Configure key auto-rotation in Azure Managed HSM
Overview
Note
Key auto-rotation requires the Azure CLI version 2.42.0 or above.
Automated key rotation in Managed HSM allows users to configure Managed HSM to automatically generate a new key version at a specified frequency. You can set a rotation policy to configure rotation for each individual key and optionally rotate keys on demand. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices. For additional guidance and recommendations, see NIST SP 800-57 Part 1.
This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed keys (CMK) stored in Azure Managed HSM. Please refer to specific Azure service documentation to see if the service covers end-to-end rotation.
Pricing
Managed HSM key rotation is offered at no extra cost. For more information on Managed HSM pricing, see Azure Key Vault pricing page
Warning
Managed HSM has a limit of 100 versions per key. Key versions created as part of automatic or manual rotation count toward this limit.
Permissions required
Rotating a key or setting a key rotation policy requires specific key management permissions. You can assign the "Managed HSM Crypto User" role to get sufficient permissions to manage rotation policy and on-demand rotation.
For more information on how to configure Local RBAC permissions on Managed HSM, see: Managed HSM role management
Note
Setting a rotation policy requires the "Key Write" permission. Rotating a key on-demand requires "Rotation" permissions. Both are included with the "Managed HSM Crypto User" built-in role
Key rotation policy
The key rotation policy allows users to configure rotation intervals and set the expiration interval for rotated keys. It must be set before keys can be rotated on-demand.
Note
Managed HSM does not support Event Grid Notifications
Key rotation policy settings:
- Expiry time: key expiration interval (minimum 28 days). It is used to set expiration date on a newly rotated key (e.g. after rotation, the new key is set to expire in 30 days).
- Rotation types:
- Automatically renew at a given time after creation
- Automatically renew at a given time before expiry. 'Expiration Date' must be set on the key for this event to fire.
Warning
An automatic rotation policy cannot mandate that new key versions be created more frequently than once every 28 days. For creation-based rotation policies, this means the minimum value for timeAfterCreate
is P28D
. For expiration-based rotation policies, the maximum value for timeBeforeExpiry
depends on the expiryTime
. For example, if expiryTime
is P56D
, timeBeforeExpiry
can be at most P28D
.
Configure a key rotation policy
Azure CLI
Write a key rotation policy and save it to a file. Use ISO8601 Duration formats to specify time intervals. Some example policies are provided in the next section. Use the following command to apply the policy to a key.
az keyvault key rotation-policy update --hsm-name <hsm-name> --name <key-name> --value </path/to/policy.json>
Example policies
Rotate the key 18 months after creation and set the new key to expire after two years.
{
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": "P18M",
"timeBeforeExpiry": null
},
"action": {
"type": "Rotate"
}
}
],
"attributes": {
"expiryTime": "P2Y"
}
}
Rotate the key 28 days before expiration and set the new key to expire after one year.
{
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": null,
"timeBeforeExpiry": "P28D"
},
"action": {
"type": "Rotate"
}
}
],
"attributes": {
"expiryTime": "P1Y"
}
}
Remove the key rotation policy (done by setting a blank policy)
{
"lifetimeActions": [],
"attributes": {}
}
Rotation on demand
Once a rotation policy is set for the key, you can also rotate the key on-demand. You must set a key rotation policy first.
Azure CLI
az keyvault key rotate --hsm-name <hsm-name> --name <key-name>