Rotating Key Support

[somejavadev]

Hi,

I would like to know, would the vault-init container support rotating keys as described here: https://cloud.google.com/kms/docs/rotating-keys or should any special care be taken when enabling key rotation?

[sethvargo]

Hi @somejavadev - you can rotate the keys, but AFAIK, Vault only encrypts the initial keys once. You'll create new KMS key versions, but only the first one will actually be used to decrypt the data.

You would need to do the following:

1. Rotate the Cloud KMS key (creating a new key version)
2. Rekey Vault

Enabling a Cloud KMS rotation schedule won't improve your security posture without also regularly re-keying Vault.