Key version management


Available in Classic and VPC


To limit the damage from cryptographic key compromise, there are recommended validity periods based on the key's purpose. Generally, the same key should be used for encryption (generating ciphertext) for at most 2 years and for decryption for at most 5 years. It is therefore recommended that you switch to a new key before these periods expire. A key resource, identified by its key tag, consists of the actual raw keys, distinguished by version, and can hold up to 100 versions. Rotating a key to a new version adds a new raw key, which has the same effect as replacing the key entirely while keeping the same key tag.

Rotate keys


Key versions are updated with the key rotation feature. A newly created key is version 1, and each rotation adds the next version, up to 100 versions in total. After 100 rotations, the key can no longer be rotated and must be replaced with a new key. There are two types of rotation: automatic, performed on a configured rotation cycle, and manual, performed by the user on demand. The descriptions for each are as follows:

  • Automatic rotation: performs a rotation automatically at the end of each configured rotation cycle.
  • Manual rotation: performs a rotation on the user's demand. Manual rotation does not affect the next automatic rotation schedule. For example, if a key with a 90-day automatic rotation cycle is rotated manually with 10 days remaining until the next scheduled rotation, the automatic rotation still occurs as scheduled 10 days later.
Caution
  • Keys without automatic rotation enabled become a security liability unless they are rotated manually. Users bear full responsibility for periodic key renewal and management.
  • Note the following after a key rotation:
    • Encryption is only possible with the latest version of the key. Once a key is rotated to a new version, previous versions can no longer be used for encryption and can only be used for decryption.
    • When a key is rotated to a new version, we recommend that users of the previous version re-encrypt their data with the new version as soon as possible and then disable the previous version. For how to re-encrypt with the API, see Re-encrypt.
    • When decrypting, the correct version must be used to obtain the correct result. If you arbitrarily change the version prefix (e.g. ncpkms:v1) in the ciphertext, decryption will not be handled correctly.

Manual rotation

When a user judges that a key is under threat, or its renewal period has passed, they can update the key immediately through manual rotation. Follow these steps to manually rotate a key and update it to a new version:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Key Management Service > Key.
  2. Click [Key rotation] in the basic information tab of the key you want to rotate manually.
  3. When the Rotate now popup window appears, click [Confirm].
  4. Check the updated version information from the Current version.

Automatic Rotation Settings

Follow these steps to set up automatic rotation so that the key is automatically renewed with a new version at regular intervals:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Key Management Service > Key.
  2. Click Automatic rotation in the basic information tab of the key you want to automatically rotate to change the settings.
  3. To set the automatic rotation period, click the [Edit] button for Rotation period (next rotation date).
  4. When the Change rotation period pop-up window appears, enter a rotation period.
    • Enter between 1 and 730 days (default: 90 days)
    • The next rotation date is recalculated immediately after the change
  5. Click [OK].

Version management


Apart from the status of the key itself, you can also set a status on each key version. A key version is either enabled or disabled. The most recent version must always be enabled, so its state cannot be changed. Disabled versions can no longer be used for decryption. As explained earlier, disabling a version is how you enforce the recommendation that a key be used for decryption for no more than 5 years. Therefore, once a key has been rotated and a new version created, and the data has been re-encrypted, it is recommended to disable the previously used version.
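The following is an added example, not NAVER Cloud Platform code, that models the versioning rules described in the Rotate keys and Version management sections: only the latest version encrypts, any enabled version decrypts, a disabled version is refused, manual rotation does not move the automatic schedule, the 1 to 730 day period bounds, and the 100-version cap. The `ncpkms:v<N>:` token layout is assumed from the page's `ncpkms:v1` prefix example, and the HMAC-SHA256 keystream cipher is a stand-in for the service's real encryption; both are constructed for illustration.

```python
"""Model of versioned-key semantics (constructed example, not NCP KMS code)."""
import base64
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_VERSIONS = 100
PREFIX = "ncpkms:v"  # assumed token prefix, based on the page's 'ncpkms:v1' example


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class VersionedKey:
    """One key tag holding up to MAX_VERSIONS raw keys, each enabled or disabled."""

    def __init__(self, today: date, rotation_days: int = 90):
        self.versions = {}      # version number -> {"raw": bytes, "enabled": bool}
        self.current = 0
        self.rotation_days = None
        self.next_rotation = None
        self._add_version()     # a new key starts at version 1
        if rotation_days is not None:
            self.set_rotation_period(today, rotation_days)

    def _add_version(self):
        if self.current >= MAX_VERSIONS:
            raise RuntimeError("100 versions reached; this key must be replaced")
        self.current += 1
        self.versions[self.current] = {"raw": os.urandom(32), "enabled": True}

    def rotate(self):
        """Manual rotation: adds a version, leaves the automatic schedule untouched."""
        self._add_version()

    def set_rotation_period(self, today: date, days: int):
        if not 1 <= days <= 730:
            raise ValueError("rotation period must be between 1 and 730 days")
        self.rotation_days = days
        self.next_rotation = today + timedelta(days=days)  # recalculated immediately

    def run_scheduler(self, today: date) -> bool:
        """Daily check; performs the automatic rotation when the date is due."""
        if self.next_rotation is not None and today >= self.next_rotation:
            self._add_version()
            self.next_rotation = today + timedelta(days=self.rotation_days)
            return True
        return False

    def set_version_enabled(self, version: int, enabled: bool):
        if version == self.current:
            raise ValueError("the latest version must stay enabled")
        self.versions[version]["enabled"] = enabled

    def encrypt(self, plaintext: bytes) -> str:
        """Always uses the latest version; the token records which version was used."""
        raw = self.versions[self.current]["raw"]
        nonce = os.urandom(12)
        body = _keystream_xor(raw, nonce, plaintext)
        tag = hmac.new(raw, nonce + body, hashlib.sha256).digest()[:16]
        return f"{PREFIX}{self.current}:" + base64.b64encode(nonce + body + tag).decode()

    def decrypt(self, token: str) -> bytes:
        """Selects the raw key from the token's version prefix; refuses disabled versions."""
        if not token.startswith(PREFIX):
            raise ValueError("not a versioned token")
        ver, b64 = token[len(PREFIX):].split(":", 1)
        entry = self.versions.get(int(ver))
        if entry is None:
            raise ValueError(f"unknown key version {ver}")
        if not entry["enabled"]:
            raise PermissionError(f"key version {ver} is disabled")
        blob = base64.b64decode(b64)
        nonce, body, tag = blob[:12], blob[12:-16], blob[-16:]
        expected = hmac.new(entry["raw"], nonce + body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            # A tampered prefix lands here: the wrong raw key fails authentication.
            raise ValueError("authentication failed; wrong version or corrupted token")
        return _keystream_xor(entry["raw"], nonce, body)

    def reencrypt(self, token: str) -> str:
        """Re-encrypt under the latest version, as recommended after rotation."""
        return self.encrypt(self.decrypt(token))
```

The flow a practitioner follows after rotation is `reencrypt` every stored token, confirm nothing still carries the old prefix, and only then call `set_version_enabled(old, False)`; disabling first would make the old ciphertext unrecoverable.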