
I have to implement a rotation policy for our KEK used in GCP, and I have doubts about the management of old keys. We have implemented an external key management service in BYOK/EKM mode, and the KEKs are used for GCE, GCS, GKE, and SQL services. Our doubts concern the future usefulness of rotated keys. I would like to proceed as follows: rotate the key and disable the old key. The operations will be performed by our key management system. I am not sure what happens as a result in GCP.

In the future, might GCP services need the old key to work? Or can I delete it from my key management system?

MaXbeMan

1 Answer


You can use Cloud KMS for your key rotation; it supports both automatic and manual rotation policies. Once the new keys are updated in the bucket, Cloud KMS will use these new keys for the resources that are going to be created, and your old keys won't get disabled or deleted and will remain in the storage bucket. So, you don't have to worry about accessing the resources which are encrypted using the old keys.

However, if you want to delete your old keys, you can first replace them. Follow the guidelines on key replacement from this official document:

  • Check your buckets to see which use the key as their default encryption key. For these buckets, replace the old key with a new key. This ensures that all objects written to the bucket use the new key going forward.

  • Inspect your source code to understand which requests use the key in ongoing operations, such as setting bucket configurations and uploading, copying, or rewriting objects. Update these instances to use the new key.

  • Check for objects, in all of your buckets, encrypted with the old key. Use the Rewrite Object method to re-encrypt each object with the new key.

  • Disable all versions of the old key. After disabling old key versions, monitor client and service logs for operations that fail due to a version becoming unavailable.

Note: The guidelines above are taken from the official Google documentation.
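The four replacement steps above, as a worked script for the Cloud Storage case. This is an added example, not code from the answer or from Google's documentation. It assumes placeholder names (project my-proj, location europe-west1, key ring kek-ring, key gcs-kek, bucket my-bucket) and that gcloud/gsutil are installed for the live functions; the resource field names (kms_key, primary.name) and the audit-log filter are taken from current gcloud output as I know it and should be checked against your installed version. Only the filter step runs on the constructed sample data; the gcloud and gsutil calls are left as functions you invoke yourself. It covers Cloud Storage only; GCE disks, GKE and Cloud SQL reference key versions through their own resources and need their own inventory before a version is disabled.

```shell
#!/bin/sh
# Added example (not from the post or Google's docs). Assumed names, replace
# them: project my-proj, location europe-west1, key ring kek-ring, key gcs-kek,
# bucket my-bucket. gcloud/gsutil are only needed by the live_* / rewrite /
# enabled_old_versions / recent_kms_failures functions.
set -eu

PROJECT="my-proj"
LOCATION="europe-west1"
KEYRING="kek-ring"
KEY="gcs-kek"
KEY_PATH="projects/$PROJECT/locations/$LOCATION/keyRings/$KEYRING/cryptoKeys/$KEY"

# Inventory: Cloud Storage records, per object, the exact key *version* it was
# encrypted with (kms_key ends in /cryptoKeyVersions/N). One line per object,
# "<object>TAB<kms_key>"; kms_key is empty for objects without CMEK.
live_object_inventory() {   # $1 = bucket name
  gcloud storage objects list "gs://$1/**" --format="value(name,kms_key)"
}

# Current primary version of the key, i.e. the version new writes will use.
live_primary_version() {
  gcloud kms keys describe "$KEY" --keyring "$KEYRING" --location "$LOCATION" \
    --format="value(primary.name)"
}

# Filter an inventory (stdin) down to the objects that still depend on a
# version other than the primary. Until this prints nothing, disabling the
# old versions will break reads of exactly these objects.
objects_on_old_versions() {   # $1 = primary version resource name
  awk -F '\t' -v primary="$1" '
    $2 == ""      { next }       # no CMEK on this object, nothing to rewrite
    $2 != primary { print $1 }
  '
}

# Re-encrypt the objects named on stdin, in place, with the current primary
# version (server-side rewrite; the data is not downloaded or re-uploaded).
rewrite_with_primary() {   # $1 = bucket name, stdin = object names
  while IFS= read -r obj; do
    gsutil rewrite -k "$KEY_PATH" "gs://$1/$obj"
  done
}

# Versions still ENABLED other than the primary: the candidates to disable
# once the inventory is empty. Disabling is reversible, destroying is not.
enabled_old_versions() {
  primary=$(live_primary_version)
  gcloud kms keys versions list --key "$KEY" --keyring "$KEYRING" \
    --location "$LOCATION" --filter="state=ENABLED" --format="value(name)" \
    | grep -v -x -F "$primary" || :
}

# After disabling: failed Decrypt calls show up in the Cloud KMS data-access
# audit logs (assumed to be enabled). Any hit means some consumer still needs
# the old version; re-enable it. The filter is an assumption, adjust as needed.
recent_kms_failures() {
  gcloud logging read \
    'protoPayload.serviceName="cloudkms.googleapis.com" AND protoPayload.status.code!=0' \
    --project "$PROJECT" --freshness=1d \
    --format="value(timestamp,protoPayload.resourceName,protoPayload.status.message)"
}

# Constructed sample inventory (not real data) so the filter runs offline:
# two objects still on version 1, one on the primary version 2, one without CMEK.
SAMPLE_PRIMARY="$KEY_PATH/cryptoKeyVersions/2"
sample_inventory() {
  printf '%s\t%s\n' \
    "logs/2023-01.gz"   "$KEY_PATH/cryptoKeyVersions/1" \
    "logs/2023-08.gz"   "$KEY_PATH/cryptoKeyVersions/2" \
    "backups/db.sql"    "$KEY_PATH/cryptoKeyVersions/1" \
    "public/index.html" ""
}

echo "Objects that still depend on an old key version:"
sample_inventory | objects_on_old_versions "$SAMPLE_PRIMARY"

# Live use, in order:
#   live_object_inventory my-bucket \
#     | objects_on_old_versions "$(live_primary_version)" \
#     | rewrite_with_primary my-bucket
#   re-run the inventory until it prints nothing, then disable each version
#   from enabled_old_versions, then watch recent_kms_failures through at least
#   one full backup/restore cycle before destroying anything.
```

The order matters: the inventory is the evidence that an old version is no longer referenced, so rewrite first, disable second, and only destroy after a disabled version has sat through a full operational cycle (backups, restores, batch jobs) without a single decrypt failure in the logs. Disabling a version that is still referenced is recoverable by re-enabling it; destroying it is not.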

  • "Cloud KMS will use these new keys for the resources that are going to be created " ; my concerns are on already generated infrastructure and not future ones. How can I verify that rotated keys are no longer needed? – MaXbeMan Aug 30 '23 at 11:33
  • @MaXbeMan like I mentioned you can verify this by "monitoring client and service logs for operations that fail due to a version becoming unavailable" and JFYI as per the official docs if you just rotate your keys in Cloud KMS the previous versions of the key are not disabled or destroyed, so Cloud Storage can still decrypt existing objects that were previously encrypted using those versions. So as part of your key management cycle you need to replace the existing keys which are being used for encryption and decryption of the services only then the cycle can be said completed. – Kranthiveer Dontineni Aug 30 '23 at 11:42