Support Questions

Find answers, ask questions, and share your expertise

KMS Key roll excess versions

avatar
Contributor

After rolling a key, another version is created, in effect a new key, but same name. After re-encrypting the DEK for the encryption zone, what becomes of the old key version? Does the number just grow and sit there? There does not appear to be a delete except for the key itself.

3 REPLIES 3

avatar
Contributor

Hello,

 

The key version is stored in the metadata so that the client knows which version of the key to request from the KMS. By incrementing the key version, the old (and incorrect) key is not retrieved when decrypting a file encrypted with the new key. By incrementing the key and not reusing key numbers there is less risk of race conditions and makes it clear to the administrator that the key in use has been incremented.

 

Hope that helps,

 

Michael

avatar
Contributor
Each time you roll a key you get a new key. The short name is a pointer to the latest, but when deleting a key, it refers to all keys prefaced by the name. If the name is in use, there is no way to delete a key version, even though the key version is not in use. If you roll your keys daily, you end up with 364 keys you cannot delete.

avatar
Contributor

I misunderstood the original question. I understand what you are asking, now. I do not know if there is a way to clear out the old keys. They don't use much storage space so I've never heard of anyone having an issue with that.

 

Michael