How to Set up Automatic Key Rotation in GCP

Reduce security risks with automatic key rotation in GCP. Learn how to set up and configure automated key rotation for enhanced security.

Patrick Londa
Author
Nov 30, 2022

It’s a good security practice to rotate your keys regularly so that, if a key is ever compromised, less data is exposed and the exposure window is shorter. In Cloud KMS, rotating a key means creating a new key version and making it the primary version: new encryption operations use the primary version, while existing ciphertext is still decrypted with the version that produced it. You can rotate keys manually or enable automatic periodic rotation.

You should still rotate manually when you know or suspect that a key version is compromised. Automatic rotation adds a baseline of protection on top of that by limiting how long any primary version stays in use, and therefore how much data is protected by a single version.

In this guide, we’ll show you how to configure automatic key rotation in GCP using the Google Cloud console and the gcloud CLI. To follow these steps, you need the permissions granted by the Cloud KMS Admin role (roles/cloudkms.admin) on the key ring or key.


Configuring Automatic Key Rotation in GCP for Existing Keys

You can set up automatic key rotation for existing keys using either the Google Cloud console or the gcloud CLI.

Using the GCP Console:

To configure automatic key rotation for an existing key in the Google Cloud console, follow these steps:

  1. Open the Key Management page from the Google Cloud Console.
  2. Select the name of the key ring that contains the key you want to rotate.
  3. Select the key you want to set up automation rotations for.
  4. Choose Edit Rotation Period in the header.
  5. In the prompt, select new values for the Rotation period and Starting on fields.
  6. Press Save in the prompt.

Just like that, you have enabled automatic key rotation. Note that a rotation only creates a new primary key version: it does not re-encrypt data that was encrypted with a prior version, and the prior versions stay enabled so that data can still be decrypted. If you want old versions out of service, you need to re-encrypt the data with the new primary version and then disable the old versions yourself. We have a guide that shows how to do that here. [link to manual rotation blog]

Using the gcloud CLI:

To manage Cloud KMS from the command line, first install the latest version of the gcloud CLI and authenticate to the project that owns the key ring. Then run this command to enable automatic rotation for an existing key:

gcloud kms keys update <KEY_NAME> \
    --location <LOCATION> \
    --keyring <KEY_RING> \
    --rotation-period <ROTATION_PERIOD> \
    --next-rotation-time <NEXT_ROTATION_TIME>

Here is the information you need to specify for each flag:

  • <KEY_NAME>: the name of the key, for example “bowser”.
  • <KEY_RING>: the name of the key ring that contains the key you want to rotate, for example “castle”.
  • <LOCATION>: the Cloud KMS location of the key ring, such as global or us-east1.
  • <ROTATION_PERIOD>: how often to rotate the key. For instance, 30d means the key is automatically rotated every 30 days. The rotation period must be at least one day and at most 100 years.
  • <NEXT_ROTATION_TIME>: the timestamp at which the next rotation should happen, for example ”2023-01-12T12:34:56.1234Z”. If you omit this flag, the first rotation is scheduled for seven days from when you run the command.

Here’s an example:

gcloud kms keys update bowser \
    --location=global \
    --keyring=castle \
    --rotation-period=30d \
    --next-rotation-time=2023-01-12T12:34:56.1234Z

Creating New Keys with Automatic Rotation Enabled 

You can also enable automatic key rotation when you create a new key. Automatic rotation is only available for symmetric encryption keys (purpose Symmetric encrypt/decrypt in the console, --purpose=encryption in the gcloud CLI); asymmetric keys have to be rotated manually.

Using the GCP Console:

Here are the steps to enable automatic key rotation when you create a new key:

  1. Navigate to the key ring you want to create the key in, then click Create Key.
  2. As you fill out the settings for the new key, set the Rotation period field to the period you want.
  3. In the Starting on field, choose the date of the first rotation.
  4. When you are happy with the settings, click Create.

Using the gcloud CLI:

To configure automatic rotation for a new key from the gcloud CLI, create the key with the rotation flags set:

gcloud kms keys create <KEY_NAME> \
    --location <LOCATION> \
    --keyring <KEY_RING> \
    --purpose "encryption" \
    --rotation-period <ROTATION_PERIOD> \
    --next-rotation-time <NEXT_ROTATION_TIME>

The --location, --keyring, --rotation-period and --next-rotation-time flags are the same ones described in the CLI section above; --rotation-period and --next-rotation-time are what enable automatic rotation. --purpose "encryption" creates a symmetric encryption key, which is the only kind of key that supports automatic rotation.

Here’s an example:

gcloud kms keys create luigi \
    --location=global \
    --keyring=mansion \
    --purpose=encryption \
    --rotation-period=30d \
    --next-rotation-time=2023-01-12T12:34:56.1234Z

Running this command creates a new key with automatic rotation enabled.
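The script below is an added example for this post, not code from Blink or from Google, and it ties the two CLI sections together. It audits a key ring with gcloud kms keys list, reports every symmetric key that has no rotation period set, and prints (or, with APPLY=1, runs) the gcloud kms keys update command from the existing-keys section for each one; the same helper builds the gcloud kms keys create form from the section above. The gcloud flags are the ones shown in this post; the helper names, the whole-day rotation-period syntax, the RFC 3339 timestamp check and the sample listing (project demo, keys bowser, peach and toad) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Google: audit a Cloud KMS
# key ring for symmetric keys with no automatic rotation and print (or, with
# APPLY=1, run) the gcloud command that enables it. Helper names, the day-only
# rotation-period syntax and the sample listing below are this script's own.
set -eu

# Cloud KMS accepts rotation periods from 1 day to 100 years. This helper only
# accepts the whole-day form "<n>d" (assumption: keeps the check simple).
valid_rotation_period() {
  case "$1" in
    *d) n=${1%d} ;;
    *)  return 1 ;;
  esac
  case "$n" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$n" -ge 1 ] && [ "$n" -le 36500 ]; then return 0; else return 1; fi
}

# Require an RFC 3339 UTC timestamp with whole seconds, e.g. 2023-01-12T12:34:56Z
# (gcloud accepts more formats; this is a deliberate narrowing for the example).
valid_rfc3339_utc() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the gcloud command for one key. Arguments:
#   verb (create|update) ring location key rotation-period next-rotation-time
# "create" adds --purpose=encryption, because only symmetric encryption keys
# support automatic rotation.
rotation_cmd() {
  case "$1" in
    update) extra='' ;;
    create) extra=' --purpose=encryption' ;;
    *) echo "verb must be create or update: $1" >&2; return 1 ;;
  esac
  valid_rotation_period "$5" || { echo "bad rotation period: $5" >&2; return 1; }
  valid_rfc3339_utc "$6"     || { echo "bad next rotation time: $6" >&2; return 1; }
  printf 'gcloud kms keys %s %s --keyring=%s --location=%s%s --rotation-period=%s --next-rotation-time=%s\n' \
    "$1" "$4" "$2" "$3" "$extra" "$5" "$6"
}

# Read the tab-separated output of
#   gcloud kms keys list --keyring=R --location=L --format='value(name,purpose,rotationPeriod)'
# on stdin and print the short name of every ENCRYPT_DECRYPT key whose
# rotationPeriod is empty. Asymmetric keys are skipped: Cloud KMS cannot rotate
# them automatically, so they are not a configuration gap.
keys_missing_rotation() {
  tab=$(printf '\t')
  while IFS="$tab" read -r name purpose period; do
    [ "$purpose" = ENCRYPT_DECRYPT ] || continue
    [ -z "$period" ] || continue
    printf '%s\n' "${name##*/}"
  done
}

# Constructed stand-in for the gcloud listing (not real output): bowser already
# rotates every 30 days (2592000s), peach never rotates, toad is asymmetric.
sample_listing() {
  printf 'projects/demo/locations/global/keyRings/castle/cryptoKeys/bowser\tENCRYPT_DECRYPT\t2592000s\n'
  printf 'projects/demo/locations/global/keyRings/castle/cryptoKeys/peach\tENCRYPT_DECRYPT\t\n'
  printf 'projects/demo/locations/global/keyRings/castle/cryptoKeys/toad\tASYMMETRIC_SIGN\t\n'
}

# Live audit: arguments are ring, location, rotation period, next rotation time.
audit_key_ring() {
  gcloud kms keys list --keyring="$1" --location="$2" \
      --format='value(name,purpose,rotationPeriod)' \
    | keys_missing_rotation \
    | while read -r key; do
        cmd=$(rotation_cmd update "$1" "$2" "$key" "$3" "$4")
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else printf '%s\n' "$cmd"; fi
      done
}

# Offline demonstration on the constructed listing; prints one update command
# for peach and nothing for bowser or toad.
sample_listing | keys_missing_rotation | while read -r key; do
  rotation_cmd update castle global "$key" 30d 2023-01-12T12:34:56Z
done

# Against a real project: RUN_AUDIT=1 sh audit.sh castle global 30d 2023-01-12T12:34:56Z
if [ "${RUN_AUDIT:-0}" = 1 ]; then
  audit_key_ring "$1" "$2" "$3" "$4"
fi
```

Run it with no arguments to see the offline demonstration. Against a real ring, RUN_AUDIT=1 prints the update commands and APPLY=1 executes them. Afterwards, gcloud kms keys describe bowser --keyring=castle --location=global --format='value(rotationPeriod,nextRotationTime)' shows the settings that took effect, which is the check worth adding to any change ticket.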

Simplifying GCP Key Rotation with Blink

Enabling automatic key rotation ensures that a fresh primary key version is created on schedule. On its own, though, it does not finish the job.

You still need to re-encrypt data that was encrypted with prior key versions using the new primary version, and rotation does not disable or destroy the old versions for you.

With Blink, you can create automations that extend your flows further. When your keys are rotated automatically, you can trigger a Blink automation that handles re-encrypting files that are using the prior key version and disabling the prior key version.

Blink also allows you to schedule disabled key versions for destruction after a set period of time, so that old versions are cleaned up while your team still has time to confirm that nothing depends on them. Keep in mind that once a version is destroyed, anything still encrypted under it is unrecoverable.

Get started with Blink today and see how easy it can be to rotate your GCP keys.
