Key Management Service

Key Version Management

2025-01-07 09:08:16

Keys are used to protect specific data, so the security of that data depends on the security of its keys. You can rotate keys regularly by generating new key versions to improve key security and to implement security policies and best practices for data protection.

Key Version Overview

KMS supports multiple key versions for a CMK. Each key version is generated independently, and the key versions under the same CMK are cryptographically unrelated to one another.

- For symmetric keys, new key versions can be generated automatically by an automatic rotation policy.

- For asymmetric keys, you create a new key version manually.

Set Automatic Rotation

For symmetric keys, you can configure automatic rotation to generate new key versions. A symmetric key has one primary version and zero or more non-primary versions:

Primary Key Version

- Based on the automatic rotation policy, the system periodically generates a new key version and automatically sets it as the primary version.

- The primary version is the active encryption key of the CMK. Each CMK has exactly one primary version at any point in time.

- When you call an encryption API such as GenerateDataKey or Encrypt, KMS encrypts the plaintext with the primary version of the specified CMK.

Non-primary Key Version

- A non-primary version is an inactive encryption key of the CMK. Each CMK can have zero or more non-primary versions. Every non-primary version was once the primary version and was used as the active encryption key at that time.

- KMS does not delete or disable non-primary versions after key rotation generates a new primary version; the non-primary versions are retained so that data encrypted under them can still be decrypted.
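The version bookkeeping described above (encryption always uses the primary version, rotation adds a new primary without retiring the old one, and decryption looks up whichever version the ciphertext was produced under) can be made concrete with a small model. The following Python is an added example written for this page, not KMS code: the `SymmetricCMK` class, the version-ID format `<key-id>/v<n>`, and the ciphertext envelope fields are assumptions, and the HMAC-SHA256 counter-mode stream cipher is a stand-in for the cipher a real KMS would use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyVersion:
    version_id: str
    material: bytes  # generated independently for every version (assumed 256-bit)


def _keystream_xor(material: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    It stands in for the real KMS cipher; the example is about version handling."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        keystream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def _tag(material: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Encrypt-then-MAC so a tampered envelope is rejected before decryption.
    return hmac.new(material, b"tag" + nonce + ciphertext, hashlib.sha256).digest()


class SymmetricCMK:
    """Model of a symmetric CMK: one primary version, any number of non-primary ones."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self.versions: dict[str, KeyVersion] = {}
        self.primary_version_id = ""
        self.rotate()  # a CMK always has exactly one primary version

    def rotate(self) -> str:
        """Generate a new version and make it primary; older versions stay for decryption."""
        version_id = f"{self.key_id}/v{len(self.versions) + 1}"  # assumed ID format
        self.versions[version_id] = KeyVersion(version_id, secrets.token_bytes(32))
        self.primary_version_id = version_id
        return version_id

    def encrypt(self, plaintext: bytes) -> dict:
        """Encrypt with the primary version; the envelope records which version was used."""
        version = self.versions[self.primary_version_id]
        nonce = secrets.token_bytes(16)
        ciphertext = _keystream_xor(version.material, nonce, plaintext)
        return {
            "key_id": self.key_id,
            "version_id": version.version_id,
            "nonce": nonce,
            "ciphertext": ciphertext,
            "tag": _tag(version.material, nonce, ciphertext),
        }

    def decrypt(self, envelope: dict) -> bytes:
        """Decrypt with the version named in the envelope, primary or not."""
        if envelope["key_id"] != self.key_id:
            raise ValueError("envelope belongs to a different CMK")
        version = self.versions.get(envelope["version_id"])
        if version is None:
            raise ValueError("unknown key version")
        expected = _tag(version.material, envelope["nonce"], envelope["ciphertext"])
        if not hmac.compare_digest(expected, envelope["tag"]):
            raise ValueError("integrity check failed")
        return _keystream_xor(version.material, envelope["nonce"], envelope["ciphertext"])

    def generate_data_key(self) -> dict:
        """Return a fresh data key in plaintext plus the same key wrapped under the primary version."""
        data_key = secrets.token_bytes(32)
        return {"plaintext": data_key, "ciphertext_blob": self.encrypt(data_key)}


def rotation_walkthrough() -> dict:
    """Encrypt, rotate, encrypt again, then decrypt both envelopes."""
    cmk = SymmetricCMK("cmk-example")  # constructed key ID
    v1 = cmk.primary_version_id
    old_envelope = cmk.encrypt(b"record encrypted before rotation")
    v2 = cmk.rotate()
    new_envelope = cmk.encrypt(b"record encrypted after rotation")
    return {
        "v1": v1,
        "v2": v2,
        "old_envelope_version": old_envelope["version_id"],
        "new_envelope_version": new_envelope["version_id"],
        "old_plaintext": cmk.decrypt(old_envelope),
        "new_plaintext": cmk.decrypt(new_envelope),
        "version_count": len(cmk.versions),
        "materials_differ": cmk.versions[v1].material != cmk.versions[v2].material,
    }
```

Running `rotation_walkthrough()` shows the two properties that matter operationally: after `rotate()` the envelope produced by `encrypt()` names the new version, while the envelope produced before rotation still decrypts because its version was retained as non-primary. Nothing encrypted with the toy cipher should be treated as protected; it exists only so the version lookup has something to operate on.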

Create a Key Version

Because of the way public key-private key pairs are used, KMS does not support automatic rotation of asymmetric CMKs. Instead, you manually create a new key version in the specified CMK, which generates a new public key-private key pair.

In addition, unlike symmetric CMKs, asymmetric CMKs have no primary key version. Therefore, when you call an API for an asymmetric cryptographic operation, you must specify both the CMK ID or CMK alias and the key version to use.

Limits

The following keys do not support multiple key versions:

- Default keys of cloud products: the default keys that KMS manages for specific cloud services. These keys belong to the users of those cloud services and provide basic encryption protection for user data.

- Bring Your Own Key (BYOK) keys: keys whose material you imported into KMS. The Origin attribute of these keys is External. KMS does not generate key material or start rotation tasks for these keys. For more information, see Import a Key Material.

Operation Steps

Configure Automatic Rotation (Symmetric Keys)

1. Log in to the KMS console.

2. In the navigation bar at the top of the page, select the region where the key is located.

3. In the left navigation bar, click KMS to open the key list.

4. Locate the symmetric key and click the key ID to go to the Key Details page.

5. In the Key Version area, click Configure Rotation Policy.

6. In the Configure Rotation Policy dialog box, select the rotation period: 30 days, 90 days, 180 days, or Customize.

7. After the automatic rotation policy is configured, the next rotation time of the key is displayed. Click OK.

8. You can change the rotation period or cancel the rotation policy by repeating the same steps.

Create a Key Version (Asymmetric Keys)

1. Log in to the KMS console.

2. In the navigation bar at the top of the page, select the region where the key is located.

3. In the left navigation bar, click KMS to open the key list.

4. Locate the asymmetric key and click the key ID to go to the Key Details page.

5. In the Key Version area, click Create Key Version.

6. Click OK in the pop-up dialog box.

7. In the key version list, view the key version ID and creation date. Click View Public Key. In the pop-up dialog box, you can copy or download the public key.
