Skip to main content

Rotate a key

Key rotation enables you to create a new version of a key, replacing the current version. By default, rotating a key will result in the "current" version being transitioned to the "deactivated" state.

Manual Rotation

A key can be manually rotated at any time. During manual rotation, you can choose to provide the key material for the new version of the key or let the Vault service automatically generate the new key. Additionally, a target state for rotation can be provided to which the current key is transitioned.


import os

import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services import Vault


def rotate_key(key_id, target_state):
    token = os.getenv("PANGEA_VAULT_TOKEN")
    domain = os.getenv("PANGEA_DOMAIN")
    config = PangeaConfig(domain=domain)
    vault = Vault(token, config=config)

    try:
        # rotate key
        # providing a rotation_state is optional
        # key material could be provided, if not key is generated by Vault
        vault.key_rotate(key_id, rotation_state=target_state)

        # retrieve latest version
        retrieve_response = vault.get(key_id)

    except pe.PangeaAPIException as e:
        print(f"Vault Request Error: {e.response.summary}")
        for err in e.errors:
            print(f"\t{err.detail} \n")

    # can return public key if rotated key is asymmetric
    return retrieve_response.result.current_version.public_key

Rotation policies

Rotation policies allow you to configure the automatic rotation of keys at scheduled intervals. Once configured, a rotation policy will automatically generate the new key material as part of the rotation process.

Configure a rotation policy

A key rotation policy can be provided at the time of generating or importing a key, or it can be provided as part of a key update. A rotation policy allows you to set an interval over which a key is automatically rotated with the new key version generated by the Vault service. Only a target state of "deactivated" or "destroyed" may be provided during automated key rotation.

The format for rotation interval is <number><units>, with allowed units being "days," "months," and "years."


import os

import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services import Vault


def configure_rotation_policy(key_id, interval, target_state):
    token = os.getenv("PANGEA_VAULT_TOKEN")
    domain = os.getenv("PANGEA_DOMAIN")
    config = PangeaConfig(domain=domain)
    vault = Vault(token, config=config)

    try:
        # configure rotation policy
        # example rotation frequency "1year"
        vault.update(
            key_id,
            rotation_frequency=interval,
            rotation_state=target_state
        )

    except pe.PangeaAPIException as e:
        print(f"Vault Request Error: {e.response.summary}")
        for err in e.errors:
            print(f"\t{err.detail} \n")

    return

Was this article helpful?

Contact us