Key Rotation is the process of periodic renewal of cryptographic keys to maintain security, reduce compromise risk, and comply with security best practices.

What is Key Rotation?

Key rotation is a security practice that consists of regularly replacing cryptographic keys used to encrypt and decrypt data, authenticate users, and protect communications.

Importance of Rotation

Risk Reduction

  • Limited Compromise: Limits impact of compromised keys
  • Exposure Window: Reduces exposure window
  • Attacks: Hinders brute force attacks
  • Security: Maintains long-term security

Regulatory Compliance

  • Standards: Compliance with security standards
  • Regulations: Regulatory compliance
  • Audits: Audit preparation
  • Certifications: Certification maintenance

Best Practices

  • Industry: Industry standards
  • Recommendations: Expert recommendations
  • Security: Robust security practices
  • Management: Proactive risk management

Rotation Types

Scheduled Rotation

  • Schedule: Rotation according to fixed schedule
  • Periodic: Regular rotation (daily, weekly, monthly)
  • Automatic: Automatic rotation
  • Predictable: Easy to plan

Event-Based Rotation

  • Compromise: Rotation after suspected compromise
  • Personnel: Rotation after personnel changes
  • System: Rotation after system changes
  • Emergency: Emergency rotation

Gradual Rotation

  • Transition: Gradual transition between keys
  • Coexistence: Temporary key coexistence
  • Migration: Gradual data migration
  • Compatibility: Compatibility maintenance

Rotation Strategies

Simple Rotation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

import datetime
import secrets
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization

class SimpleKeyRotation:
    def __init__(self, rotation_interval_days=90):
        self.rotation_interval = datetime.timedelta(days=rotation_interval_days)
        self.current_key = None
        self.key_history = []
        self.last_rotation = None
    
    def generate_new_key(self, key_size=2048):
        """Generate new key"""
        private_key = rsa.generate_private_key(
            public_exponent=65537,
            key_size=key_size
        )
        return private_key
    
    def should_rotate(self):
        """Check if key rotation is necessary"""
        if self.last_rotation is None:
            return True
        
        return datetime.datetime.now() - self.last_rotation > self.rotation_interval
    
    def rotate_key(self):
        """Rotate the key"""
        if not self.should_rotate():
            return False
        
        # Generate new key
        new_key = self.generate_new_key()
        
        # Save previous key in history
        if self.current_key is not None:
            self.key_history.append({
                'key': self.current_key,
                'created': self.last_rotation,
                'retired': datetime.datetime.now()
            })
        
        # Update current key
        self.current_key = new_key
        self.last_rotation = datetime.datetime.now()
        
        return True

# Usage example
key_rotation = SimpleKeyRotation(rotation_interval_days=30)
if key_rotation.should_rotate():
    key_rotation.rotate_key()

Rotation with Data Migration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

class DataMigrationKeyRotation:
    def __init__(self, encryption_service):
        self.encryption_service = encryption_service
        self.old_key = None
        self.new_key = None
        self.migration_status = "idle"
    
    def start_rotation(self):
        """Start rotation process"""
        # Generate new key
        self.new_key = self.generate_new_key()
        
        # Keep previous key
        self.old_key = self.encryption_service.get_current_key()
        
        # Change status
        self.migration_status = "migrating"
        
        return True
    
    def migrate_data(self, encrypted_data):
        """Migrate encrypted data"""
        if self.migration_status != "migrating":
            raise ValueError("Rotation not started")
        
        # Decrypt with old key
        decrypted_data = self.encryption_service.decrypt(
            encrypted_data, 
            self.old_key
        )
        
        # Encrypt with new key
        new_encrypted_data = self.encryption_service.encrypt(
            decrypted_data, 
            self.new_key
        )
        
        return new_encrypted_data
    
    def complete_rotation(self):
        """Complete rotation"""
        if self.migration_status != "migrating":
            raise ValueError("Migration not in progress")
        
        # Update encryption service
        self.encryption_service.set_current_key(self.new_key)
        
        # Clean old key
        self.old_key = None
        self.migration_status = "completed"
        
        return True

# Usage example
class EncryptionService:
    def __init__(self):
        self.current_key = None
    
    def get_current_key(self):
        return self.current_key
    
    def set_current_key(self, key):
        self.current_key = key
    
    def encrypt(self, data, key):
        # Implement encryption
        return f"encrypted_{data}"
    
    def decrypt(self, encrypted_data, key):
        # Implement decryption
        return encrypted_data.replace("encrypted_", "")

encryption_service = EncryptionService()
rotation = DataMigrationKeyRotation(encryption_service)

Rotation Automation

Automatic Rotation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

import schedule
import time
import logging
from datetime import datetime

class AutomatedKeyRotation:
    def __init__(self, key_manager, rotation_interval_hours=24):
        self.key_manager = key_manager
        self.rotation_interval = rotation_interval_hours
        self.logger = logging.getLogger(__name__)
    
    def setup_schedule(self):
        """Setup rotation schedule"""
        schedule.every(self.rotation_interval).hours.do(self.rotate_keys)
        self.logger.info(f"Rotation scheduled every {self.rotation_interval} hours")
    
    def rotate_keys(self):
        """Rotate keys automatically"""
        try:
            self.logger.info("Starting automatic key rotation")
            
            # Get keys that need rotation
            keys_to_rotate = self.key_manager.get_keys_for_rotation()
            
            for key_id in keys_to_rotate:
                self.key_manager.rotate_key(key_id)
                self.logger.info(f"Key {key_id} rotated successfully")
            
            self.logger.info("Automatic rotation completed")
            
        except Exception as e:
            self.logger.error(f"Error in automatic rotation: {e}")
    
    def start_scheduler(self):
        """Start scheduler"""
        self.setup_schedule()
        
        while True:
            schedule.run_pending()
            time.sleep(60)  # Check every minute

