The Akeyless Dev Hub


Key Rotation

Rotate Key

To rotate a key, use the rotate-key command.
The rotate-key command creates another version of the key. The key fragment instances and split level remain the same across versions, as does the customer fragment associated with the key (if any).
A rotated key is treated as an extra item in the system and is billed accordingly.
The following constraints apply when rotating a key:

  • Only AES keys can be rotated.
  • Only Enabled keys can be rotated.

After a key is rotated, its latest version is used for Encryption and Decryption operations; previous versions can still be used for Decryption operations.

NOTE: This applies when the key and its key versions are in an Enabled state.

A key can be set to automatically rotate every 7-365 days.
To delete a specific key version, check out the Delete Item command.

  • Akeyless CLI
    The following parameters are supported:
    • -n,--name - The item name
    • --auto-rotate - Whether to automatically rotate every --rotation-interval days, or disable existing automatic rotation
    • --rotation-interval - The number of days to wait between every automatic key rotation (7-365)

Examples

Prerequisite - key1 is created:

$ akeyless create-key -n key1 --alg AES256GCM
=====================
Encryption Key Fragement #1 created succsessfully in 13 milliseconds
Encryption Key Fragement #2 created succsessfully in 14 milliseconds
Encryption Key Fragement #3 created succsessfully in 14 milliseconds
=====================
A new AES256GCM key named key1 was successfully created

Example 1 - Rotating key1:

$ akeyless rotate-key -n key1
Key key1 has been rotated successfully, new version: 2

Example 2 - Setting key1 to automatically rotate every 30 days:

$ akeyless rotate-key -n key1 --auto-rotate true --rotation-interval 30
Key key1 has been set to automatically rotate every 30 days successfully, next rotation: 2020-01-30 12:00:00 +0000 UTC

Example 3 - Canceling key1 from being automatically rotated:

$ akeyless rotate-key -n key1 --auto-rotate false
Key key1 automatic rotation has been disabled successfully

  • Akeyless web UI

Example 1 - Trigger rotation of key1 with the Rotate key now button:

Example 2 - Automatic rotation settings:

Describe Item

Running the describe-item command shows all of the item's versions.

  • Akeyless CLI
    The following parameters are supported:
    • -n,--name - The item name
    • --show-versions - If you want to see all the item versions

Examples

Prerequisite - key1 is created and rotated:

$ akeyless create-key -n key1 --alg AES256GCM
=====================
Encryption Key Fragement #1 created succsessfully in 13 milliseconds
Encryption Key Fragement #2 created succsessfully in 14 milliseconds
Encryption Key Fragement #3 created succsessfully in 14 milliseconds
=====================
A new AES256GCM key named key1 was successfully created

$ akeyless rotate-key -n key1
Key key1 has been rotated successfully, new version: 2

Example 1 - Describing the rotated key with all its versions:

$ akeyless describe-item -n key1 --show-versions
{
   "item_name": "/key1",
   "item_type": "AES256GCM",
   "item_metadata": "",
   "item_size": 32,
   "last_version": 2,
   "with_customer_fragment": false,
   "is_enabled": true,
   "public_value": "",
   "certificates": "",
   "protection_key_name": "",
   "cert_issuer_signer_key_name": "",
   "certificate_issue_details": {
      "max_ttl": 0,
      "cert_issuer_type": "",
      "ssh_cert_issuer_details": null,
      "pki_cert_issuer_details": null
   },
   "client_permissions": [
      "read",
      "list",
      "update",
      "delete",
      "create"
   ],
   "item_state": "Enabled",
   "item_versions": [
      {
         "version": 1,
         "item_version_state": "PendingDeletion",
         "deletion_date": "2020-01-30T13:00:00Z"
      },
      {
         "version": 2,
         "item_version_state": "Enabled"
      }
   ]
}

  • Akeyless web UI

Example 1 - Rotated key with all its versions:

Example 2 - Change state of version:

Example 3 - Delete version:
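
Added example (not part of the Akeyless documentation): a Python check over the describe-item --show-versions JSON from the CLI example above, reporting which version encrypts, which versions can still decrypt, and how many days remain before a version is deleted. The function name, the report layout and the "today" date are assumptions of this example, and treating only Enabled versions as usable is its reading of the NOTE in the Rotate Key section.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the describe-item output shown on this page,
# trimmed to the fields this check reads.
SAMPLE = """
{
  "item_name": "/key1",
  "item_type": "AES256GCM",
  "last_version": 2,
  "item_state": "Enabled",
  "item_versions": [
    {"version": 1, "item_version_state": "PendingDeletion",
     "deletion_date": "2020-01-30T13:00:00Z"},
    {"version": 2, "item_version_state": "Enabled"}
  ]
}
"""

def audit_key_versions(describe_json, now):
    """Summarize usable and expiring versions (hypothetical helper)."""
    item = json.loads(describe_json)
    key_enabled = item.get("item_state") == "Enabled"
    report = {"name": item["item_name"], "encrypt_version": None,
              "decrypt_versions": [], "pending_deletion": []}
    for v in item.get("item_versions", []):
        state = v.get("item_version_state")
        if state == "Enabled" and key_enabled:
            # Assumption from the NOTE: only Enabled versions of an
            # Enabled key take part in cryptographic operations.
            report["decrypt_versions"].append(v["version"])
            if v["version"] == item["last_version"]:
                # Only the latest version is used for encryption.
                report["encrypt_version"] = v["version"]
        elif state == "PendingDeletion":
            when = datetime.strptime(v["deletion_date"], "%Y-%m-%dT%H:%M:%SZ")
            when = when.replace(tzinfo=timezone.utc)
            # Whole days left before this version is removed.
            days_left = (when - now).days
            report["pending_deletion"].append((v["version"], days_left))
    return report

if __name__ == "__main__":
    today = datetime(2020, 1, 23, 13, 0, tzinfo=timezone.utc)  # constructed date
    print(audit_key_versions(SAMPLE, today))
```

A version listed under pending_deletion is the one to check for remaining ciphertext before its deletion date.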

Updated 6 months ago
