IBM Cloud Docs
Rotating root keys based on the rotation policy

Rotating root keys based on the rotation policy

You can set an automatic rotation policy for a root key by using IBM Cloud® Hyper Protect Crypto Services.

When you set an automatic rotation policy for a root key, you shorten the lifetime of the key at regular intervals, and you limit the amount of information that is protected by that key.

You can create a rotation policy only for root keys that are generated in Hyper Protect Crypto Services. If you imported the root key initially, you must provide new base64 encoded key material to rotate the key. For more information, see Rotating root keys on demand.

Want to learn more about your key rotation options in Hyper Protect Crypto Services? Check out Comparing your key rotation options for more information.

Managing rotation policies in the UI

If you prefer to manage policies for your root keys by using a graphical interface, you can use the UI.

  1. Log in to the UI.

  2. Go to Menu > Resource list to view a list of your resources.

  3. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services.

  4. On the KMS keys page, use the Keys table to browse the keys in your service.

  5. Click the Actions icon Actions icon to open a list of options for a specific key.

  6. From the options menu, click Edit key rotation policy to manage the rotation policy for the key.

  7. Switch the Key rotation to On and move the slider to select a frequency of rotation in months.

    If your key has an existing rotation policy, the interface displays the key's existing rotation period.

  8. Click Save policy to set the policy for the key.

When it's time to rotate the key based on the rotation interval that you specify, Hyper Protect Crypto Services automatically replaces the root key with new key material.

Managing rotation policies with the API

Viewing a rotation policy

For a high-level view, you can browse the rotation policies that are associated with a root key by making a GET call to the following endpoint.

https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies
  1. Retrieve your service and authentication credentials.

  2. Retrieve the rotation policy for a specified key by running the following cURL command.

    curl -X GET \
      https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies \
      -H 'authorization: Bearer <IAM_token>' \
      -H 'bluemix-instance: <instance_ID>' \
      -H 'correlation-id: <correlation_ID>' \
      -H 'content-type: application/vnd.ibm.kms.policy+json'
    

    Replace the variables in the example request according to the following table.

    Table 1. Describes the variables needed to create a rotation policy with the API
    Variable Description
    region Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services service instance resides. For more information, see Regional service endpoints.
    port Required. The port number of the API endpoint.
    key_ID Required. The unique identifier for the root key that has an existing rotation policy.
    IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.
    instance_ID Required. The unique identifier that is assigned to your Hyper Protect Crypto Services service instance. For more information, see Retrieving an instance ID.
    correlation_ID The unique identifier that is used to track and correlate transactions.

    A successful GET api/v2/keys/{id}/policies response returns policy details that are associated with your key. The following JSON object shows an example response for a root key that has an existing rotation policy.

    {
        "metadata": {
            "collectionTotal": 1,
            "collectionType": "application/vnd.ibm.kms.policy+json"
        },
        "resources": [
        {
            "id": "a1769941-9805-4593-b6e6-290e42dd1cb5",
            "rotation": {
                "interval_month": 1
            },
            "createdby": "IBMid-503CKNRHR7",
            "createdat": "2019-03-06T16:31:05Z",
            "updatedby": "IBMid-503CKNRHR7",
            "updatedat": "2019-03-06T16:31:05Z"
        }
      ]
    }
    

    The interval_month value indicates the key rotation frequency in months.

Creating a rotation policy

Create a rotation policy for your root key by making a PUT call to the following endpoint.

https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies
  1. Retrieve your service and authentication credentials.

  2. Create a rotation policy for a specified key by running the following cURL command.

    curl -X PUT \
      https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies \
      -H 'authorization: Bearer <IAM_token>' \
      -H 'bluemix-instance: <instance_ID>' \
      -H 'correlation-id: <correlation_ID>' \
      -H 'content-type: application/vnd.ibm.kms.policy+json' \
      -d '{
     "metadata": {
       "collectionType": "application/vnd.ibm.kms.policy+json",
       "collectionTotal": 1
     },
     "resources": [
       {
       "type": "application/vnd.ibm.kms.policy+json",
       "rotation": {
         "interval_month": <rotation_interval>
        }
       }
      ]
    }'
    

    Replace the variables in the example request according to the following table.

