
Want to learn more about your key rotation options in {{site.data.keyword.hscrypto}}? Check out Comparing your key rotation options for more information. {: tip}
{: #manage-policies-gui} {: ui}
If you prefer to manage policies for your root keys by using a graphical interface, you can use the UI.
-
Log in to the UI{: external}.
-
Go to Menu > Resource list to view a list of your resources.
-
From your {{site.data.keyword.cloud_notm}} resource list, select your provisioned instance of {{site.data.keyword.hscrypto}}.
-
On the KMS keys page, use the Keys table to browse the keys in your service.
-
Click the Actions icon to open a list of options for a specific key.
-
From the options menu, click Edit key rotation policy to manage the rotation policy for the key.
-
Switch the Key rotation to On and move the slider to select a frequency of rotation in months.
If your key has an existing rotation policy, the interface displays the key's existing rotation period.
-
Click Save policy to set the policy for the key.
When it's time to rotate the key based on the rotation interval that you specify, {{site.data.keyword.hscrypto}} automatically replaces the root key with new key material.
{: #manage-rotation-policies-api} {: api}
{: #view-rotation-policy-api}
For a high-level view, you can browse the rotation policies that are associated with a root key by making a GET
call to the following endpoint.
https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies
{: codeblock}
-
Retrieve the rotation policy for a specified key by running the following cURL command.
curl -X GET \ https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \ -H 'content-type: application/vnd.ibm.kms.policy+json'
{: codeblock}
Replace the variables in the example request according to the following table.
Variable Description region
Required. The region abbreviation, such as us-south
oreu-de
, that represents the geographic area where your {{site.data.keyword.hscrypto}} service instance resides. For more information, see Regional service endpoints.port
Required. The port number of the API endpoint. key_ID
Required. The unique identifier for the root key that has an existing rotation policy. IAM_token
Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAM
token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID
Required. The unique identifier that is assigned to your {{site.data.keyword.hscrypto}} service instance. For more information, see Retrieving an instance ID. correlation_ID
The unique identifier that is used to track and correlate transactions. {: caption="Table 1. Describes the variables needed to create a rotation policy with the API" caption-side="bottom"} A successful
GET api/v2/keys/{id}/policies
response returns policy details that are associated with your key. The following JSON object shows an example response for a root key that has an existing rotation policy.{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.policy+json" }, "resources": [ { "id": "a1769941-9805-4593-b6e6-290e42dd1cb5", "rotation": { "interval_month": 1 }, "createdby": "IBMid-503CKNRHR7", "createdat": "2019-03-06T16:31:05Z", "updatedby": "IBMid-503CKNRHR7", "updatedat": "2019-03-06T16:31:05Z" } ] }
{: screen}
The
interval_month
value indicates the key rotation frequency in months.
{: #create-rotation-policy-api}
Create a rotation policy for your root key by making a PUT
call to the following endpoint.
https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies
{: codeblock}
-
Create a rotation policy for a specified key by running the following cURL command.
curl -X PUT \ https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \ -H 'content-type: application/vnd.ibm.kms.policy+json' \ -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "rotation": { "interval_month": <rotation_interval> } } ] }'
{: codeblock}
Replace the variables in the example request according to the following table.
Variable Description region
Required. The region abbreviation, such as us-south
oreu-de
, that represents the geographic area where your {{site.data.keyword.hscrypto}} service instance resides. For more information, see Regional service endpoints.port
Required. The port number of the API endpoint. key_ID
Required. The unique identifier for the root key that you want to create a rotation policy for. IAM_token
Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAM
token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID
Required. The unique identifier that is assigned to your {{site.data.keyword.hscrypto}} service instance. For more information, see Retrieving an instance ID. correlation_ID
The unique identifier that is used to track and correlate transactions. rotation_interval
Required. An integer value that determines the key rotation interval time in months. The minimum is 1
and the maximum is12
.{: caption="Table 2. Describes the variables needed to create a rotation policy with the API" caption-side="bottom"} A successful
PUT api/v2/keys/{id}/policies
response returns policy details that are associated with your key. The following JSON object shows an example response for a root key that has an existing rotation policy.{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.policy+json" }, "resources": [ { "id": "a1769941-9805-4593-b6e6-290e42dd1cb5", "rotation": { "interval_month": 1 }, "createdby": "IBMid-503CKNRHR7", "createdat": "2019-03-06T16:31:05Z", "updatedby": "IBMid-503CKNRHR7", "updatedat": "2019-03-06T16:31:05Z" } ] }
{: screen}
{: #update-rotation-policy-api}
Update an existing policy for a root key by making a PUT
call to the following endpoint.
https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies
{: codeblock}
-
Replace the rotation policy for a specified key by running the following cURL command.
curl -X PUT \ https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \ -H 'content-type: application/vnd.ibm.kms.policy+json' \ -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "rotation": { "interval_month": <new_rotation_interval> } } ] }'
{: codeblock}
Replace the variables in the example request according to the following table.
Variable Description region
Required. The region abbreviation, such as us-south
oreu-de
, that represents the geographic area where your {{site.data.keyword.hscrypto}} service instance resides. For more information, see Regional service endpoints.port
Required. The port number of the API endpoint. key_ID
Required. The unique identifier for the root key that you want to replace a rotation policy for. IAM_token
Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAM
token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID
Required. The unique identifier that is assigned to your {{site.data.keyword.hscrypto}} service instance. For more information, see Retrieving an instance ID. correlation_ID
The unique identifier that is used to track and correlate transactions. new_rotation_interval
Required. An integer value that determines the key rotation interval time in months. The minimum is 1
and the maximum is12
.{: caption="Table 3. Describes the variables needed to create a rotation policy with the API" caption-side="bottom"} A successful
PUT api/v2/keys/{id}/policies
response returns updated policy details that are associated with your key. The following JSON object shows an example response for a root key with an updated rotation policy.{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.policy+json" }, "resources": [ { "id": "a1769941-9805-4593-b6e6-290e42dd1cb5", "rotation": { "interval_month": 2 }, "createdby": "IBMid-503CKNRHR7", "createdat": "2019-03-06T16:31:05Z", "updatedby": "IBMid-820DPWINC2", "updatedat": "2019-03-10T12:24:22Z" } ] }
{: screen}
The
interval_month
andupdatedat
values are updated in the policy details for the key. If a different user updates a policy for a key that you created initially, theupdatedby
value also changes to show the identifier for the person who sent the request.
{: #set-rotation-policy-next}
- After you set a rotation policy and you root key is rotated, new cryptographic key material becomes available for protecting the data encryption keys (DEKs) that are associated with the root key. Learn how to reencrypt or rewrap your DEKS without exposing the keys in their plain text form, see Rewrapping keys.
- To learn how envelope encryption helps you control the security of at-rest data in the cloud, see Protecting data with envelope encryption.
- To find out more about programmatically managing your keys, check out the {{site.data.keyword.hscrypto}} key management service API reference doc{: external}.