Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use a rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with a customer-managed key (CMK) stored in Azure Key Vault. Please refer to the specific Azure service's documentation to see whether the service covers end-to-end rotation.
And now it’s generally available!
What’s the deal and what changed after GA?
I wrote about key auto-rotation in December when it came out. So, let’s see what has changed from December until now.
Permissions required
Key Vault key rotation feature requires key management permissions. You can assign a “Key Vault Administrator” role to manage rotation policy and on-demand rotation.
For more information on how to use RBAC permission model and assign Azure roles, see: Use an Azure RBAC to control access to keys, certificates and secrets
Let’s explore the options
You have two different permission models for access policies: RBAC based and vault access policy.
Policy based on RBAC
You have a Key Vault and generate a new key, then try to add a rotation policy to it.
You will be shown the following error.
Go to Access control and add a role assignment.
Add Key Vault Administrator
Here you can add Users, Groups, Service principals or even Managed identities.
What are managed identities?
I will choose users for demonstration purposes. You can check your rights from the same pane.
Then back to key rotation.
Now you can enable key rotation. In my example I set the expiration time to 1 year and the rotation time to 355 days, as it has to be lower than 358 days.
And with the policy-based permission model:
You have to add the “Get Rotation Policy” right.
Go to Access policies and add “Get Rotation Policy”
Go back to keys and you will see the same options for adding Key Rotation.
Trusted services
Here’s a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled.
ARM
You can also add key rotation to an ARM template with the following template.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "String",
      "metadata": {
        "description": "The name of the key vault to be created."
      }
    },
    "keyName": {
      "type": "String",
      "metadata": {
        "description": "The name of the key to be created."
      }
    },
    "rotateTimeAfterCreation": {
      "defaultValue": "P18M",
      "type": "String",
      "metadata": {
        "description": "Time duration to trigger key rotation. i.e. P30D, P1M, P2Y"
      }
    },
    "expiryTime": {
      "defaultValue": "P2Y",
      "type": "String",
      "metadata": {
        "description": "The expiry time for new key version. i.e. P90D, P2M, P3Y"
      }
    },
    "notifyTime": {
      "defaultValue": "P30D",
      "type": "String",
      "metadata": {
        "description": "Near expiry event grid notification. i.e. P30D"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2021-06-01-preview",
      "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
      "location": "[resourceGroup().location]",
      "properties": {
        "vaultName": "[parameters('vaultName')]",
        "kty": "RSA",
        "rotationPolicy": {
          "lifetimeActions": [
            {
              "trigger": {
                "timeAfterCreate": "[parameters('rotateTimeAfterCreation')]",
                "timeBeforeExpiry": ""
              },
              "action": {
                "type": "Rotate"
              }
            },
            {
              "trigger": {
                "timeBeforeExpiry": "[parameters('notifyTime')]"
              },
              "action": {
                "type": "Notify"
              }
            }
          ],
          "attributes": {
            "expiryTime": "[parameters('expiryTime')]"
          }
        }
      }
    }
  ]
}
```
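As an added example (not code from this post, and not Microsoft's own tooling), the following Python script builds a rotationPolicy object with the same lifetimeActions/attributes shape as the template above and checks the durations before anything is deployed. The rules it enforces, that the rotation must fall at least seven days after key creation and at least seven days before expiry (which is why 355 days passes and 358 does not for a one-year key) and that the expiry must be at least 28 days, are taken from Azure's rotation-policy documentation; counting a month as 30 days and a year as 365 is this script's own simplification, not how the service computes dates. The function names and the sample creation date are assumptions of the example.

```python
"""Build and sanity-check a Key Vault rotationPolicy before deploying it.

Added example (not code from the post or from Azure). The policy shape matches
the ARM template's rotationPolicy block: lifetimeActions with Rotate/Notify
triggers plus an expiryTime attribute. Assumptions: the rotation must be at
least seven days after creation and at least seven days before expiry (Azure
docs; this is why 355 days is fine and 358 is not for a one-year key), expiry
must be at least 28 days, and a month counts as 30 days and a year as 365.
"""
import json
import re
from datetime import datetime, timedelta

MIN_EXPIRY_DAYS = 28   # assumption: documented minimum expiry time
MIN_GAP_DAYS = 7       # assumption: documented minimum gap from creation and from expiry

# ISO 8601 date durations as used in the template: P30D, P18M, P2Y (no time part)
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")


def iso_duration_to_days(value: str) -> int:
    """Convert P..Y/M/W/D into days; months are 30 days and years 365 (assumption)."""
    match = _DURATION.match(value)
    if not match or value == "P":
        raise ValueError(f"unsupported duration: {value!r}")
    years, months, weeks, days = (int(g) if g else 0 for g in match.groups())
    return years * 365 + months * 30 + weeks * 7 + days


def build_rotation_policy(expiry: str, rotate_after: str, notify_before: str = "P30D") -> dict:
    """Return a rotationPolicy dict, raising ValueError if the durations are invalid.

    `rotate_after` is the time after creation at which a new version is made,
    `expiry` the lifetime of each version, `notify_before` the near-expiry
    notification window (the template defaults it to P30D).
    """
    expiry_days = iso_duration_to_days(expiry)
    rotate_days = iso_duration_to_days(rotate_after)
    notify_days = iso_duration_to_days(notify_before)
    latest_rotation = expiry_days - MIN_GAP_DAYS  # 358 for a one-year expiry

    if expiry_days < MIN_EXPIRY_DAYS:
        raise ValueError(f"expiry {expiry} is below the {MIN_EXPIRY_DAYS}-day minimum")
    if rotate_days < MIN_GAP_DAYS:
        raise ValueError(f"rotation {rotate_after} is less than {MIN_GAP_DAYS} days after creation")
    if rotate_days >= latest_rotation:
        raise ValueError(f"rotation {rotate_after} must be lower than {latest_rotation} days for expiry {expiry}")
    if notify_days >= expiry_days:
        raise ValueError(f"notify window {notify_before} is not shorter than expiry {expiry}")

    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }


def policy_is_valid(expiry: str, rotate_after: str, notify_before: str = "P30D") -> bool:
    """True when build_rotation_policy accepts the durations, False when it rejects them."""
    try:
        build_rotation_policy(expiry, rotate_after, notify_before)
    except ValueError:
        return False
    return True


def rotation_schedule(policy: dict, created: str) -> dict:
    """Project the rotate, notify and expiry dates for a version created on `created` (YYYY-MM-DD)."""
    start = datetime.fromisoformat(created)
    expires = start + timedelta(days=iso_duration_to_days(policy["attributes"]["expiryTime"]))
    schedule = {"created": start.date().isoformat(), "expires": expires.date().isoformat()}
    for item in policy["lifetimeActions"]:
        trigger, action = item["trigger"], item["action"]["type"].lower()
        if trigger.get("timeAfterCreate"):
            when = start + timedelta(days=iso_duration_to_days(trigger["timeAfterCreate"]))
        else:
            when = expires - timedelta(days=iso_duration_to_days(trigger["timeBeforeExpiry"]))
        schedule[action] = when.date().isoformat()
    return schedule


if __name__ == "__main__":
    # The post's setting: one-year expiry, rotation after 355 days.
    policy = build_rotation_policy("P1Y", "P355D")
    print(json.dumps(policy, indent=2))
    print(rotation_schedule(policy, "2022-04-01"))  # constructed sample creation date
    try:
        build_rotation_policy("P1Y", "P358D")
    except ValueError as err:
        print("rejected:", err)
```

Running the module prints the policy for the post's one-year/355-day setting together with the projected rotate, notify and expiry dates, and shows the 358-day case being rejected, which is the same condition the portal refuses. Because the checks run locally, a bad duration is caught before a deployment fails against the vault.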
Monitoring Key Vault with Event Grid
Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported.
What are the limitations for Key Vault?
Key transactions (maximum transactions allowed in 10 seconds, per vault per region¹)
Key type | HSM key: CREATE key | HSM key: all other transactions | Software key: CREATE key | Software key: all other transactions |
---|---|---|---|---|
RSA 2,048-bit | 5 | 1,000 | 10 | 2,000 |
RSA 3,072-bit | 5 | 250 | 10 | 500 |
RSA 4,096-bit | 5 | 125 | 10 | 250 |
ECC P-256 | 5 | 1,000 | 10 | 2,000 |
ECC P-384 | 5 | 1,000 | 10 | 2,000 |
ECC P-521 | 5 | 1,000 | 10 | 2,000 |
ECC SECP256K1 | 5 | 1,000 | 10 | 2,000 |
Secrets, managed storage account keys, and vault transactions
Transactions type | Maximum transactions allowed in 10 seconds, per vault per region¹ |
---|---|
All transactions | 2,000 |
¹ A subscription-wide limit for all transaction types is five times the per-key-vault limit. For example, HSM-other transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription.
Backup keys, secrets, certificates
Transactions type | Maximum key vault object versions allowed |
---|---|
Backup individual key, secret, certificate | 500 |
Azure Private Link integration
Resource | Limit |
---|---|
Private endpoints per key vault | 64 |
Key vaults with private endpoints per subscription | 400 |
So how does it compare?
The options are identical from public preview to generally available, nice! Use it today for your vaults!