Key Vault has an automated key rotation feature that automatically generates a new key version.
A rotation policy can be used to set rotation for individual keys. It is recommended that encryption keys be rotated at least every two years.
This feature allows end-to-end zero-touch rotation of customer-managed keys in Azure Key Vault. There is an additional cost for each scheduled key rotation.
Key management permission is required for the Key Vault key rotation feature. You can assign a role to manage rotation policy and on-demand rotation.
The key rotation policy is used to set the rotation schedule and Event Grid notifications.
The expiry time in the policy sets an expiration date on each new key version; it doesn't affect the current key.
A flag enables or disables rotation for the key. Rotation can be triggered in either of two ways:
- You can automatically renew at a given time after creation.
- You can automatically renew at a given time before expiry.
The minimum rotation interval is seven days from creation and seven days before the end of the rotation period.
The notification time is the interval before expiry at which the key-near-expiry event is raised.
The rotation policy can be configured during key creation or on existing keys.
Key rotation can be invoked manually. To invoke rotation, click
Event Grid expiry notification can be configured on the key. The notification interval can be set in days, months and years before the event.
Key rotation policy can also be configured using an ARM template.
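The policy fields described above (a rotation trigger after creation, the expiry time applied to each new version, and a near-expiry notification) assembled into the JSON document Key Vault accepts, with the seven-day minimum and the two-year recommendation checked locally before the policy is applied. This is an added example, not the article's code; the interval values and the az CLI command in the comment are assumptions.

```python
"""Build and sanity-check an Azure Key Vault key rotation policy (added example)."""
import json
import re
import warnings

# Limits stated in the article. Month and year lengths are approximated only
# for these local checks; Key Vault evaluates the real calendar.
MIN_ROTATION_DAYS = 7
RECOMMENDED_MAX_ROTATION_DAYS = 2 * 365

_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def iso_duration_days(value: str) -> int:
    """Convert a day-precision ISO 8601 duration such as P18M or P30D to days."""
    m = _DURATION.match(value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration: {value}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + days


def build_rotation_policy(rotate_after_create: str, expiry_time: str,
                          notify_before_expiry: str) -> dict:
    """Return a policy that rotates a fixed time after creation, sets the expiry
    of each new key version, and raises a near-expiry Event Grid notification."""
    rotate_days = iso_duration_days(rotate_after_create)
    expiry_days = iso_duration_days(expiry_time)
    if rotate_days < MIN_ROTATION_DAYS:
        raise ValueError("rotation must be at least seven days after creation")
    if expiry_days - rotate_days < MIN_ROTATION_DAYS:
        raise ValueError("rotation must be at least seven days before expiry")
    if rotate_days > RECOMMENDED_MAX_ROTATION_DAYS:
        warnings.warn("rotation interval exceeds the two-year recommendation")
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after_create}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before_expiry}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry_time},
    }


if __name__ == "__main__":
    # Assumed values: rotate every 18 months, expire versions after 2 years, notify 30 days out.
    policy = build_rotation_policy("P18M", "P2Y", "P30D")
    # Save the output as rotation-policy.json and apply it with:
    #   az keyvault key rotation-policy update --vault-name <vault> --name <key> --value rotation-policy.json
    print(json.dumps(policy, indent=2))
```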
Thanks for reading my article till the end. I hope you learned something special today. If you enjoyed this article, please share it with your friends, and if you have suggestions or thoughts to share with me, please write them in the comment box.