Key Rotation
QNSP supports automatic and manual key rotation.
Rotation Triggers
- Scheduled: Based on rotation period
- Manual: Admin-initiated
- Policy: Usage count exceeded
- Security: Suspected compromise
Rotation process
- Generate new key version
- Mark old version as decrypt-only
- New encryptions use new version
- Gradual re-encryption of existing data (optional)
- Old version deactivated after grace period
Key versions
Keys maintain version history:
{
  "keyId": "key-uuid",
  "currentVersion": 3,
  "versions": [
    {"version": 1, "state": "destroyed"},
    {"version": 2, "state": "deactivated"},
    {"version": 3, "state": "active"}
  ]
}
Automatic rotation
Configure rotation schedule:
{
  "rotationPeriod": "90d",
  "autoRotate": true,
  "retainVersions": 3
}
Re-encryption
After rotation, existing ciphertext can be re-encrypted under the current version:
POST /kms/v1/reencrypt
{
  "keyId": "key-uuid",
  "ciphertext": "old-ciphertext"
}
Returns the same plaintext re-encrypted with the current key version; the old version only needs to be in a decrypt-capable state for this to succeed.
Rotation audit
Rotation events are logged:
- Old version ID
- New version ID
- Trigger reason
- Initiator
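The lifecycle described on this page (rotation process, version history, re-encryption and the audit record) can be pictured as a small state machine. The following Python model is an added example, not QNSP code: the class and method names (KeyRing, rotate, reencrypt, expire_grace), the "decrypt-only" state name, the grace-period and usage-count parameters, and the toy SHA-256 XOR keystream are all assumptions made for illustration. The cipher exists only so each ciphertext carries a version tag; it is not a real AEAD.

```python
from __future__ import annotations
import hashlib
import os
import secrets
import time
from dataclasses import dataclass, field

# Constructed example modelling the rotation lifecycle on this page.
# QNSP's real storage format and API are not shown here; the names below
# and the "decrypt-only" state are assumptions for illustration.


@dataclass
class KeyVersion:
    version: int
    secret: bytes
    state: str                      # "active" | "decrypt-only" | "deactivated" | "destroyed"
    retired_at: float | None = None  # when it left the "active" state


def _keystream(secret: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 counter mode) so the example runs offline.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


@dataclass
class KeyRing:
    key_id: str
    grace_period: float = 7 * 24 * 3600   # seconds before decrypt-only -> deactivated (assumed default)
    retain_versions: int = 3              # mirrors "retainVersions"
    max_uses: int = 1_000_000             # policy trigger: usage count exceeded (assumed)
    versions: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    uses: int = 0

    def __post_init__(self):
        self.versions.append(KeyVersion(1, secrets.token_bytes(32), "active"))

    @property
    def current(self) -> KeyVersion:
        return self.versions[-1]

    def rotate(self, trigger: str, initiator: str, now: float | None = None) -> int:
        """Create a new version, demote the old one to decrypt-only, log the event."""
        now = time.time() if now is None else now
        old = self.current
        old.state, old.retired_at = "decrypt-only", now
        new = KeyVersion(old.version + 1, secrets.token_bytes(32), "active")
        self.versions.append(new)
        self.uses = 0
        # Versions beyond the retention window are destroyed (key material dropped).
        for kv in self.versions[:-self.retain_versions]:
            kv.state, kv.secret = "destroyed", b""
        self.audit.append({"keyId": self.key_id, "oldVersion": old.version,
                           "newVersion": new.version, "trigger": trigger,
                           "initiator": initiator, "at": now})
        return new.version

    def expire_grace(self, now: float | None = None) -> None:
        """Deactivate decrypt-only versions whose grace period has elapsed."""
        now = time.time() if now is None else now
        for kv in self.versions:
            if kv.state == "decrypt-only" and now - kv.retired_at >= self.grace_period:
                kv.state = "deactivated"

    def encrypt(self, plaintext: bytes) -> bytes:
        if self.uses >= self.max_uses:           # policy trigger
            self.rotate("policy:usage-count", "system")
        self.uses += 1
        kv, nonce = self.current, os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kv.secret, nonce, len(plaintext))))
        return kv.version.to_bytes(2, "big") + nonce + ct   # version tag | nonce | body

    def decrypt(self, blob: bytes) -> bytes:
        version = int.from_bytes(blob[:2], "big")
        kv = next((v for v in self.versions if v.version == version), None)
        if kv is None or kv.state not in ("active", "decrypt-only"):
            state = kv.state if kv else "unknown"
            raise PermissionError(f"version {version} cannot decrypt (state={state})")
        nonce, ct = blob[2:14], blob[14:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(kv.secret, nonce, len(ct))))

    def reencrypt(self, blob: bytes) -> bytes:
        """POST /kms/v1/reencrypt analogue: decrypt with the tagged version, encrypt with current."""
        return self.encrypt(self.decrypt(blob))

    def describe(self) -> dict:
        """Version history in the shape shown under "Key versions"."""
        return {"keyId": self.key_id, "currentVersion": self.current.version,
                "versions": [{"version": v.version, "state": v.state} for v in self.versions]}
```

Two points the model makes visible: a ciphertext produced before rotation keeps decrypting only while its version is active or decrypt-only, so re-encryption has to happen inside the grace period or it fails with a permission error rather than silently using stale material; and every rotation, whether manual, scheduled, security-driven or triggered by the usage-count policy, leaves an audit entry with the old and new version, trigger and initiator.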