Skip to main content

Version management

Key rotation

Key rotation is the process of periodically changing encryption keys to enhance security and reduce potential risks. Rotation minimizes damage even if a key is compromised and protects data from brute-force attacks and other threats.
There are two types of rotation: automatic and manual.

Configure automatic rotation

You can enable automatic rotation when creating a key or update the setting for an existing key.
When you configure a rotation cycle (e.g., 365 days), KMS automatically generates a new version of the key at each cycle, and the new version becomes the default.
All new encryption requests always use the latest version of the key.

  1. Go to KakaoCloud Console > Security > KMS.
  2. In the User keys menu, select the resource to configure automatic rotation.
  3. In the action group menu at the top, click [Configure Automatic rotation] or choose More > Automatic rotation from the customer key row.
    • On the resource detail page, you can also access this from the action group menu in the header area.
  4. Choose whether to enable or disable automatic rotation. If enabled, set the rotation cycle.
    • The rotation cycle can be set from 1 day to 1,095 days.
    • The console default is 365 days.
    • Automatic rotation is executed at 00:00 on the scheduled date.
  5. After configuration, click [Save].

Manual rotation

If a new key version is required immediately due to security policy, you can perform a [Manual rotation]. Manual rotation instantly generates a new version, sets it to Active, and makes it the default version.

  1. Go to KakaoCloud Console > Security > KMS.
  2. In the User keys menu, select the resource to rotate manually.
  3. In the action group menu at the top, click [Manual rotation] or choose More > Manual rotation from the customer key row.
    • On the resource detail page, you can also access this from the action group menu in the header area.
  4. Click [Rotate].

Manage version states

You can change the state of key versions to control encryption policies. For example, you can temporarily stop using the latest version or destroy versions no longer needed.

View versions

  1. Go to KakaoCloud Console > Security > KMS.
  2. In the User keys menu, click the name of the key whose version information you want to view.
    • Service keys do not provide detailed information.
  3. On the key detail page, click the Versions tab to view the following:
    ItemDescription
    VersionA unit of encryption data belonging to one key. A new version is created whenever a rotation occurs.
    - The latest version is always used for encryption. For decryption, KMS automatically identifies the correct version based on information in the ciphertext, so you do not need to specify or manage versions.
    StatusIndicates the current availability of the version.
    - Displayed as Active, Deactivated, or Destroyed.
    Created atDate and time when the version was first created.
    Destroyed atDate and time when the version was destroyed. If scheduled for destruction, (Scheduled) is appended.

Deactivate

Only the latest version can be Active and used for encryption. Older versions created through rotation are automatically set to Deactivated and used only for decryption.
Administrators can deactivate the latest version to temporarily block all new encryption operations using that key.

caution

A deactivated version cannot be restored to Active.

  1. Go to KakaoCloud Console > Security > KMS.
  2. In the User keys menu, click the name of the key whose version state you want to change.
  3. On the key detail page, click the Versions tab.
  4. Select the latest version and click [Deactivate] at the top of the list, or choose More > Deactivate from the version row.
  5. In the Deactivate Version modal, click [Deactivate].

Destroy

You can permanently destroy key versions that are no longer needed.
Destroyed versions cannot be used for any cryptographic operations, including decryption.
To prevent accidental data loss and provide recovery time, a grace period of 7–30 days is applied. This allows users to cancel a destruction request if it was accidental or malicious.

caution
  • Once destroyed, a version cannot be recovered by any means, and data encrypted with it cannot be decrypted.
  • When a destruction schedule is set, the version is marked as Deactivated and cannot be restored to Active.
  • Before scheduling destruction, ensure there is no critical data encrypted with the version.
  1. Go to KakaoCloud Console > Security > KMS.
  2. In the User keys menu, click the name of the key whose version state you want to change.
  3. On the key detail page, click the Versions tab.
  4. Select the version to destroy and click [Reserve destruction] at the top, or choose More > Reserve destruction from the version row.
    • Only Active or Deactivated versions can be scheduled for destruction.
  5. In the modal, set the grace period, confirm the warning, and click [Destroy].
    • A scheduled version becomes Deactivated.
    • A deactivated version cannot be restored to Active.
  6. To cancel a scheduled destruction, select the version and click [Cancel destruction reservation] at the top, or choose More > Cancel destruction reservation from the version row.
    • If a destruction schedule is active, only cancellation is possible.

View service keys

  1. Go to KakaoCloud Console > Security > KMS.

  2. In the Service Keys menu, you can view the following items:

    ItemDescription
    ServiceThe name of the KakaoCloud service that created and uses the key (e.g., Secrets Manager).
    NameA name automatically assigned by the system to identify the key.
    - To distinguish it from user keys, it starts with uppercase letters, and spaces are replaced with hyphens (-). (e.g., Secrets-manager)
    StatusIndicates whether the key is currently available. Displayed as Pre-activation, Active, or Deactivated.
    Default versionThe version number currently used for encryption. New data is always encrypted with this version.
    Automatic rotationIndicates whether automatic rotation is enabled.
    - If enabled, the configured cycle is shown; if disabled, it displays Not in use.
    - Service keys are rotated automatically every 365 days.
    Last rotation timeDate and time when the last rotation occurred and a new version was generated.
    Next rotation timeDate and time of the next scheduled automatic rotation.
    Created atDate and time when the service key was first created.