How Key Rotation Comes To The Rescue

If you want your data to be used, transferred, or even stored securely, encryption will straight away come to mind as the go-to solution. Encryption uses an underlying algorithm to scramble your data so that only certain people can read it, with the aid of a key. So, you must be thinking: if I encrypt my data, then I’m out of harm’s way, right? No! It’s only the first step in securing your data. Keep on reading, and you’ll soon find out ways to reduce the impact of a potential data breach.

How do Encryption and Decryption work?

The encryption and decryption of data require keys. There are mainly two types of encryption schemes: symmetric key and asymmetric key schemes. A symmetric key scheme uses the same key for both encryption and decryption, so both parties must have the same key for secure communication. An asymmetric key scheme, on the other hand, relies on two keys, a public key and a private key. The public key is available for anyone to encrypt data, which can then be decrypted only by the corresponding private key.

Why is Encryption alone not enough?

The above encryption schemes rely heavily on a key that needs to be stored somewhere. Using the same key for a prolonged period can reveal information about the underlying key, or even about the data it was meant to hide in the first place. If the key gets compromised, then all the hard work you put into encrypting your data will be in vain. So, we must think of ways to reduce the amount of data leaked by a compromised key. This is where key rotation comes to our aid.

What is Key Rotation?

In simple terms, key rotation can be explained as retiring an encryption key and replacing that old key with a new one. Periodically or automatically rotating keys helps meet best practices and industry standards like PCI DSS (Payment Card Industry Data Security Standard) by reducing the amount of data exposed by a single compromised key.

Then a question arises: how often do we have to rotate the said encryption key? This is where the concept of a cryptoperiod comes in. According to NIST SP 800-57 (National Institute of Standards and Technology), a cryptoperiod is the time span during which a specific key is authorized for use. You can look through the recommended cryptoperiods for different key types in NIST SP 800-57.

*The Originator Usage Period (OUP) is the period of time during which cryptographic protection may be applied to data using that key. The Recipient Usage Period (RUP) is the period of time during which the protected information may be decrypted.

But in reality we can’t always stick to the recommended time spans, since there are other factors to consider, like the sensitivity of the data and the amount of data we have. In short, if you suspect a key has been compromised, then you must rotate it immediately.

How to Rotate Keys?

Data is encrypted using a key known as the Data Encryption Key (DEK), and the DEK is in turn encrypted with another key called the Key Encryption Key (KEK); this is known as envelope encryption. Most of the rotation tools out there simply rotate the KEK and call it a day. But if a person who had access to the DEK leaves the organization, rotating the KEK does not stop them retrieving the data, because they still hold a symmetric key that can decrypt it. So we must consider rotating the DEK as well.

Now, let’s take a look at how key rotation works in a nutshell.

1. Let’s take Key1 as our initial key, which we are using to encrypt our data.
2. After a month has passed, you are informed of a compromised key and a key rotation is imminent. So you generate a new key; let’s call it Key2.
3. Now you use Key2 to encrypt all new data.
4. Key1 is used only to decrypt the old data, which is then re-encrypted with the new Key2.
5. Finally, ensure everything works well with the new Key2.

After all the old data has been re-encrypted with the new key, we can simply discard Key1 and go on using Key2 as our new key. In simple terms, this is basically what key rotation does.

Geesa Vihara