DEV Community

MakendranG for Kubernetes Community Days Chennai

Posted on • Updated on

How to change key automatically in Azure Key Vault ?


Key vault has an automated key rotation feature that will automatically generate a new key version. Rotation policy can be used to set rotation for individual keys. It is recommended that the encryption keys be changed at least every two years.

This feature allows end-to-end zero-touch rotation for the customer-managed key in the azure key vault. There is an additional cost for each scheduled key rotation.

Key management permission is required for the Key Vault key rotation feature. You can assign a role to manage rotation policy and on-demand rotation.

Key rotation policy

Users can use the key rotation policy to set rotation and event grid notifications.

1. Expiry time

It's used to set an expired date on a new key. It doesn't affect the current key.

2. Enabled/disabled

There is a flag that can be enabled or disabled for the key.

3. Rotation types

  • You can automatically renew at a given time after creation.
  • You can automatically renew at a given time before expiry.

4. Rotation time

The minimum value is seven days from creation and seven days from the end of the rotation.

5. Notification time

The key is near the end of the event interval.

rotating policy

Key rotation policy should be configured during key creation.

key creation

The rotation policy should be configured on the existing keys.

existing keys

Key rotation can be invoked manually. To invoke rotation, click Rotate Now.

Rotate now

The event grid key has a configuration of expiry notification. Notification can be configured with days, months and years before the event.

event grid

Key rotation can be configured with the ARM template. Key rotation policy can be configured using templates.

Thanks for reading my article till end. I hope you learned something special today. If you enjoyed this article then please share to your friends and if you have suggestions or thoughts to share with me then please write in the comment box.

Top comments (0)