Configure key rotation

Automated cryptographic key rotation lets you configure Key Vault to generate a new key version automatically at a specified frequency, using a rotation policy defined on each individual key. Microsoft's guidance is to rotate encryption keys at least every two years to meet cryptographic best practices. Compliance with a rotation policy can also be audited at scale across a subscription or resource group with Azure Policy.

The process below describes end-to-end, zero-touch rotation of a customer-managed key (CMK) stored in Azure Key Vault and used for encryption at rest by Azure services.

Pricing:

Automated key rotation is billed per scheduled rotation and is a separate line item from certificate renewal: the $3 per renewal request figure is the Key Vault charge for a certificate renewal, not for a key rotation. Check the current Azure Key Vault pricing page for the per-rotation rate before enabling rotation across many keys.

RBAC:

Key rotation requires key-management permissions. Following the principle of least privilege (PoLP), grant the Key Vault Crypto Officer role only to the identities that manage rotation policies and trigger on-demand rotation; a service that only wraps and unwraps data-encryption keys with the CMK can run as Key Vault Crypto Service Encryption User, which cannot change the policy.

The key rotation policy:

The key rotation policy defines when a new key version is generated and, separately, when Key Vault publishes a near-expiry notification through Event Grid (the KeyNearExpiry event), so you can act before the key expires.

Key rotation creates a new version of an existing key with new key material. Services that use the key should reference the versionless key URI so they pick up the latest version automatically. Your data encryption solution must, however, store the versioned key URI alongside each piece of data, so that the unwrap/decrypt operation uses the same key material that was used to wrap/encrypt it; otherwise rotation breaks decryption of existing data. All Azure services that support CMK currently follow this pattern.

Option 1 - Manually defining the key rotation policy on each individual key

The steps below use a key rotation policy manually defined on each individual key.

Go to Azure Key Vault > Keys >

select your key >

Select Rotation policy >

Set the expiration date of the key (an expiration date is required for the rotate-before-expiry option),

Enable auto rotation,

Rotation option > Automatically renew at a given time before expiry

(this option is greyed out if the key has no expiration date; the alternative is to rotate a fixed time after creation),

Select the rotation time, i.e. how long before expiry the new version is created (Key Vault requires at least 7 days before expiry and at least 7 days after creation),

Select the notification time, i.e. how long before expiry the near-expiry Event Grid notification is raised,

Save
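The same policy, applied with the Azure CLI instead of the portal, as an added example that is not part of the original article. The vault name, key name and durations are placeholders; the JSON shape is the documented Key Vault rotation policy format (ISO 8601 durations), and the script also prints the versionless key URI to hand to the consuming service, since that is what the rotation pattern above depends on:

```shell
#!/bin/sh
# Added example (not from the original article): set a Key Vault key rotation
# policy with the Azure CLI. Vault/key names and durations are placeholders.

# Print a rotation policy that expires the key after $1, rotates $2 before
# expiry and raises the Event Grid near-expiry notification $3 before expiry.
make_rotation_policy() {
  expiry="$1"; rotate_before="$2"; notify_before="$3"
  cat <<EOF
{
  "lifetimeActions": [
    { "trigger": { "timeBeforeExpiry": "$rotate_before" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "$notify_before" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "$expiry" }
}
EOF
}

# Key Vault rejects a rotation trigger closer than 7 days to expiry, so fail
# early instead of round-tripping to the service. Accepts the PnD day form only.
rotate_window_ok() {
  case "$1" in
    P*D) days="${1#P}"; days="${days%D}" ;;
    *) return 1 ;;
  esac
  case "$days" in ''|*[!0-9]*) return 1 ;; esac
  [ "$days" -ge 7 ]
}

# Strip the version segment so a consuming service tracks the latest version:
# https://<vault>.vault.azure.net/keys/<key>/<version> -> .../keys/<key>
versionless_uri() {
  printf '%s\n' "$1" | sed 's#/[^/]*$##'
}

# Apply the policy, read it back, and print the versionless key URI.
# Requires `az login` and the Key Vault Crypto Officer role on the vault.
apply_rotation_policy() {
  vault="$1"; key="$2"; expiry="$3"; rotate_before="$4"; notify_before="$5"
  rotate_window_ok "$rotate_before" || {
    echo "rotation trigger must be at least 7 days before expiry (got $rotate_before)" >&2
    return 1
  }
  policy_file="$(mktemp)"
  make_rotation_policy "$expiry" "$rotate_before" "$notify_before" > "$policy_file"
  az keyvault key rotation-policy update --vault-name "$vault" --name "$key" --value "$policy_file"
  az keyvault key rotation-policy show --vault-name "$vault" --name "$key" -o jsonc
  kid="$(az keyvault key show --vault-name "$vault" --name "$key" --query key.kid -o tsv)"
  echo "versionless key URI: $(versionless_uri "$kid")"
  rm -f "$policy_file"
}

# Usage (placeholder names): 2-year key, rotate 30 days and notify 14 days before expiry.
# apply_rotation_policy myvault mykey P2Y P30D P14D
# On-demand rotation, which creates a new version immediately:
# az keyvault key rotate --vault-name myvault --name mykey
```

The Rotate and Notify actions are independent entries in lifetimeActions, which is why you can notify well before the automatic rotation fires and still act manually with `az keyvault key rotate` if needed.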

Option 2 - Key rotation Azure Policy

Azure Policy cannot set a rotation policy on a key for you, but it can audit (or, with the Deny effect, block) keys across a subscription or resource group that do not have a rotation scheduled within a chosen number of days after creation.

Go to Azure Portal > Policy > Assignments > Assign policy >

Select your scope,

Under Policy definition, search for Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation and select it (the Assignment name is filled in from the definition; change it if you want),

Parameters tab:

Set the maximum number of days after creation within which each key's rotation must be scheduled,

Set Effect = Audit (use Deny if you want to block creation of keys that lack a compliant rotation policy),

Review and Create,

Verify

Go to Compliance and verify the compliance state of the scope the assignment covers; evaluation runs on a cycle, so a fresh assignment may take some time before it reports. Non-compliant keys are those with no rotation policy, or with rotation scheduled later than the chosen number of days after creation.
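The same assignment and compliance check done with the Azure CLI, as an added example that is not from the original article. The scope, assignment name and 90-day window are placeholders; the definition is looked up by display name so no GUID is hardcoded, and the parameter name maximumDaysToRotate is assumed from the built-in definition, so the script prints the definition's declared parameters before assigning so you can confirm it:

```shell
#!/bin/sh
# Added example (not from the original article): assign the built-in key
# rotation policy and list non-compliant keys with the Azure CLI.

POLICY_DISPLAY_NAME='Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation'

# Build the assignment parameters. Effect defaults to Audit; Deny blocks
# creation of keys without a compliant rotation policy. The parameter name
# maximumDaysToRotate is assumed from the built-in definition.
make_policy_params() {
  max_days="$1"; effect="${2:-Audit}"
  case "$effect" in
    Audit|Deny|Disabled) ;;
    *) echo "bad effect: $effect" >&2; return 1 ;;
  esac
  case "$max_days" in
    ''|*[!0-9]*) echo "bad day count: $max_days" >&2; return 1 ;;
  esac
  printf '{"maximumDaysToRotate":{"value":%s},"effect":{"value":"%s"}}\n' "$max_days" "$effect"
}

# Resolve the built-in definition name from its display name.
find_policy_definition() {
  az policy definition list --query "[?displayName=='$POLICY_DISPLAY_NAME'].name" -o tsv
}

# Assign the definition at a scope such as /subscriptions/<id>/resourceGroups/<rg>.
assign_rotation_policy() {
  scope="$1"; max_days="$2"; effect="${3:-Audit}"
  def="$(find_policy_definition)"
  [ -n "$def" ] || { echo "built-in policy definition not found" >&2; return 1; }
  # Show the parameters the definition actually declares before relying on them.
  az policy definition show --name "$def" --query parameters -o jsonc
  params="$(make_policy_params "$max_days" "$effect")" || return 1
  az policy assignment create \
    --name "kv-key-rotation-$effect" \
    --display-name "Key Vault keys must have rotation scheduled within $max_days days" \
    --scope "$scope" \
    --policy "$def" \
    --params "$params"
}

# Summarize compliance for the assignment and list the non-compliant keys.
report_compliance() {
  assignment="$1"
  az policy state summarize --policy-assignment "$assignment"
  az policy state list --policy-assignment "$assignment" \
    --filter "complianceState eq 'NonCompliant'" \
    --query "[].resourceId" -o tsv
}

# Usage (placeholders):
# assign_rotation_policy /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg 90 Audit
# report_compliance kv-key-rotation-Audit
```

Start with Audit to see which keys would fail, then switch the assignment to Deny once existing keys have rotation policies; a Deny assignment only affects new or updated keys, so the Audit pass is what finds the existing gaps.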
