Key rotation is a critical security practice. In GCP, you can either rotate keys by enabling automatic rotation or by rotating a key manually.
Manual rotation makes sense if a key version is compromised or if you are changing your application to use a different or stronger algorithm.
In this guide, we'll show you how to manually rotate keys using the GCP console and the gcloud CLI.
You will need to have permissions granted by the Cloud KMS Admin role to rotate keys in GCP. If you want to also do the re-encryption step below, you’ll need permissions granted by the Cloud KMS CryptoKey Encrypter/Decrypter role.
These are the steps to manually rotate keys in the GCP Console:
- Open the Key Management page from the Google Cloud Console.
- Select the name of the key ring that contains the key you want to create a new version for.
- Select the key for which you need to create a new version.
- Click Rotate in the displayed header.
- Again, click Rotate in the prompt to confirm the key rotation.
Now you'll see that a new version of your key has been created and is marked as the primary version.
If you want to use a different existing key version instead, you can make it the primary version with these steps:
- Choose the key whose primary version you want to update.
- Click View More in the row of the version you intend to make primary.
- Select Make primary version in the menu.
- In the confirmation prompt, click Make primary.
If you have encrypted anything with the prior version, you'll need to re-encrypt it under the new primary version and then disable or destroy the old version. The console has no encrypt or decrypt action, so the re-encryption step is shown with the CLI in the encryption section below.
To create a new key version with the gcloud CLI:
gcloud kms keys versions create \
    --key <KEY_NAME> \
    --keyring <KEY_RING> \
    --location <LOCATION>
You can input values for each of these parameters:
<KEY_NAME> refers to the name of the key.
<KEY_RING> refers to the name of the key ring that contains the key you want to rotate.
<LOCATION> refers to the key ring Cloud KMS location.
Here’s an example:
gcloud kms keys versions create --key=bowser --keyring=castle --location=global
Unlike the console's Rotate button, a version created this way does not become primary by itself: either add --primary to the create command, or set an existing key version as the primary version with this command:
gcloud kms keys update <KEY_NAME> \
    --keyring <KEY_RING> \
    --location <LOCATION> \
    --primary-version <KEY_VERSION>
The only new flag in this command is --primary-version, where <KEY_VERSION> is the version number (for example, 2) of the version that should become primary.
If you have encrypted data with the prior version, that version can still decrypt it: Cloud KMS ciphertext records which version produced it, and decrypt always uses that version rather than the primary. If that version is compromised, the data stays exposed until you re-encrypt it under the new primary version and disable the old one.
Re-encryption is two CLI steps: first decrypt the existing ciphertext with gcloud kms decrypt (no version flag is needed, since the ciphertext carries it), then encrypt the recovered plaintext with the new primary using the following gcloud CLI command:
gcloud kms encrypt \
    --key <KEY_NAME> \
    --keyring <KEY_RING> \
    --location <LOCATION> \
    --plaintext-file <FILE_TO_BE_ENCRYPTED> \
    --ciphertext-file <FILE_TO_STORE_ENCRYPTED_DATA>
<FILE_TO_BE_ENCRYPTED> should be the local file path for reading the plaintext data.
<FILE_TO_STORE_ENCRYPTED_DATA> should be the local file path for where you plan to save the encrypted output.
To verify that new ciphertext is bound to the new primary version, confirm the primary with gcloud kms keys describe, then disable the old version and check that the re-encrypted files still decrypt with the decrypt command; any file that now fails to decrypt was missed and is still tied to the old version.
Disabling or destroying a key version both stop it from being used to encrypt or decrypt. It's important to ensure that compromised versions are disabled or destroyed, not merely demoted from primary.
The difference between the two is that a disabled version can be re-enabled, while a destroyed version is removed permanently once its scheduled destruction date passes: anything still encrypted under it becomes unrecoverable. If you are certain that you no longer need the version, destroying it is a way to clean up your key ring and ensure a compromised version cannot be restored.
In the GCP Console, you can disable and destroy a key by following these steps:
- In the key ring view, click the key you recently rotated.
- Next to the version of the key you want to change, you’ll see an Actions column with three vertical dots. Click on the dots.
- Depending on which action you want to take, you can either select Disable or Destroy.
- If you choose Destroy, you will need to type in the key name and click Schedule Destruction to confirm the action. Once you have done this, you will have fully rotated your keys and cleaned up the prior key version.
You can also disable or destroy key versions with the CLI.
You can use this command to disable a key version:
gcloud kms keys versions disable <KEY_VERSION> \
    --key <KEY_NAME> \
    --keyring <KEY_RING> \
    --location <LOCATION>
And you can use this command to destroy a key version:
gcloud kms keys versions destroy <KEY_VERSION> \
    --key <KEY_NAME> \
    --keyring <KEY_RING> \
    --location <LOCATION>
If you run the destroy command, the version is scheduled for destruction rather than removed immediately. You have 24 hours after that (the key's scheduled-destruction duration) to change your mind and restore the version with gcloud kms keys versions restore; once the window closes, the version and any data encrypted only under it are gone.
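The three CLI steps above (create a new primary version, re-encrypt existing ciphertext, then disable the prior version) are shown below as one script. This is an added example, not code from Blink or from Google's documentation. It assumes gcloud is installed and authenticated, that the files to rotate were produced by gcloud kms encrypt with this key and end in .enc (the suffix is an assumption), and it uses the page's sample names bowser/castle/global as defaults. The script goes beyond the single-file command on the page: it re-encrypts every file under a directory, disables the old version, and then proves every file still decrypts, re-enabling the old version if anything was missed.

```shell
#!/bin/sh
# Added example (not Blink's or Google's code): one manual Cloud KMS rotation
# with the gcloud CLI, end to end.  Assumes gcloud is authenticated and that the
# *.enc files (assumed suffix) were produced by `gcloud kms encrypt` with this key.
set -eu

KEY=${KEY:-bowser}          # the page's sample key name
KEYRING=${KEYRING:-castle}  # the page's sample key ring
LOCATION=${LOCATION:-global}

# Trailing component of a CryptoKeyVersion resource name, e.g.
# .../cryptoKeys/bowser/cryptoKeyVersions/3 -> 3
version_number() { printf '%s\n' "${1##*/}"; }

# Version number of the key's current primary version.
current_primary() {
  version_number "$(gcloud kms keys describe "$KEY" --keyring="$KEYRING" \
    --location="$LOCATION" --format='value(primary.name)')"
}

# Create a new version and make it primary in one step.  Without --primary the
# CLI, unlike the console's Rotate button, leaves the old primary in place.
create_primary_version() {
  version_number "$(gcloud kms keys versions create --key="$KEY" \
    --keyring="$KEYRING" --location="$LOCATION" --primary --format='value(name)')"
}

# Decrypt one file (KMS uses the version recorded in the ciphertext, so no
# version flag is needed) and encrypt the plaintext again under the new primary.
# The plaintext lives only in the scratch directory, which is removed on exit.
reencrypt_file() {
  f=$1
  pt=$WORK/plain.$$
  gcloud kms decrypt --key="$KEY" --keyring="$KEYRING" --location="$LOCATION" \
    --ciphertext-file="$f" --plaintext-file="$pt"
  gcloud kms encrypt --key="$KEY" --keyring="$KEYRING" --location="$LOCATION" \
    --plaintext-file="$pt" --ciphertext-file="$f.new"
  rm -f "$pt"
  mv "$f.new" "$f"   # replace the old ciphertext only once the new one exists
}

# Rotate the key, re-encrypt every *.enc file under DIR, disable the old
# version, then verify each file still decrypts.  A file that no longer
# decrypts once the old version is off was missed: re-enable the old version
# and fail rather than strand data behind a disabled version.
rotate_key() {
  dir=$1
  WORK=$(mktemp -d)
  trap 'rm -rf "$WORK"' EXIT
  old=$(current_primary)
  new=$(create_primary_version)
  printf 'rotated %s: primary version %s -> %s\n' "$KEY" "$old" "$new" >&2
  find "$dir" -type f -name '*.enc' > "$WORK/files"
  while IFS= read -r f; do reencrypt_file "$f"; done < "$WORK/files"
  gcloud kms keys versions disable "$old" --key="$KEY" --keyring="$KEYRING" \
    --location="$LOCATION"
  while IFS= read -r f; do
    if ! gcloud kms decrypt --key="$KEY" --keyring="$KEYRING" \
         --location="$LOCATION" --ciphertext-file="$f" \
         --plaintext-file="$WORK/check"; then
      printf '%s no longer decrypts; re-enabling version %s\n' "$f" "$old" >&2
      gcloud kms keys versions enable "$old" --key="$KEY" --keyring="$KEYRING" \
        --location="$LOCATION"
      return 1
    fi
    rm -f "$WORK/check"
  done < "$WORK/files"
  printf 'version %s disabled; destroy it once nothing else depends on it\n' \
    "$old" >&2
}

# Usage: ./rotate.sh /path/to/encrypted/files   (KEY, KEYRING, LOCATION in env)
[ $# -eq 0 ] || rotate_key "$1"
```

Destruction is deliberately left as a separate, later step: disable first, wait for anything you missed to surface as a decrypt failure, and only then run gcloud kms keys versions destroy on the old version.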
If you need to manually rotate keys, you have to remember each step and stop what you are working on to make sure you do it all properly. Working through these steps each time isn't hard, but it takes time.
With Blink, you can easily create an automation that rotates keys, re-encrypts files that still use the prior key version, and disables the prior key version with a single click. If a key is compromised, you'll be able to act quickly.
Blink also allows you to schedule disabled key versions for destruction after a set period of time, so your keys get cleaned up while your team still has time to validate that the old versions are no longer needed.
Create your free Blink account and make it easy to rotate your GCP keys.