This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 43%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hello,
I understand that Azure provides a facility to encrypt data-at-rest using Platform Managed Keys (PMKs). My question is: what is frequency of key rotation for PMK?
I have an audit request for this and would like to know how often the key is rotated.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
@BryanW Thanks for posting your query on Microsoft Q&A.
Unfortunately, the exact frequency of key rotation for PMKs in Azure may not be publicly disclosed. There is no mention of it in any public documentation.
However, it is worth noting that Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, which allows you to configure key rotation policies for customer-managed keys.
You can set a rotation policy to automatically generate a new key version at a specified frequency. The rotation frequency for DEKs in Azure Disk Encryption can be determined by the user/administrator based on their specific requirements. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
Reference documentation:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 27%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
The frequency of key rotation for Platform Managed Keys (PMKs) in Azure depends on the specific service or feature you are using. Azure manages the key rotation process for you, but the actual rotation interval may vary.
In general, Azure follows industry best practices and security standards for key rotation. Microsoft Azure's Key Vault service, for example, automatically rotates the cryptographic keys used for encryption on an annual basis. This ensures that encryption keys are regularly updated to maintain a high level of security.
However, it's important to note that the key rotation frequency may differ for other Azure services or features that utilize PMKs. Some services may have more frequent key rotation schedules based on specific security requirements or compliance regulations.
To obtain the precise information regarding key rotation frequency for a specific Azure service or feature, it is recommended to consult the documentation or reach out to Azure Support. They can provide you with the most up-to-date and accurate information regarding key rotation intervals for the service you are using.
@BryanW Just checking in to see if the above answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
@BryanW I have shared an update in the answer after confirming with the Product team.
Checking in to see if the answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread.
And, if you have any further queries, do let us know in the comments.
Update 5/23/2023:
I reached out to the Product team to see if I can get more information on the key rotation frequency for PMK.
They confirmed that- no mention of it in the public documentation is intentional.
There are no plans to share this information publicly. It is a "security by obscurity" scenario. If it is a requirement for customers to have control on the rotation frequency, their recommendation is to use Customer Managed Keys. I hope that helps.
5/18/2023 (Summary from the comment above):
Unfortunately, the exact frequency of key rotation for PMKs in Azure cannot be publicly disclosed.
There is no mention of it in any public documentation.
However, it is worth noting that Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, which allows you to configure key rotation policies for customer-managed keys. You can set a rotation policy to automatically generate a new key version at a specified frequency.
The rotation frequency for DEKs in Azure Disk Encryption can be determined by the user/administrator based on their specific requirements. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.
Reference documentation: https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption#about-encryption-key-management
If you have any other questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.
Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you. This can be beneficial to other community members for remediation for similar issues.