| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2019-04-03 |
automatic key rotation, set rotation policy, policy-based, key rotation |
key-protect |
{:shortdesc: .shortdesc} {:codeblock: .codeblock} {:screen: .screen} {:new_window: target="_blank"} {:pre: .pre} {:tip: .tip} {:note: .note} {:important: .important}
{: #set-rotation-policy}
You can set an automatic rotation policy for a root key by using {{site.data.keyword.keymanagementservicefull}}. {: shortdesc}
When you set an automatic rotation policy for a root key, you shorten the lifetime of the key at regular intervals, and you limit the amount of information that is protected by that key.
You can create a rotation policy only for root keys that are generated in {{site.data.keyword.keymanagementserviceshort}}. If you imported the root key initially, you must provide new base64 encoded key material to rotate the key. For more information, see Rotating root keys on-demand. {: note}
Want to learn more about your key rotation options in {{site.data.keyword.keymanagementserviceshort}}? Check out Comparing your key rotation options for more information. {: tip}
{: #manage-policies-gui}
If you prefer to manage policies for your root keys by using a graphical interface, you can use the {{site.data.keyword.keymanagementserviceshort}} GUI.
-
Log in to the {{site.data.keyword.cloud_notm}} console
{: new_window}. -
Go to Menu > Resource List to view a list of your resources.
-
From your {{site.data.keyword.cloud_notm}} resource list, select your provisioned instance of {{site.data.keyword.keymanagementserviceshort}}.
-
On the application details page, use the Keys table to browse the keys in your service.
-
Click the ⋯ icon to open a list of options for a specific key.
-
From the options menu, click Manage policy to manage the rotation policy for the key.
-
From the list of rotation options, select a frequency of rotation in months.
If your key has an existing rotation policy, the interface displays the key's existing rotation period.
-
Click Create policy to set the policy for the key.
When it's time to rotate the key based on the rotation interval that you specify, {{site.data.keyword.keymanagementserviceshort}} automatically replaces the root key with new key material.
{: #manage-rotation-policies-api}
{: #view-rotation-policy-api}
For a high-level view, you can browse the policies that are associated with a root key by making a GET call to the following endpoint.
https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies
{: codeblock}
-
Retrieve the rotation policy for a specified key by running the following cURL command.
curl -X GET \ https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \ -H 'content-type: application/vnd.ibm.kms.policy+json'{: codeblock}
Replace the variables in the example request according to the following table.
Table 1. Describes the variables that are needed to create a rotation policy with the {{site.data.keyword.keymanagementserviceshort}} API Variable Description key_ID Required. The unique identifier for the root key that has an existing rotation policy. region Required. The region abbreviation, such as us-southoreu-gb, that represents the geographic area where your {{site.data.keyword.keymanagementserviceshort}} service instance resides. For more information, see Regional service endpoints.IAM_token Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAMtoken, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID Required. The unique identifier that is assigned to your {{site.data.keyword.keymanagementserviceshort}} service instance. For more information, see Retrieving an instance ID. correlation_ID The unique identifier that is used to track and correlate transactions. A successful
GET api/v2/keys/{id}/policiesresponse returns policy details that are associated with your key. The following JSON object shows an example response for a root key that has an existing rotation policy.{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.policy+json" }, "resources": [ { "id": "a1769941-9805-4593-b6e6-290e42dd1cb5", "rotation": { "interval_month": 1 }, "createdby": "IBMid-503CKNRHR7", "createdat": "2019-03-06T16:31:05Z", "updatedby": "IBMid-503CKNRHR7", "updatedat": "2019-03-06T16:31:05Z" } ] }{:screen}
The
interval_monthvalue indicates the key rotation frequency in months.
{: #create-rotation-policy-api}
Create a rotation policy for your root key by making a PUT call to the following endpoint.
https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies
{: codeblock}
-
Create a rotation policy for a specified key by running the following cURL command.
curl -X PUT \ https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \ -H 'content-type: application/vnd.ibm.kms.policy+json' \ -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "rotation": { "interval_month": <rotation_interval> } } ] }'{: codeblock}
Replace the variables in the example request according to the following table.
