Azure key vault - Enabling key rotation

Automated cryptographic key rotation enables users to configure Azure Key Vault to automatically generate new key versions at a specified frequency. This is achieved by defining a key rotation policy for each individual key. Best practices recommend rotating encryption keys at least every two years. Additionally, key rotation can be configured at scale across your subscription or resource group using Azure Policy.

The process below outlines an end-to-end, zero-touch key rotation for encryption at rest in Azure services, utilizing customer-managed keys (CMK) stored in Azure Key Vault.

Two options are explained: manual configuration of the rotation policy on each key, and provisioning an Azure Policy.


Pricing:

  • The Azure cost for a certificate renewal is $3 per request.


RBAC:

  • To follow the Principle of Least Privilege (PoLP), restrict permissions for the Key Vault key rotation feature by assigning the "Key Vault Crypto Officer" role. This role manages rotation policies and on-demand rotations.


Key Rotation Policy:

  • The key rotation policy enables users to configure automated rotation and generates proactive Event Grid notifications near key expiry.
  • Key rotation creates a new key version with fresh key material. Target services should reference a version-less key URI to automatically refresh to the latest key version.
  • Ensure your data encryption solution stores a versioned key URI alongside encrypted data to maintain access to the same key material for decryption. This avoids service disruptions when decrypting/unwrapping data.
  • All Azure services currently follow this pattern for data encryption.


Option 1 - Manually configuring the key rotation policy

The steps below use a key rotation policy manually defined on each individual key.

Go to Azure Key Vault > Keys >

select your key >

Select Rotation policy >

Add the exact expiration date of your key,

Enable the auto rotation,

Rotation option > Automatically renew at a given time before expiry

(this option will be greyed out if your key does not have an expiration date)

Select the automatic rotation time of the key (a key cannot be rotated less than 7 days before expiration),

Select the notification time period in which you wish to be proactively notified of your key's expiration.

Save


Option 2 - Azure Policy

Automated cryptographic key rotation can also be configured at scale across your subscription / resource group using an Azure Policy.

Go to Azure Portal > Policy > Assignments > Assign policy >

Select your scope,

Select your Assignment name > search for "Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation"

Parameters tab:

Select the time period (the number of days after creation within which keys must be rotated),

Select the Effect = Audit,

Review and Create


Verification

Go to Compliance and verify the compliance state of the scope over which you applied the Azure Policy.
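As an added example (not part of the original article and not Azure's own tooling), the Python below lints a key rotation policy document of the kind the portal's Rotation policy blade produces and `az keyvault key rotation-policy update --value` accepts. It checks the Option 1 constraints (an expiry is required for before-expiry rotation, no rotation inside 7 days of expiry, a Notify action present) and an approximation of the Option 2 Azure Policy's days-after-creation limit. The sample policy, the 365/30-day duration arithmetic and the reading of the Azure Policy rule as "expiry minus timeBeforeExpiry" are my assumptions.

```python
import re
# Constructed sample of the policy JSON the portal's Rotation policy blade
# produces: expires 2 years after creation, rotates and notifies 30 days early.
SAMPLE_POLICY = {
    "lifetimeActions": [
        {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Rotate"}},
        {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}},
    ],
    "attributes": {"expiryTime": "P2Y"},
}
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")
def duration_days(iso):
    """Approximate a date-only ISO 8601 duration (P2Y, P18M, P90D) in days,
    assuming 365-day years and 30-day months (my simplification)."""
    m = _DURATION.match(iso or "")
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso!r}")
    y, mo, w, d = (int(g) if g else 0 for g in m.groups())
    return y * 365 + mo * 30 + w * 7 + d
def lint_rotation_policy(policy, max_days_after_creation=None):
    """Return findings (empty list = pass). max_days_after_creation mirrors the
    Option 2 policy parameter; 'expiry minus timeBeforeExpiry' is my reading."""
    findings = []
    expiry = (policy.get("attributes") or {}).get("expiryTime")
    expiry_days = duration_days(expiry) if expiry else None
    actions = policy.get("lifetimeActions") or []
    types = [a.get("action", {}).get("type", "").lower() for a in actions]
    if "rotate" not in types:
        findings.append("no Rotate action: auto rotation is not enabled")
    if "notify" not in types:
        findings.append("no Notify action: no near-expiry Event Grid notification")
    for a in (x for x, t in zip(actions, types) if t == "rotate"):
        trig = a.get("trigger") or {}
        if trig.get("timeBeforeExpiry"):
            if expiry_days is None:  # the portal greys this option out
                findings.append("timeBeforeExpiry rotation requires attributes.expiryTime")
                continue
            before = duration_days(trig["timeBeforeExpiry"])
            if before < 7:
                findings.append("rotation cannot be scheduled < 7 days before expiry")
            scheduled = expiry_days - before
        elif trig.get("timeAfterCreate"):
            scheduled = duration_days(trig["timeAfterCreate"])
        else:
            findings.append("Rotate action has no trigger")
            continue
        if max_days_after_creation is not None and scheduled > max_days_after_creation:
            findings.append(f"first rotation at ~{scheduled} days exceeds {max_days_after_creation}")
    return findings
```

Run it over the JSON exported from `az keyvault key rotation-policy show` before assigning the Audit policy to see which keys the assignment will flag.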
