Key rotation

This section provides information about ECS key rotation and its limitations.

ECS supports key rotation, the practice of changing keys to limit the amount of data that is protected by any given key, in line with industry standard practices. Rotation can be performed on demand through both the API and the user interface, and is designed to minimize the risk from compromised keys.

During key rotation, the system does the following:

  • Creates a master key natively or on EKM (if activated).
  • Creates a rotation key natively.
  • Activates the new master and rotation keys across all sites in the federation.
  • Once activated, the new master key is used to generate a new virtual master key.
  • Once activated, the new rotation key is used to generate a new virtual bucket key.
  • The new virtual master key is used to rewrap all rotation and namespace keys.
  • The new virtual bucket key is used to protect all new object keys and the associated new data.
  • Rewrapped namespace keys are instrumental in protecting existing data.
  • Data is not re-encrypted as a result of key rotation.
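
The rewrap behaviour in the list above, as an added example that is not ECS code or part of the original guide: a simplified Python model in which rotation replaces the master key, rewraps the namespace and rotation keys, and leaves stored object records untouched. The HMAC-based derivations, the seal/unseal stand-in for a real key wrap, and all class and function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(key, label):  # assumed derivation step (HMAC-SHA256); the page names none
    return hmac.new(key, label, hashlib.sha256).digest()

def pad(key, nonce, n):
    return b"".join(kdf(key, nonce + bytes([i])) for i in range(n // 32 + 1))

def seal(key, plain):  # stdlib stand-in for AES key wrap / AEAD: nonce || ct || tag
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, pad(key, nonce, len(plain))))
    return nonce + ct + kdf(key, b"tag" + nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(key, b"tag" + nonce + ct)):
        raise ValueError("wrong wrapping key or modified blob")
    return bytes(c ^ s for c, s in zip(ct, pad(key, nonce, len(ct))))

class Cluster:
    """Simplified model of the hierarchy described above, not ECS internals."""
    def __init__(self):
        self.master, self.gen = os.urandom(32), 0
        self.ns = seal(self.vmk(), os.urandom(32))        # wrapped namespace key
        self.rot = {0: seal(self.vmk(), os.urandom(32))}  # wrapped rotation keys
    def vmk(self):  # virtual master key, generated from the master key
        return kdf(self.master, b"virtual-master")
    def vbk(self, gen):  # virtual bucket key for one rotation generation
        ns, rot = unseal(self.vmk(), self.ns), unseal(self.vmk(), self.rot[gen])
        return kdf(rot, b"virtual-bucket" + ns)
    def rotate(self):
        old = self.vmk()
        self.master = os.urandom(32)                       # new master key
        self.ns = seal(self.vmk(), unseal(old, self.ns))   # rewrap namespace key
        self.rot = {g: seal(self.vmk(), unseal(old, w)) for g, w in self.rot.items()}
        self.gen += 1
        self.rot[self.gen] = seal(self.vmk(), os.urandom(32))  # new rotation key
    def put(self, data):  # new object key, protected by the current bucket key
        okey = os.urandom(32)
        return (self.gen, seal(self.vbk(self.gen), okey), seal(okey, data))
    def get(self, obj):
        gen, wrapped, ct = obj
        return unseal(unseal(self.vbk(gen), wrapped), ct)

def demo():
    c = Cluster()
    before = c.put(b"written before rotation")   # constructed sample data
    c.rotate()
    return c, before, c.put(b"written after rotation")
```

`demo()` returns one object record written before rotation and one written after; both still decrypt through `get`, and the older record was never rewritten.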

To initiate key rotation, select Settings > Key Management > Key Rotation > Rotate Keys.

NOTE: Rotation is an asynchronous operation, and the latest status of the current operation can be seen in the Rotate Keys table. The table also lists the status of previous rotation operations.

Summary of Key Management Changes in ECS 3.6

  • Key management is more robust: both the master key and the rotation key are now rotated during key rotation.
  • Native and external key management follow the same workflow, except that when using EKM the master key is external.
  • After 3.6, only one master key is used in EKM, whereas before 3.6 there were a master key and rotation keys in EKM.
  • Even when using EKM, all rotation keys are internal to ECS, so management is simple.
  • The master key is cached for the lifetime of a service, whereas before ECS 3.6 it was evicted.
  • Changes are made to protect keys even when they are in cache.
NOTE: Native and External Key Management workflow changed in 3.6. To find the changes related to 3.5, see 3.5 Security Guide in


Key rotation has the following limitations:

  • Key rotation does not rotate namespace and bucket keys.
  • Only one key rotation request can be active at any time; any other new request fails.
  • The scope of key rotation is the cluster level, so all new system-encrypted objects are affected.
  • Namespace-level or bucket-level rotation is not supported.