LAB 26 (Rotate Keys in Vault) - arunsinghchauhan38-arch/CLOUDARCHITECTDOC GitHub Wiki
Rotate Keys in Vault
In OCI Vault, key rotation means creating a new version of an existing master encryption key while keeping the older versions available for decrypting data that was encrypted with them.

## 🔑 What Key Rotation Does

- Generates a new key version: OCI automatically creates new cryptographic key material for the key.
- Maintains old versions: Older versions remain usable for decryption, so data encrypted before the rotation is not lost (it is not re-encrypted automatically; it still decrypts with the version that produced it).
- Uses the latest version for encryption: Any new data encrypted with that key uses the newest version.
## ⚙️ Why It Matters

- Security best practice: Regular rotation limits how much data any one key version protects, reducing the long-term exposure if a key is compromised.
- Compliance: Many standards (PCI DSS, HIPAA, ISO) require periodic key rotation.
- Transparency for apps: Applications reference the key by its OCID, not by version, so they automatically use the latest version without code changes.
## 📌 Rotation Options

- Manual rotation: You trigger the rotation in the OCI Console or via the CLI/API.
- Automatic rotation: You set a rotation policy (e.g., every 90 days) and OCI performs the rotation on that schedule.
## 🔑 What Happens During Key Rotation

- New version creation: When you rotate a key, OCI generates new cryptographic key material (a new version) for that key.
- Versioning: Each key has multiple versions. The latest version is always used for encryption, while older versions remain available for decryption.
- Transparent to applications: Apps reference the key by its OCID, not by version, so they automatically use the newest version without needing code changes.
## Steps to Rotate a Key in Vault

- Go to Identity & Security, click Vault, then open Test Vault.
- Click Master Encryption Keys, open the three-dot (...) menu on the right of Test_Vault_Key, click Rotate Key, and click Confirm.
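The same rotation done through the API instead of the console, with a check that a ciphertext created before the rotation still decrypts afterwards and that the key's current version actually changed. This is an added example, not code from the wiki; it assumes the OCI Python SDK (`pip install oci`), a configured `~/.oci/config` profile, and the placeholder key OCID and vault endpoints below.

```python
import base64

# Placeholders: replace with the OCID of Test_Vault_Key and the vault's two endpoints.
KEY_ID = "ocid1.key.oc1..PLACEHOLDER"
MGMT_ENDPOINT = "https://PLACEHOLDER-management.kms.REGION.oraclecloud.com"
CRYPTO_ENDPOINT = "https://PLACEHOLDER-crypto.kms.REGION.oraclecloud.com"

def rotate_key(mgmt, key_id):
    """Rotate via the management API (what the console's "Rotate key" does) and
    return (old_version_ocid, new_version_ocid); fail if nothing changed."""
    old = mgmt.get_key(key_id).data.current_key_version
    mgmt.create_key_version(key_id)
    new = mgmt.get_key(key_id).data.current_key_version
    if new == old:
        raise RuntimeError("key %s: current version unchanged after rotation" % key_id)
    return old, new

def rotation_preserves_decryption(mgmt, key_id, encrypt, decrypt, sample=b"order-4711"):
    """encrypt(key_id, bytes) -> ciphertext str; decrypt(key_id, str) -> bytes.
    Callers address the key by OCID only, so ciphertext made before the rotation
    must still decrypt (old version) and new ciphertext must use the new version."""
    before = encrypt(key_id, sample)
    old, new = rotate_key(mgmt, key_id)
    after = encrypt(key_id, sample)
    return (old != new and decrypt(key_id, before) == sample
            and decrypt(key_id, after) == sample)

def oci_codec(crypto):
    """Build encrypt/decrypt callables over a KmsCryptoClient (SDK imported here
    so the rotation logic above can be exercised without the SDK installed)."""
    import oci

    def encrypt(key_id, data):
        req = oci.key_management.models.EncryptDataDetails(
            key_id=key_id, plaintext=base64.b64encode(data).decode())
        return crypto.encrypt(req).data.ciphertext  # uses the current version

    def decrypt(key_id, ciphertext):
        # No key_version_id given: the service resolves the version that encrypted it.
        req = oci.key_management.models.DecryptDataDetails(key_id=key_id, ciphertext=ciphertext)
        return base64.b64decode(crypto.decrypt(req).data.plaintext)
    return encrypt, decrypt

if __name__ == "__main__":
    import oci
    cfg = oci.config.from_file()  # ~/.oci/config, DEFAULT profile
    mgmt = oci.key_management.KmsManagementClient(cfg, service_endpoint=MGMT_ENDPOINT)
    crypto = oci.key_management.KmsCryptoClient(cfg, service_endpoint=CRYPTO_ENDPOINT)
    enc, dec = oci_codec(crypto)
    print("rotation preserved decryption:", rotation_preserves_decryption(mgmt, KEY_ID, enc, dec))
```

The management and crypto endpoints are different hosts for the same vault; both are shown on the vault's details page in the console.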