Key lifecycle policies
Objective
Key lifecycle policies objective:
Control how often active encryption keys are rotated to reduce exposure and meet compliance requirements.
Control how long inactive keys and historical versions remain recoverable
Permanently destroy cryptographic keys after a defined grace period.
Functions
1. Rotation settings
Set the key rotation interval.
Apply it to all existing keys.

2. Retention settings
Defines the recovery window for disabled keys and historical versions before permanent deletion.
Keys remain recoverable during the retention period and become eligible for scheduled destruction once expired.

3. Scheduled destruction
Enables permanent deletion of cryptographic keys after a mandatory day grace period.
Ensures no immediate deletion, allowing keys to be recovered until the scheduled destruction date.

4. Dormant key detection
Dormant key detection automatically monitors key usage and classifies keys as idle or dormant when they have not been used within a defined period — helping you identify unused keys and take action before they become a security risk.
To configure, set the Idle threshold (number of inactive days before a key is marked idle) and the Dormant threshold (number of inactive days before a key is marked dormant). Dormant threshold must be greater than Idle threshold. Changes take effect on the next backend detection run.

Last updated