Recommendation on the best approach for rotation

[iamyohann]

Should we use Tinkey (java based) or the golang keyset manager in Go https://github.com/google/tink/blob/master/go/keyset/manager.go

We plan on automating key rotation, and we're wondering whether to programatically call the Java code or Golang code...

Can we get some info on maturity, compatibility guarantees etc.... so we can make an informed choice on the best approach...

[juergw]

The functionality offered by the keyset manager in Golang and the Tinkey command line tool are very similar. And the serialization of the keysets are compatible, so any keyset (or encrypted keyset) produced with Tinkey is readable by the golang keyset package, and vice versa.

So, it really is up to you to choose which way you prefer. One thing that we recommend however is that you keep your key managment code and your production code that uses the keys separate.

There are some functionalities that are missing in both, for example importing existing keys. We have plans to extend the API in golang similar to what we already did in Java (see KeysetHandle.Builder in https://github.com/tink-crypto/tink-java/blob/main/src/main/java/com/google/crypto/tink/KeysetHandle.java). The resulting API will still be compatible to what the keyset manager currently does.