Rotating a Vault Key
Rotate a master encryption key.
When you rotate a key, the KMS service generates a new key version. The service can generate the key material for the new key version, or you can import your own key material. When importing a key you must use a wrapping key to wrap the key material. However, you can't create, delete or rotate a wrapping key. For more information about key rotation, see Overview of Vault.
Open a command prompt and run oci kms management key rotate to rotate a key:
oci kms management key rotate --key-id <target_key_id> --endpoint <vault_specific_management_endpoint_url>
For example:
oci kms management key rotate --key-id ocid1.key.region1.sea.exampleaaacu2.examplesmtpsuqmoy4m5cvblugmizcoeu2nfc6b3zfaux2lmqz245gezevsq --endpoint https://exampleaaacu2-management.kms.us-ashburn-1.oraclecloud.com
Cryptographic operations involving objects that were encrypted with the previous version of this key will continue to use the older key version. You can re-encrypt those objects with the current key version if you prefer.
For a complete list of parameters and values for CLI commands, see KMS CLI Command Reference.
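As an added example (not part of the OCI documentation or CLI), the following script wraps the rotate command above and confirms the rotation by comparing the key's current-key-version and the number of key versions before and after; it assumes a configured OCI CLI and that the CLI prints the JSON field names current-key-version and id as shown.

```shell
#!/bin/sh
# Rotate a master encryption key and confirm the new key version took effect.
# Assumes the OCI CLI is installed and configured (~/.oci/config).
# Usage: ./rotate_verify.sh <key_ocid> <vault_management_endpoint>
set -eu

# Extract "current-key-version" from the JSON printed by `oci kms management key get`.
current_version() {
  printf '%s\n' "$1" | sed -n 's/.*"current-key-version": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Count key versions in the JSON printed by `oci kms management key-version list`
# (each version object has its own "id" field; "key-id" does not match this pattern).
version_count() {
  printf '%s\n' "$1" | grep -o '"id": *"' | wc -l | tr -d ' '
}

# Rotation succeeded if the current version changed and a version was added.
# Arguments: version_before version_after count_before count_after
rotation_ok() {
  if [ -n "$2" ] && [ "$1" != "$2" ] && [ "$4" -gt "$3" ]; then return 0; fi
  return 1
}

# Run the real CLI calls from the procedure above and check the outcome.
rotate_and_verify() {
  key_id="$1"; endpoint="$2"
  before=$(current_version "$(oci kms management key get --key-id "$key_id" --endpoint "$endpoint")")
  n_before=$(version_count "$(oci kms management key-version list --key-id "$key_id" --endpoint "$endpoint" --all)")
  oci kms management key rotate --key-id "$key_id" --endpoint "$endpoint" >/dev/null
  after=$(current_version "$(oci kms management key get --key-id "$key_id" --endpoint "$endpoint")")
  n_after=$(version_count "$(oci kms management key-version list --key-id "$key_id" --endpoint "$endpoint" --all)")
  if rotation_ok "$before" "$after" "$n_before" "$n_after"; then
    # Older versions remain listed, so data encrypted under them still decrypts.
    echo "rotated: $before -> $after ($n_before -> $n_after versions)"
  else
    echo "rotation not confirmed for $key_id" >&2
    return 1
  fi
}

# Only contact the service when a key OCID and management endpoint are supplied.
if [ "$#" -eq 2 ]; then
  rotate_and_verify "$1" "$2"
fi
```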
Run the KeyVersion operation to get information about a specific master encryption key using the KMSMANAGMENT endpoint.
Note
Each region uses the KMSMANAGMENT endpoint for create, update, and list operations for keys. This endpoint is referred to as the control plane URL or vault management endpoint. Each region also has a unique endpoint for operations related to retrieving vault details. This endpoint is known as the data plane URL or the secret retrieval endpoint. For regional endpoints, see the API Documentation. For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.