To use key rotation correctly, we strongly suggest that you:
- Enable automatic key rotation in your key management system.
Determine a suitable frequency for your key rotation. This depends on how sensitive your data is, how many messages you need to encrypt, and whether you have to coordinate the rotation with external partners.
- For symmetric encryption, use 30- to 90-day keys.
- For asymmetric encryption, the rotation frequency can be lower, but only if you can securely revoke keys.
Learn more in the documentation for your KMS:
Why key rotation?
Key rotation is an essential best practice that prevents keys from being extensively reused.
Regular key rotation helps:
- Limit the number of messages encrypted with the same key version.
- Minimize the number of potentially vulnerable messages.
- Ensure your system is resilient.