Key Rotation and Detection

Key rotation is the practice of periodically replacing a secret with a new one and retiring the old. Even a perfectly stored key benefits from rotation:

• Limits exposure window if a key leaked silently, rotation invalidates it.
• Reduces cryptographic wear less data encrypted under any single key.
• Meets compliance standards like PCI DSS mandate periodic rotation.
• Removes departed access credentials a former employee saw become useless.

The core idea: a secret's value to an attacker decays the more often it changes. Rotation makes a leak a temporary problem instead of a permanent one.

Naive rotation delete the old key, create a new one causes outages, because consumers still holding the old key break instantly. Safe rotation uses overlapping validity:

• 1. Generate a new key alongside the existing one.
• 2. Distribute the new key to all consumers.
• 3. Activate the new key for new operations.
• 4. Grace period both keys remain valid while consumers catch up.
• 5. Retire revoke the old key once nothing uses it.

This two-key overlap is the foundation of zero-downtime rotation.