The likelihood of security incidents increases when cryptographic keys are used for a long time. Thus, to strengthen the data protection it’s
recommended to rotate the symmetric keys created with the Google Cloud Key Management Service (KMS) automatically and periodically. Note that it’s not
possible in GCP KMS to rotate asymmetric keys automatically.
Ask Yourself Whether
- The cryptographic key is a symmetric key.
- The application requires compliance with some security standards like PCI-DSS.
Recommended Secure Coding Practices
It’s recommended to rotate keys automatically and regularly. The shorter the key period, the less data can be decrypted by an attacker if a key is
compromised. So the key rotation period usually depends on the amount of data encrypted with a key or other requirements such as compliance with
security standards. In general, a period of time of 90 days can be used.
Sensitive Code Example
resource "google_kms_crypto_key" "noncompliant-key" { # Sensitive: no rotation period is defined
name = "example"
key_ring = google_kms_key_ring.keyring.id
}
Compliant Solution
resource "google_kms_crypto_key" "compliant-key" {
name = "example"
key_ring = google_kms_key_ring.keyring.id
rotation_period = "7776000s" # 90 days
}
See
