Automatic Key rotation in Azure Key Vault

Harshit Kothari
Feb 17, 2024


To the point.⏩⏩⏬

💲 = this step can incur a cost

Why rotate a key when it is already protected in the Key Vault (KV)?🙎‍♂️

Defining a standard for key usage is one thing; enforcing it is another. Under a zero-trust posture you layer controls wherever practical, and rotation is one such layer: if an attacker obtains key material, or the ability to use a key, without being noticed, everything protected under that key stays exposed for as long as the key stays valid. Rotating on a fixed schedule bounds that window, limits how much data any single key version protects, and gives you a governed, auditable key lifecycle instead of keys that live forever.

How do you rotate keys automatically or manually in the Key Vault?🤷‍♂️

Case 1: Let's create one key as an illustration.
Requirements: an RSA key of at least 2048 bits, renewed annually. Each previous key version must be disabled 18 months after its own renewal (creation) date.

  1. I assume a Key Vault has already been deployed with a suitable SKU, i.e. Standard or Premium (Premium is only needed if you want HSM-protected keys).
  2. 😒After creating an Azure Key Vault you cannot immediately create keys, secrets or certificates. KV access works differently from most resources: under the Azure RBAC permission model, control-plane roles such as "Owner" or "Contributor" on the resource group, subscription or any other scope do not grant data-plane access to the vault's contents. The user who creates the key needs a Key Vault data-plane role assigned.
  3. 🤩The built-in RBAC role that lets a user create keys and manage their rotation policy is "Key Vault Crypto Officer". Assign it under the vault's Access control (IAM) blade:
Add role assignment > select the role > CAREFULLY select your own Azure account (usually your email/UPN) as the member > skip Conditions > Review + assign. If the vault still uses the legacy access-policy model, grant the equivalent key permissions (including Rotate and the rotation-policy permissions) in an access policy instead.

4. You now have enough access to reach the Keys section💲. Go to Keys > + Generate/Import and enter the basics: a name, key type RSA, and size 2048 (or larger, as Case 1 requires).⏬

5. Setting up the auto-rotation configuration is the important step💲. Activation date is optional. The "Expiration date" box is unchecked by default; since Case 1 gives the key a limited lifespan, check it and set the date 18 months from today. This date applies only to the first version you are creating now; versions created later by rotation take their expiry from the rotation policy.

6. Click "Not configured" next to Rotation policy. You'll see several options, most of them greyed out until auto-rotation is enabled, as below.⏬

🔴Remember: 🔺🔺The rotation policy belongs to this key, not to the single version you are creating now: it applies to every future version of the key, while other keys in the vault are unaffected unless you give them their own policy. Say we are creating version A. Per Case 1, version B is created automatically 12 months later (and expires 18 months after its own creation), version C 24 months from today, and so on. Every one of these versions gets the same settings. Note the 6-month overlap: between a rotation and the old version's expiry both versions are enabled, so clients that reference the key without a version identifier pick up the newest one, while the older version stays available for decrypting data it already protected.🔻🔻

Expiry time: how long each version lives from its creation (this duration is applied to every future version created by rotation). Case 1: 18 months.↩️

Enable Auto Rotation : Enabled ✅

Rotation option: two choices. Rotate a fixed time after the version's CREATION, or a fixed time before its EXPIRY. For Case 1 I want "Automatically renew at a given time after creation". 🔛

Rotation time: 12 months for Case 1. 🕑 (Azure enforces a minimum gap of 7 days, so the rotation must fall at least 7 days after creation and at least 7 days before expiry; 12 months against an 18-month expiry is fine.)

Notification option: not flexible; the only action is "Notify", which publishes a KeyNearExpiry event to Azure Event Grid a set time before the version expires. It requires "Expiry time" to be set in the policy and an expiration date on the key. Turning that event into an actual alert (an Event Grid subscription feeding a Logic App, Function or email) is a somewhat more involved task. You'll see information on that soon!

Save it and you're done!

7. Later, if you want to change the rotation settings, open "Rotation policy" on the key's page; if you want to rotate immediately, click "Rotate now" on the same page. A manual rotation creates a new version straight away, and that version is governed by the same policy.
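The same Case 1 setup, steps 3 to 7, as Azure CLI commands. This is an added example and not code from the original post; the vault name `kv-demo-rotate`, key name `app-data-key`, resource group `rg-demo` and user `alice@contoso.com` are placeholders, and the rotation policy JSON follows the lifetimeActions/attributes shape that `az keyvault key rotation-policy update` accepts. The `az` calls are wrapped in a function that only runs when `APPLY=1` is set, so the script can be read and sanity-checked offline.

```shell
#!/usr/bin/env bash
# Added example: Azure Key Vault auto key rotation for "Case 1"
# (RSA 2048, rotate 12 months after creation, each version expires after 18 months).
# All resource names below are placeholders, not real resources.
set -eu

VAULT="${VAULT:-kv-demo-rotate}"
KEY="${KEY:-app-data-key}"
RG="${RG:-rg-demo}"
ASSIGNEE="${ASSIGNEE:-alice@contoso.com}"

# Render the rotation policy JSON the CLI expects.
# $1 = rotate this long after creation, $2 = version lifetime (expiry),
# $3 = emit the KeyNearExpiry notification this long before expiry. ISO 8601 durations.
render_policy() {
  cat <<EOF
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "$1" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "$3" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "$2" }
}
EOF
}

# Sanity check in whole months: a version must be rotated strictly before it
# expires, otherwise the Rotate trigger can never fire on a live version and
# consumers would be left with only an expired key.
policy_is_sane() {  # $1 = rotate-after months, $2 = expiry months
  [ "$1" -gt 0 ] && [ "$2" -gt "$1" ]
}

apply_case1() {
  scope=$(az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv)

  # Step 3: a data-plane role. Owner/Contributor on the subscription is not
  # enough under the RBAC permission model.
  az role assignment create --role "Key Vault Crypto Officer" \
    --assignee "$ASSIGNEE" --scope "$scope"

  # Steps 4-5: RSA 2048 key. The first version gets an explicit expiry 18 months
  # out; the policy's expiryTime only applies to versions created by rotation.
  az keyvault key create --vault-name "$VAULT" --name "$KEY" \
    --kty RSA --size 2048 \
    --expires "$(date -u -d '+18 months' +%Y-%m-%dT%H:%M:%SZ)"

  # Step 6: rotation policy for this key and all of its future versions.
  render_policy P12M P18M P30D > /tmp/rotation-policy.json
  az keyvault key rotation-policy update --vault-name "$VAULT" --name "$KEY" \
    --value /tmp/rotation-policy.json
  az keyvault key rotation-policy show --vault-name "$VAULT" --name "$KEY" -o jsonc

  # Step 7: manual rotation creates a new version now, under the same policy.
  az keyvault key rotate --vault-name "$VAULT" --name "$KEY"
}

# Refuse to apply a policy whose versions would expire before they rotate.
policy_is_sane 12 18 || { echo "rotation must happen before expiry" >&2; exit 1; }

if [ "${APPLY:-0}" = "1" ]; then
  apply_case1
fi
```

Run `az login` first and then `APPLY=1 ./rotate-case1.sh`. The `date -d '+18 months'` form is GNU coreutils; on macOS use `date -u -v+18m` instead. Check the result with `az keyvault key list-versions --vault-name kv-demo-rotate --name app-data-key`: after the manual rotation you should see two enabled versions, which is exactly the overlap the policy allows between a rotation and the older version's expiry.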

Don’t like this post? Just say so! Liked it? Then follow and comment! 😁 I am not a professional writer; I work with Azure cloud and am trying to share the things I have learned and explored at work!
