Key Rotation is the process of replacing existing keys with new ones, keeping an old key around only as long as data encrypted under it still has to be read.
Why Key Rotation
- Encryption goes stale. Sometimes it's just a matter of time (DES was awesome in 1977; now its 56-bit key falls to brute force in about a day). So if your algorithm can be expected to be broken within N years, you want to rotate away from it on a schedule well shorter than N, no?
And N isn't necessarily "heat death of the universe" just because you're using 4096-bit keys. Things change: keys leak, quantum computers break RSA and elliptic-curve keys regardless of their size, NSA backdoors turn up, whatever. The safe thing to do is to rotate your signing key, and potentially the algorithm too, every so often.
- Keys leak. It happens, for a host of reasons, up to and including state actors. Whatever the cause, keys do leak. Rotating the encryption key every so often bounds the damage: when a key is compromised, what you lose is the data encrypted under that one key, not, well, Everything.
- Straight-up attacks. For many (most?) modes of operation, the more data an attacker gathers under one key, the easier the key is to break. A prominent example is AES-GCM: with the usual random 96-bit nonces a key is only good for about 2^32 messages (beyond that the chance of a repeated nonce, which is catastrophic in GCM, is no longer negligible), and a single message must stay under 64 GiB. Rotate the key well before either limit.
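The rotate-before-the-limit idea above, as an added example in Go (not code from the original page): a keyring that encrypts with AES-GCM under its newest key, counts messages per key, rotates automatically when a key reaches its quota, and prefixes every ciphertext with the key version (also bound as associated data) so data encrypted under older keys stays readable. The `Keyring` type, `MaxMessagesPerKey` and the blob layout are this example's own assumptions; the quota is deliberately tiny so the rotation path runs in a short loop, where production code would use at most the 2^32 random-nonce limit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Per-key usage ceiling. NIST SP 800-38D caps a key at 2^32 encryptions when
// 96-bit nonces are chosen at random; this illustrative value is far lower so
// that rotation is exercised after a handful of messages.
const MaxMessagesPerKey = 4

type keyVersion struct {
	aead cipher.AEAD
	used uint64 // messages encrypted under this key so far
}

// Keyring keeps every key version still needed for decryption, but encrypts
// only with the newest one.
type Keyring struct {
	versions []keyVersion
	current  uint32
}

// newAEAD generates a fresh random AES-256 key and wraps it in GCM.
func newAEAD() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyring() (*Keyring, error) {
	k := &Keyring{}
	if err := k.Rotate(); err != nil {
		return nil, err
	}
	return k, nil
}

// Rotate appends a fresh key and makes it the encryption key. Older versions
// are retained so that data encrypted under them can still be read.
func (k *Keyring) Rotate() error {
	aead, err := newAEAD()
	if err != nil {
		return err
	}
	k.versions = append(k.versions, keyVersion{aead: aead})
	k.current = uint32(len(k.versions) - 1)
	return nil
}

// Current returns the index of the key version used for encryption.
func (k *Keyring) Current() uint32 { return k.current }

// Encrypt produces: 4-byte key version || 12-byte nonce || ciphertext+tag.
// The version header is bound as associated data, so swapping it fails the tag.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	if k.versions[k.current].used >= MaxMessagesPerKey {
		if err := k.Rotate(); err != nil {
			return nil, err
		}
	}
	kv := &k.versions[k.current]
	nonce := make([]byte, kv.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, k.current)
	out := make([]byte, 0, len(hdr)+len(nonce)+len(plaintext)+kv.aead.Overhead())
	out = append(out, hdr...)
	out = append(out, nonce...)
	out = kv.aead.Seal(out, nonce, plaintext, hdr)
	kv.used++
	return out, nil
}

// Decrypt looks up the key version named in the header and opens the blob.
func (k *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	ver := binary.BigEndian.Uint32(blob[:4])
	if ver >= uint32(len(k.versions)) {
		return nil, errors.New("unknown key version")
	}
	aead := k.versions[ver].aead
	ns := aead.NonceSize()
	if len(blob) < 4+ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], blob[:4])
}

func main() {
	k, err := NewKeyring()
	if err != nil {
		panic(err)
	}
	for i := 0; i < 10; i++ {
		c, err := k.Encrypt([]byte(fmt.Sprintf("record %d", i)))
		if err != nil {
			panic(err)
		}
		p, _ := k.Decrypt(c)
		fmt.Printf("key v%d: %s\n", binary.BigEndian.Uint32(c[:4]), p)
	}
}
```

Ten messages under a quota of four end up spread over key versions 0, 1 and 2, and all of them still decrypt. The per-message bound is enforced separately by Go's GCM implementation, which panics on a single plaintext above the 64 GiB limit; an old key version should be dropped from the ring only once everything encrypted under it has been re-encrypted or deleted.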