Table 1. Describes the variables that are needed to create a rotation policy with the {{site.data.keyword.keymanagementserviceshort}} API Variable Description key_ID Required. The unique identifier for the root key that you want to create a rotation policy for. region Required. The region abbreviation, such as us-southoreu-gb, that represents the geographic area where your {{site.data.keyword.keymanagementserviceshort}} service instance resides. For more information, see Regional service endpoints.IAM_token Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAMtoken, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID Required. The unique identifier that is assigned to your {{site.data.keyword.keymanagementserviceshort}} service instance. For more information, see Retrieving an instance ID. correlation_ID The unique identifier that is used to track and correlate transactions. rotation_interval Required. An integer value that determines the key rotation interval time in months. The minimum is 1and the maximum is12.A successful
PUT api/v2/keys/{id}/policiesresponse returns policy details that are associated with your key. The following JSON object shows an example response for a root key that has an existing rotation policy.{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.policy+json" }, "resources": [ { "id": "a1769941-9805-4593-b6e6-290e42dd1cb5", "rotation": { "interval_month": 1 }, "createdby": "IBMid-503CKNRHR7", "createdat": "2019-03-06T16:31:05Z", "updatedby": "IBMid-503CKNRHR7", "updatedat": "2019-03-06T16:31:05Z" } ] }{:screen}
{: #update-rotation-policy-api}
Update an existing policy for a root key by making a PUT call to the following endpoint.
https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies
{: codeblock}
-
Replace the rotation policy for a specified key by running the following cURL command.
curl -X PUT \ https://<region>.kms.cloud.ibm.com/api/v2/keys/<key_ID>/policies \ -H 'authorization: Bearer <IAM_token>' \ -H 'bluemix-instance: <instance_ID>' \ -H 'correlation-id: <correlation_ID>' \ -H 'content-type: application/vnd.ibm.kms.policy+json' \ -d '{ "metadata": { "collectionType": "application/vnd.ibm.kms.policy+json", "collectionTotal": 1 }, "resources": [ { "type": "application/vnd.ibm.kms.policy+json", "rotation": { "interval_month": <new_rotation_interval> } } ] }'{: codeblock}
Replace the variables in the example request according to the following table.
Table 1. Describes the variables that are needed to create a rotation policy with the {{site.data.keyword.keymanagementserviceshort}} API Variable Description key_ID Required. The unique identifier for the root key that you want to replace a rotation policy for. region Required. The region abbreviation, such as us-southoreu-gb, that represents the geographic area where your {{site.data.keyword.keymanagementserviceshort}} service instance resides. For more information, see Regional service endpoints.IAM_token Required. Your {{site.data.keyword.cloud_notm}} access token. Include the full contents of the IAMtoken, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.instance_ID Required. The unique identifier that is assigned to your {{site.data.keyword.keymanagementserviceshort}} service instance. For more information, see Retrieving an instance ID. correlation_ID The unique identifier that is used to track and correlate transactions. new_rotation_interval Required. An integer value that determines the key rotation interval time in months. The minimum is 1and the maximum is12.A successful
PUT api/v2/keys/{id}/policiesresponse returns updated policy details that are associated with your key. The following JSON object shows an example response for a root key with an updated rotation policy.{ "metadata": { "collectionTotal": 1, "collectionType": "application/vnd.ibm.kms.policy+json" }, "resources": [ { "id": "a1769941-9805-4593-b6e6-290e42dd1cb5", "rotation": { "interval_month": 2 }, "createdby": "IBMid-503CKNRHR7", "createdat": "2019-03-06T16:31:05Z", "updatedby": "IBMid-820DPWINC2", "updatedat": "2019-03-10T12:24:22Z" } ] }{:screen}
The
interval_monthandupdatedatvalues are updated in the policy details for the key. If a different user updates a policy for a key that you created initially, theupdatedbyvalue also changes to show the identifier for the person who sent the request.