I have to implement a rotation policy for our KEK used in GCP, and I have doubts about the management of old keys. We have implemented an external key management service in BYOK/EKM mode, and the KEKs are used for GCE, GCS, GKE and Cloud SQL services. Our doubts concern the future usefulness of rotated keys. I would like to proceed as follows: rotate the key and disable the old key. The operations will be performed by our key management system. I am not sure what happens as a result in GCP.
In the future, might GCP services need the old key to work? Or can I delete it from my key management system?
You can use Cloud KMS for your key rotation; it supports both automatic and manual rotation policies. Once the new keys are updated in the bucket, Cloud KMS will use these new keys for the resources that are going to be created, and your old keys won't get disabled or deleted and will remain in the storage bucket. So you don't have to worry about accessing the resources that are encrypted using the old keys.
However, if you want to delete your old keys, you can replace them first; follow the guidelines on key replacement in this official document:
Note: The guidelines above are taken from the official Google documentation.
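The answer above covers rotation at the Cloud KMS level. As an added example (not part of the original answer and not Google tooling), the script below shows the check a practitioner would run before the "disable old key" step the question asks about: which key versions still back existing data and therefore cannot be disabled without making that data unreadable. It works on a key-version listing in the shape of `gcloud kms keys versions list --format=json` (`name`, `state`) and on per-resource key references as found in the `kmsKeyName` metadata of GCS objects, the `diskEncryptionKey.kmsKeyName` of GCE disks and the `diskEncryptionStatus.kmsKeyVersionName` of Cloud SQL instances. The key ring, key, version states and resource names are constructed for the example; in practice they come from the `gcloud` commands just named.

```python
"""Plan which Cloud KMS key versions may be disabled after a rotation.

Added example, not from the original post. Input shapes follow the Cloud KMS
resource naming scheme; the records below are constructed sample data.
"""
import re
from collections import defaultdict

# Cloud KMS version names always have this form; the trailing integer is the version.
KEY_VERSION_RE = re.compile(
    r"^(projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/(\d+)$"
)

# Constructed key name (hypothetical project, key ring and key).
KEY = "projects/example-prj/locations/europe-west1/keyRings/kek-ring/cryptoKeys/gce-kek"

# Constructed listing in the shape of `gcloud kms keys versions list --format=json`.
# Version 4 is the primary after rotation; version 1 was disabled earlier.
KEY_VERSIONS = [
    {"name": f"{KEY}/cryptoKeyVersions/1", "state": "DISABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/2", "state": "ENABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/3", "state": "ENABLED"},
    {"name": f"{KEY}/cryptoKeyVersions/4", "state": "ENABLED"},
]
PRIMARY_VERSION = f"{KEY}/cryptoKeyVersions/4"

# Constructed resource -> key version references (resource names are hypothetical).
RESOURCE_KEY_REFS = {
    "gs://prod-backups/db-2023-01.dump (object kmsKeyName)": f"{KEY}/cryptoKeyVersions/1",
    "compute disk app-vm-boot (diskEncryptionKey.kmsKeyName)": f"{KEY}/cryptoKeyVersions/2",
    "sql instance prod-db (diskEncryptionStatus.kmsKeyVersionName)": f"{KEY}/cryptoKeyVersions/4",
}


def key_of(version_name: str) -> tuple[str, int]:
    """Split a cryptoKeyVersion resource name into (cryptoKey name, version number)."""
    m = KEY_VERSION_RE.match(version_name)
    if not m:
        raise ValueError(f"not a Cloud KMS key version name: {version_name}")
    return m.group(1), int(m.group(2))


def versions_in_use(resource_refs: dict[str, str]) -> dict[str, list[str]]:
    """Invert resource -> version into version -> [resources still encrypted under it]."""
    used: dict[str, list[str]] = defaultdict(list)
    for resource, version_name in resource_refs.items():
        key_of(version_name)  # validate the reference shape early
        used[version_name].append(resource)
    return dict(used)


def disable_plan(key_versions, primary_version, resource_refs):
    """Classify every listed version.

    safe_to_disable:    ENABLED, not primary, no resource references it.
    keep:               primary (new writes use it) or still referenced by data.
    already_unreadable: not ENABLED but still referenced; that data cannot be
                        decrypted until the version is re-enabled.
    unlisted:           referenced by a resource but absent from the listing
                        (another key, or a version already destroyed).
    """
    used = versions_in_use(resource_refs)
    plan = {"safe_to_disable": [], "keep": {}, "already_unreadable": {}, "unlisted": {}}
    listed = {v["name"] for v in key_versions}

    for v in key_versions:
        name, refs = v["name"], used.get(v["name"], [])
        if name == primary_version:
            plan["keep"][name] = ["primary version: new writes use it"] + refs
        elif v["state"] != "ENABLED":
            if refs:
                plan["already_unreadable"][name] = refs
        elif refs:
            plan["keep"][name] = refs
        else:
            plan["safe_to_disable"].append(name)

    for name, refs in used.items():
        if name not in listed:
            plan["unlisted"][name] = refs
    return plan


if __name__ == "__main__":
    for bucket, entries in disable_plan(KEY_VERSIONS, PRIMARY_VERSION, RESOURCE_KEY_REFS).items():
        print(bucket, entries)
```

The plan distinguishes "no longer referenced" (version 3, safe to disable and later destroy) from "referenced by data" (version 2): a rotation only changes the primary version used for new writes, so data encrypted under an older version keeps depending on that version until the resource is rewritten or re-encrypted. In BYOK/EKM mode the same dependency carries through to the external key behind each version.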