← Lessons

quiz vs the machine

Gold1450

System Design

Key Rotation and Management

Replacing cryptographic keys on a schedule without breaking decryption of old data.

5 min read · core · beat Gold to climb

Why keys must change

A cryptographic key in use for years accumulates exposure risk. Key rotation replaces it periodically so a compromised key has a bounded lifetime. The challenge is rotating without losing access to data encrypted under old keys.

Envelope encryption

The common pattern is envelope encryption. Data is encrypted with a data key, and the data key is itself encrypted by a master key kept in a key management service. Rotating the master key only re encrypts the small data keys, not all the data.

Doing rotation safely

  • Keep old keys available for decryption while new data uses the new key.
  • Track which key version encrypted each object so the right key is selected on read.
  • Use a managed key store with access control and audit, never raw keys in config.

Key idea

Envelope encryption lets you rotate a master key cheaply by re encrypting data keys, while keeping old key versions for decrypting existing data.

Check yourself

Answer to earn rating on the learn ladder.

1. What does envelope encryption make cheap to rotate?

2. Why keep old key versions after rotation?