On-Demand Key Rotation for AWS AES Keys with BYOK

Beginning with release 10.5.1, you can use on-demand key rotation with BYOK using native support in AWS for key versions.

The following caveats apply to on-demand key rotation:

  • Only AES keys can be rotated using on-demand rotation. Asymmetric encryption keys and HMAC keys are not supported.

  • A key can be rotated using on-demand rotation at most 10 times, for a total of 11 versions.

  • Key versions that were created using on-demand rotation can only be deleted from the cloud or uploaded to the cloud. They cannot be disabled or scheduled for deletion.

  • When the master key is scheduled for deletion, all versions of the key created using on-demand rotation are also scheduled for deletion.
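The limits above come from the underlying AWS KMS mechanism. As an added example (not part of this product's documentation or code), the following boto3 pre-flight check reads a key's description and rotation history and refuses to call RotateKeyOnDemand for a non-symmetric key or once the 10-rotation budget is spent; the `kms` client argument and the sample responses are constructed for illustration.

```python
"""Pre-flight check for AWS KMS on-demand rotation (added example).

Assumes boto3 is installed and AWS credentials are configured when
rotate_if_allowed() is given a real client; the helper functions run
offline on the constructed responses at the bottom of this file.
"""
from typing import Any, Dict, List

# AWS KMS allows at most 10 on-demand rotations per key (11 versions in
# total), which is the limit stated in the caveats above.
MAX_ON_DEMAND_ROTATIONS = 10


def on_demand_rotations_remaining(list_key_rotations_response: Dict[str, Any]) -> int:
    """Count ON_DEMAND entries in a kms.list_key_rotations() response and
    return how many on-demand rotations are still available."""
    rotations: List[Dict[str, Any]] = list_key_rotations_response.get("Rotations", [])
    used = sum(1 for r in rotations if r.get("RotationType") == "ON_DEMAND")
    return max(MAX_ON_DEMAND_ROTATIONS - used, 0)


def is_on_demand_rotatable(describe_key_response: Dict[str, Any]) -> bool:
    """On-demand rotation applies only to symmetric encryption keys
    (KeySpec SYMMETRIC_DEFAULT), never to asymmetric or HMAC keys."""
    meta = describe_key_response["KeyMetadata"]
    return meta.get("KeySpec") == "SYMMETRIC_DEFAULT" and meta.get("KeyUsage") == "ENCRYPT_DECRYPT"


def rotate_if_allowed(kms, key_id: str) -> bool:
    """Rotate key_id on demand only when both checks pass.

    `kms` is a boto3 KMS client (boto3.client("kms")); it is passed in so the
    rest of this module can be exercised without AWS access. Returns True when
    a rotation was requested, False when it was refused."""
    if not is_on_demand_rotatable(kms.describe_key(KeyId=key_id)):
        return False
    if on_demand_rotations_remaining(kms.list_key_rotations(KeyId=key_id)) == 0:
        return False
    kms.rotate_key_on_demand(KeyId=key_id)
    return True


# Constructed sample responses (not captured from a real account): an imported
# (BYOK, Origin EXTERNAL) AES key that has been rotated on demand three times.
SAMPLE_DESCRIBE = {"KeyMetadata": {"KeyId": "constructed-key-id", "KeySpec": "SYMMETRIC_DEFAULT",
                                   "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "EXTERNAL"}}
SAMPLE_ROTATIONS = {"Rotations": [{"RotationType": "ON_DEMAND"}] * 3 + [{"RotationType": "AUTOMATIC"}]}
```

Automatic rotations are not counted against the budget, so the sample key above still has seven on-demand rotations left.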

Procedure

  1. Create a CloudKey for AWS BYOK. For more information, see Creating a CloudKey for AWS.

  2. On the Purpose tab, select AES-256 for the algorithm.

  3. Check the Use on-demand key rotation for new versions checkbox.

  4. Continue creating the key as normal.

  5. After the key is created, click the Details tab and scroll down to the Rotation Schedule section.

    The new 'Use on-demand rotations' field should read True.

    Note:

    • If this value is set to False, you can change it to True if the key only has a single version.

    • You cannot modify this value if it is set to True.