Introduction
Key vault has an automated key rotation feature
that will automatically generate a new key version. Rotation policy
can be used to set rotation for individual keys. It is recommended that the encryption keys be changed at least every two years
.
This feature allows end-to-end zero-touch rotation
for the customer-managed key in the azure key vault. There is an additional cost for each scheduled key rotation.
Key management permission is required for the Key Vault key rotation feature. You can assign a role to manage rotation policy and on-demand rotation.
Key rotation policy
Users can use the key rotation policy to set rotation and event grid notifications.
1. Expiry time
It's used to set an expired date on a new key. It doesn't affect the current key.
2. Enabled/disabled
There is a flag that can be enabled or disabled for the key.
3. Rotation types
- You can automatically renew at a given time after creation.
- You can automatically renew at a given time before expiry.
4. Rotation time
The minimum value is seven days from creation and seven days from the end of the rotation.
5. Notification time
The key is near the end of the event interval.
Key rotation policy should be configured during key creation
.
The rotation policy should be configured on the existing keys.
Key rotation can be invoked manually. To invoke rotation, click Rotate Now
.
The event grid key has a configuration of expiry notification. Notification can be configured with days, months and years before the event.
Key rotation can be configured with the ARM template. Key rotation policy can be configured using templates.
Thanks for reading my article till end. I hope you learned something special today. If you enjoyed this article then please share to your friends and if you have suggestions or thoughts to share with me then please write in the comment box.