IBM Cloud Docs
Rotating managed keys manually

Rotating managed keys manually

You can rotate your managed keys on demand by using Unified Key Orchestrator with the UI.

To learn how managed key rotation works, see Managed key rotation.

Rotating managed keys with the UI

If you prefer to rotate your managed keys by using a graphical interface, you can use the UI.

Complete the following steps to rotate a key:

  1. Log in to the Hyper Protect Crypto Services instance.
  2. Go to Menu > Resource list to view a list of your resources.
  3. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services with Unified Key Orchestrator.
  4. Click Managed keys from the navigation to view all the available keys.
  5. Select the key that you want to rotate and click the Actions icon Actions icon to open a list of options for the key.
  6. Click Rotate from the options menu. Alternatively, you can click Show details from the options menu and then click Rotate on the key details page.
  7. Click Rotate key to confirm.

Rotating managed keys with the API

To rotate a managed key through the API, follow these steps:

  1. Retrieve your service and authentication credentials to work with keys in the service.

  2. Rotate a managed key by making a POST call based on the following example:

    curl --location --request POST 'https://<instance_ID>.uko.<region>.hs-crypto.appdomain.cloud/api/v4/managed_keys/<id>/rotate'
    --header 'Authorization: Bearer <IAM_token>' \
    --header 'Accept: application/json' \
    --header 'UKO-Vault: <vault_id>' \
    --header 'If-Match: <ETag>'
    

    Replace the variables in the example request according to the following table.

    Table 1. Variables needed to rotate a managed key
    Variable Description
    region Required. The prefix that represents the geographic area where your service instance resides. For more information, see Regions and locations.
    port Required. The port number of the API endpoint.
    id Required. The unique identifier for the managed key that you want to rotate.
    IAM_token Required. Your IBM Cloud IAM access token that you retrieve in step 1. Include the full contents of the IAM token, including the Bearer value.
    vault_id Required. The Universally Unique Identifier (UUID) of the vault that your manage key is assigned to.
    ETag Required. The precondition of the update, which is the value of ETag from the header on a GET request.

    For detailed instructions and code examples about using the API method, check out the Hyper Protect Crypto Services Unified Key Orchestrator API reference doc.

    A successful rotation request returns an HTTP 204 No Content response, which indicates that your managed key is replaced by the new key material.

What's next