Key rotation is the process of creating a new version of an encryption key while retaining the older key versions so that data already encrypted under them can still be decrypted.
When a new key version is created in ESKM, the previously created key versions are retained and continue to be used for decrypting existing data. The newly created key version becomes the current (default) version for encrypting new data.
This capability lets you create a new version of a key on demand, for compliance reasons or in response to a suspected compromise, without changing the key ID or disrupting active cloud applications. Note that existing data stays encrypted under the version that produced it: rotation alone does not re-protect that data, so if a version is suspected to be compromised, data encrypted under it must also be re-encrypted under the new version.
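The following is an added illustration of the rotation model described above, written for this page; it is not ESKM or AWS code. It keeps one stable key ID with numbered versions, encrypts new data under the current version, records the version number in the ciphertext header, and decrypts old data with whichever retained version produced it. The cipher (SHA-256 in counter mode with an HMAC tag) is a stand-in for a real AEAD and is for illustration only; the key ID "payroll-db-key" and the record contents are constructed.

```python
"""Toy model of versioned key rotation (illustrative; not ESKM or AWS code).

One stable key ID, several key versions, new data encrypted under the current
version, old data still decryptable under the version named in its header.
The cipher is SHA-256 in counter mode plus an HMAC-SHA256 tag, standing in
for a real AEAD such as AES-GCM. Do not use it to protect real data."""

import hashlib
import hmac
import os
import struct

HEADER = struct.Struct(">I16s")   # key version (uint32) + 16-byte nonce
TAG_LEN = 32                       # HMAC-SHA256 tag appended to every record


class VersionedKey:
    """A key that retains every version it has ever had, indexed by number."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.versions = {}     # version number -> 32 bytes of key material
        self.current = 0
        self.rotate()          # version 1 is created together with the key

    def rotate(self):
        """Create a new version and make it the default for new encryptions.
        Older versions stay available for decryption; key_id does not change."""
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current


def _subkeys(material):
    # Derive separate encryption and MAC keys from one version's material.
    enc = hashlib.sha256(b"enc" + material).digest()
    mac = hashlib.sha256(b"mac" + material).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # SHA-256(key || nonce || counter) blocks, concatenated and truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt under the key's current version; the version travels in the header."""
    version = key.current
    enc_k, mac_k = _subkeys(key.versions[version])
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_k, nonce, len(plaintext))))
    header = HEADER.pack(version, nonce)
    tag = hmac.new(mac_k, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt(key, blob):
    """Decrypt with whichever version the header names, current or retired."""
    version, nonce = HEADER.unpack_from(blob)
    if version not in key.versions:
        raise KeyError(f"{key.key_id}: version {version} is not available")
    body, tag = blob[HEADER.size:-TAG_LEN], blob[-TAG_LEN:]
    enc_k, mac_k = _subkeys(key.versions[version])
    expected = hmac.new(mac_k, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_k, nonce, len(body))))


def ciphertext_version(blob):
    """Key version a record was produced under, read from its header."""
    return HEADER.unpack_from(blob)[0]


def is_rejected(key, blob):
    """True if decrypt refuses the record (bad tag or unavailable version)."""
    try:
        decrypt(key, blob)
    except (KeyError, ValueError):
        return True
    return False


def rotation_demo():
    """Encrypt, rotate, encrypt again, then decrypt both records."""
    key = VersionedKey("payroll-db-key")            # constructed example key ID
    old_record = encrypt(key, b"record written before rotation")
    key.rotate()                                    # on-demand rotation
    new_record = encrypt(key, b"record written after rotation")
    tampered = bytearray(new_record)
    tampered[HEADER.size] ^= 0x01                   # flip one ciphertext bit
    return {
        "key_id": key.key_id,
        "current_version": key.current,
        "old_record_version": ciphertext_version(old_record),
        "new_record_version": ciphertext_version(new_record),
        "old_plaintext": decrypt(key, old_record),
        "new_plaintext": decrypt(key, new_record),
        "tampered_rejected": is_rejected(key, bytes(tampered)),
    }


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value!r}")
```

The point the demo makes is the one in the text above: after `rotate()` the key ID is unchanged, new records carry version 2, and the version-1 record is still readable because version 1 was retained rather than replaced. A real key manager would additionally let you retire or destroy a version, at which point records under it fail exactly as `is_rejected` shows for an unavailable version.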
To rotate a key in AWS BYOK:
- After creating the new version of the encryption key in ESKM, go to the Actions column for that key.
- Select Upload to upload the new key version to the AWS BYOK console.
For detailed steps, see Upload Key from ESKM to AWS-BYOK.