# Usage example
class KeyManager:
    def __init__(self):
        self.keys = {}
    
    def get_keys_for_rotation(self):
        """Get keys that need rotation"""
        keys_to_rotate = []
        for key_id, key_info in self.keys.items():
            if self.should_rotate_key(key_info):
                keys_to_rotate.append(key_id)
        return keys_to_rotate
    
    def should_rotate_key(self, key_info):
        """Check if a key needs rotation"""
        # Implement rotation logic
        return True
    
    def rotate_key(self, key_id):
        """Rotate a specific key"""
        # Implement key rotation
        pass

key_manager = KeyManager()
automated_rotation = AutomatedKeyRotation(key_manager)
# automated_rotation.start_scheduler()  # Run in separate thread

Event-Driven Rotation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

class EventDrivenKeyRotation:
    def __init__(self, key_manager):
        self.key_manager = key_manager
        self.event_handlers = {
            'key_compromise': self.handle_compromise,
            'personnel_change': self.handle_personnel_change,
            'system_change': self.handle_system_change,
            'emergency': self.handle_emergency
        }
    
    def handle_event(self, event_type, event_data):
        """Handle rotation event"""
        if event_type in self.event_handlers:
            self.event_handlers[event_type](event_data)
        else:
            raise ValueError(f"Unsupported event type: {event_type}")
    
    def handle_compromise(self, event_data):
        """Handle key compromise"""
        key_id = event_data.get('key_id')
        if key_id:
            self.key_manager.rotate_key_immediately(key_id)
            self.key_manager.revoke_key(key_id)
    
    def handle_personnel_change(self, event_data):
        """Handle personnel change"""
        user_id = event_data.get('user_id')
        if user_id:
            self.key_manager.rotate_user_keys(user_id)
    
    def handle_system_change(self, event_data):
        """Handle system change"""
        system_id = event_data.get('system_id')
        if system_id:
            self.key_manager.rotate_system_keys(system_id)
    
    def handle_emergency(self, event_data):
        """Handle emergency rotation"""
        self.key_manager.rotate_all_keys()

# Usage example
event_rotation = EventDrivenKeyRotation(key_manager)
event_rotation.handle_event('key_compromise', {'key_id': 'key_123'})

Best Practices

Rotation Frequency

  • Session Keys: Frequent rotation (daily/weekly)
  • Encryption Keys: Regular rotation (monthly/quarterly)
  • Signing Keys: Less frequent rotation (annual)
  • Root Keys: Very infrequent rotation

Lifecycle Management

  • Generation: Secure key generation
  • Distribution: Secure distribution
  • Usage: Controlled usage
  • Rotation: Scheduled rotation
  • Revocation: Revocation when necessary
  • Destruction: Secure destruction

Monitoring and Auditing

  • Logging: Logging of all operations
  • Monitoring: Continuous monitoring
  • Alerts: Alerts for failures
  • Audit: Regular audit

Rotation Tools

AWS KMS

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

import boto3
from botocore.exceptions import ClientError

class AWSKMSKeyRotation:
    def __init__(self, region_name='us-east-1'):
        self.kms_client = boto3.client('kms', region_name=region_name)
    
    def enable_automatic_rotation(self, key_id, rotation_period_days=365):
        """Enable automatic rotation"""
        try:
            response = self.kms_client.enable_key_rotation(
                KeyId=key_id
            )
            return response
        except ClientError as e:
            print(f"Error enabling rotation: {e}")
            return None
    
    def rotate_key(self, key_id):
        """Rotate key manually"""
        try:
            response = self.kms_client.create_key(
                Description=f"Rotated key for {key_id}",
                KeyUsage='ENCRYPT_DECRYPT'
            )
            return response['KeyMetadata']['KeyId']
        except ClientError as e:
            print(f"Error rotating key: {e}")
            return None

# Usage example
kms_rotation = AWSKMSKeyRotation()
kms_rotation.enable_automatic_rotation('alias/my-key')

HashiCorp Vault

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

import hvac

class VaultKeyRotation:
    def __init__(self, vault_url, token):
        self.client = hvac.Client(url=vault_url, token=token)
    
    def rotate_transit_key(self, key_name):
        """Rotate transit key"""
        try:
            response = self.client.secrets.transit.rotate_key(
                name=key_name
            )
            return response
        except Exception as e:
            print(f"Error rotating key: {e}")
            return None
    
    def rekey_transit_key(self, key_name, new_key_name):
        """Rekey transit key"""
        try:
            response = self.client.secrets.transit.rekey(
                name=key_name,
                new_name=new_key_name
            )
            return response
        except Exception as e:
            print(f"Error rekeying key: {e}")
            return None

# Usage example
vault_rotation = VaultKeyRotation('http://localhost:8200', 'my-token')
vault_rotation.rotate_transit_key('my-encryption-key')
  • PKI - Infrastructure that manages key rotation
  • HSM - Device that facilitates key rotation
  • Key Escrow - System that complements key rotation
  • RSA - Algorithm that requires key rotation
  • AES - Algorithm that requires key rotation
  • CISO - Role that oversees key rotation
  • General Cybersecurity - Discipline that includes key rotation
  • Security Breaches - Incidents that require key rotation
  • Attack Vectors - Attacks that require key rotation
  • Incident Response - Process that includes key rotation
  • SIEM - System that monitors key rotation
  • SOAR - Automation that manages key rotation
  • EDR - Tool that protects key rotation
  • Firewall - Device that complements key rotation
  • VPN - Connection that requires key rotation
  • Dashboards - Visualization of key rotation metrics
  • Logs - Key rotation operation logs

References