Spartak - Fotolia


The benefits of encryption key rotation for cloud users

Encryption key rotation is suggested for enterprises working in the cloud. Expert Dave Shackleford discusses the benefits of key rotation, key management options and some best practices.

Security experts recommend changing passwords and even logins on a regular basis, but with a growing amount of...

data and applications being moved to the cloud, is it time to apply a similar practice to encryption keys ? And if so, what are the best ways to do it? In this tip, we'll explore methods of encryption key rotation, the benefits of rotating keys, and some basic best practices to help perform and manage the process.

The benefits of encryption key rotation

First, why would an organization consider rotating encryption keys in the first place? The benefits of key rotation are all centered on security. The simplest reason might be that a person who had access to the master key left the organization and the company needs to ensure key access is secure once they're gone. Another reason might be that there is reason to believe the master key has been compromised. Internal policies and processes may require key rotation, or compliance mandates may dictate that keys are rotated, as well. Finally, an accident may occur -- such as offline backups that include the key being lost -- that requires a change to ensure the key doesn't fall into the wrong hands.

Methods of encryption key rotation

Companies can encrypt data in-house and control the keys before the data goes into the cloud.

There are several approaches to key management and rotation in cloud service environments. Consumers and businesses can encrypt data in-house and control the keys before the data goes into the cloud. Alternately, many cloud service providers offer a variety of encryption options today, and some allow for key rotation to be managed by the company. For example, Amazon RedShift allows users to initiate a key rotation action for any keys managed in RedShift or a dedicated hardware security module within the Amazon environment. The process is made simple through the RedShift console, the Amazon Web Services command line interface or AWS application program interface (API) calls.

However, rotating keys in other AWS services is not as simple. For example, Elastic Block Storage (EBS) requires that new keys be created with a new EBS volume before the old keys can be removed. Amazon Simple Storage Service (S3) storage can leverage in-house encryption keys for API calls made with the S3 encryption client. Some cloud services do not offer users the opportunity to perform any encryption key management, so the provider manages the keys and rotation altogether.

There are many new cloud service offerings and traditional encryption management options that are able to readily handle both key management and rotation for cloud service offerings. Companies like Porticor and KeyNexus offer encryption key management services that directly integrate with well-known cloud providers like AWS, Rackspace and Microsoft Azure. These key management services allow for split-key access or full key pass-through from internal keystores to a variety of cloud services via APIs and other methods, and support simple, accessible key rotation directly through the management consoles. Vaultive offers an on-premises key management gateway that integrates with in-house key management tools and storage platforms. It also allows for automated key rotation schedules using new keys kept entirely in the company's data center. Ciphercloud offers a similar service as a cloud encryption gateway for Box, Office 365, AWS and other popular cloud services, and includes simple key rotation tools.

Best practices for encryption key rotation

What sort of best practices should organizations follow when they're looking to implement key rotation for cloud data and systems? First, they should rotate keys on a regular basis. For some compliance requirements, such as PCI DSS, keys must be rotated once per year. If possible, rotating them quarterly is better. Ideally, users should look for key management options that allow for simple key replacement and integration with cloud provider services that they need to access. Maintaining control over the keys in the data center is ideal, but having a split key between the internal data center and a cloud key management service provider is another reasonable option that balances security and flexibility.


Any organization using encryption should plan to rotate keys, whether it's implementing cloud services or not. The good news is that many new encryption and key management options are now available for both on-premises and cloud-based key rotation, which should help security and operations teams get this done more simply.

About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book
Virtualization Security: Protecting Virtualized Environments, as well as the co-author of Hands-On Information Security from Course Technology. Recently, he co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Next Steps

Dave Shackelford reviews even more cloud encryption key management best practices.

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices