Key lifecycle policies

Objective

Key lifecycle policies objective:

  • Control how often active encryption keys are rotated to reduce exposure and meet compliance requirements.

  • Control how long inactive keys and historical versions remain recoverable

  • Permanently destroy cryptographic keys after a defined grace period.

Functions

1. Rotation settings

  • Set the key rotation interval.

  • Apply it to all existing keys.

2. Retention settings

  • Defines the recovery window for disabled keys and historical versions before permanent deletion.

  • Keys remain recoverable during the retention period and become eligible for scheduled destruction once expired.

3. Scheduled destruction

  • Enables permanent deletion of cryptographic keys after a mandatory day grace period.

  • Ensures no immediate deletion, allowing keys to be recovered until the scheduled destruction date.

4. Dormant key detection

  • Dormant key detection automatically monitors key usage and classifies keys as idle or dormant when they have not been used within a defined period — helping you identify unused keys and take action before they become a security risk.

  • To configure, set the Idle threshold (number of inactive days before a key is marked idle) and the Dormant threshold (number of inactive days before a key is marked dormant). Dormant threshold must be greater than Idle threshold. Changes take effect on the next backend detection run.

Last updated