    Table 2. Describes the variables needed to create a rotation policy with the API
    Variable Description
    region Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services service instance resides. For more information, see Regional service endpoints.
    port Required. The port number of the API endpoint.
    key_ID Required. The unique identifier for the root key that you want to create a rotation policy for.
    IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.
    instance_ID Required. The unique identifier that is assigned to your Hyper Protect Crypto Services service instance. For more information, see Retrieving an instance ID.
    correlation_ID The unique identifier that is used to track and correlate transactions.
    rotation_interval Required. An integer value that determines the key rotation interval time in months. The minimum is 1 and the maximum is 12.

    A successful PUT api/v2/keys/{id}/policies response returns policy details that are associated with your key. The following JSON object shows an example response for a root key that has an existing rotation policy.

    {
        "metadata": {
            "collectionTotal": 1,
            "collectionType": "application/vnd.ibm.kms.policy+json"
        },
        "resources": [
        {
            "id": "a1769941-9805-4593-b6e6-290e42dd1cb5",
            "rotation": {
                "interval_month": 1
            },
            "createdby": "IBMid-503CKNRHR7",
            "createdat": "2019-03-06T16:31:05Z",
            "updatedby": "IBMid-503CKNRHR7",
            "updatedat": "2019-03-06T16:31:05Z"
        }
      ]
    }
    

Updating a rotation policy

Update an existing policy for a root key by making a PUT call to the following endpoint.

https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies
  1. Retrieve your service and authentication credentials.

  2. Replace the rotation policy for a specified key by running the following cURL command.

    curl -X PUT \
      https://<instance_ID>.api.<region>.hs-crypto.appdomain.cloud/api/v2/keys/<key_ID>/policies \
      -H 'authorization: Bearer <IAM_token>' \
      -H 'bluemix-instance: <instance_ID>' \
      -H 'correlation-id: <correlation_ID>' \
      -H 'content-type: application/vnd.ibm.kms.policy+json' \
      -d '{
     "metadata": {
       "collectionType": "application/vnd.ibm.kms.policy+json",
       "collectionTotal": 1
     },
     "resources": [
       {
       "type": "application/vnd.ibm.kms.policy+json",
       "rotation": {
         "interval_month": <new_rotation_interval>
        }
       }
      ]
    }'
    

    Replace the variables in the example request according to the following table.

    Table 3. Describes the variables needed to create a rotation policy with the API
    Variable Description
    region Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services service instance resides. For more information, see Regional service endpoints.
    port Required. The port number of the API endpoint.
    key_ID Required. The unique identifier for the root key that you want to replace a rotation policy for.
    IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.
    instance_ID Required. The unique identifier that is assigned to your Hyper Protect Crypto Services service instance. For more information, see Retrieving an instance ID.
    correlation_ID The unique identifier that is used to track and correlate transactions.
    new_rotation_interval Required. An integer value that determines the key rotation interval time in months. The minimum is 1 and the maximum is 12.

    A successful PUT api/v2/keys/{id}/policies response returns updated policy details that are associated with your key. The following JSON object shows an example response for a root key with an updated rotation policy.

    {
        "metadata": {
            "collectionTotal": 1,
            "collectionType": "application/vnd.ibm.kms.policy+json"
        },
        "resources": [
        {
            "id": "a1769941-9805-4593-b6e6-290e42dd1cb5",
            "rotation": {
                "interval_month": 2
            },
            "createdby": "IBMid-503CKNRHR7",
            "createdat": "2019-03-06T16:31:05Z",
            "updatedby": "IBMid-820DPWINC2",
            "updatedat": "2019-03-10T12:24:22Z"
        }
      ]
    }
    

    The interval_month and updatedat values are updated in the policy details for the key. If a different user updates a policy for a key that you created initially, the updatedby value also changes to show the identifier for the person who sent the request.

What's next