What is use of expiry time and rotation time in rotation policy ?

Question

What is use of expiry time and rotation time in rotation policy ?

Anonymous

Azure Key vault has following three parameters that needs to be set for rotation of key:

Expiry Time
Rotation Time
Notify time
what is significance of each? After reading answer under https://learn.microsoft.com/en-us/answers/questions/1183058/key-vaults-secrets-key-expiration and https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation I am confused between expiry date and rotation policy. Please clarify the same.

1 answer

Your answer

Answer 1

Vahid Ghafarpour 23,385 Volunteer Moderator

Thanks for posting your question in the Microsoft Q&A forum.

You can configure the key with an expiry more than Rotation Time:. This means a new version of the key will be generated, but the old key can still be used until its expiry time.

And if for example, You set a notify time of 30 days. This means you will receive notifications 30 days before the key is scheduled to expire or rotate.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful **

Anonymous

2024-08-22T11:10:33.37+00:00

So suppose I have set expiry time as 12 Months, Rotation time as 1 Month on 1st jan 2024 then does it mean that from 1st feb 2024 there will be two valid keys i.e. keyv1 from 1st jan 2024 which is yet to be expired ( will expire on 1st jan 2025) and keyv2 newly generated on 1st feb 2024 ?

Also should notify time be strictly less than rotation time ?
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-08-26T05:44:23.04+00:00

@Rekhawar, Nilakshi (Corporate, IND) Yes, that's correct. If you set the Expiry Time as 12 months and the Rotation Time as 1 month, then on 1st February 2024, there will be two valid keys: keyv1 that was generated on 1st January 2024 and keyv2 that was generated on 1st February 2024. Keyv1 will remain valid until its Expiry Time on 1st January 2025, while keyv2 will remain valid for 1 month until the next rotation.

Regarding the Notify Time, it is recommended to set it to a value less than the Rotation Time. This is because the purpose of the Notify Time is to give you advance warning that a key or secret is about to expire, so that you can take appropriate action. If the Notify Time is greater than the Rotation Time, then you may not receive a notification before the key or secret is rotated.

For example, if you set the Rotation Time as 1 month and the Notify Time as 2 months, then you will receive a notification 2 months before the Expiry Time, but the key or secret will already have been rotated by then. Therefore, it is recommended to set the Notify Time to a value less than the Rotation Time, such as 1 week or 1 day, depending on your specific requirements.
Anonymous

2024-08-27T10:29:30.21+00:00

Hi, I didn't understand why keyv2 will remain valid for 1 month until the next rotation.

Key is created on 1st Jan 2024

key v1 (expiry = 12Month, rotation= 1Month, notify = 20 Days)

on 1st Feb 2024, v2 is created

key v2 (expiry = 12Month, rotation= 1Month, notify = 20 Days)

on 1st March 2024, v3 is created

key v3 (expiry = 12Month, rotation= 1Month, notify = 20 Days)

so in the month of march won't all 3 keys will be valid ?

Also what is preferred/suggested value to be set for expiry, rotation and notify date ?

Share via

What is use of expiry time and rotation time in rotation policy ?

1 answer

Your answer