Key Auto-Rotation in Azure Key Vault

Hi!

In this article, I will share with you a new preview feature of Azure Key Vault. The goal of this feature is to automate the key rotation.

Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Microsoft recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.

Key Vault key rotation feature requires key management permissions. You can assign a « Key Vault Administrator » role to manage rotation policy and on-demand rotation. If you use an access policies permission model, it is required to set ‘Rotate’, ‘Set Rotation Policy’, and ‘Get Rotation Policy’ key permissions to manage rotation policy on keys.

The key rotation policy allows users to configure rotation interval, expiration interval for rotated keys, and near expiry notification period for monitoring expiration using event grid notifications.

Key rotation policy settings:

Expiry time: key expiration interval. It is used to set expiration date on newly rotated key. It does not affect a current key.
Enabled/disabled: flag to enable or disable rotation for the key
Rotation types:
- Automatically renew at a given time after creation (default)
- Automatically renew at a given time before expiry. It requires ‘Expiry Time’ set on rotation policy and ‘Expiration Date’ set on the key.
Rotation time: key rotation interval, the minimum value is 7 days from creation and 7 days from expiration time
Notification time: key near expiry event interval for event grid notification. It requires ‘Expiry Time’ set on rotation policy and ‘Expiration Date’ set on the key.

Configure the key rotation policy: