AWS KMS supports the following features that permit key rotation without restarting Airlock IAM:
- Every key must have an ARN (Amazon Resource Name) assigned, which identifies the key externally.
- Optionally, a key can also have a unique alias assigned. The alias itself is also an ARN.

When configuring E2EE in Airlock IAM, either key identifiers or aliases can be used in the configuration.

To support key rotation, it is recommended to always use aliases and then follow these steps:
- Generate a new key or key pair in the AWS KMS management UI.
- Reassign the alias from the currently used key to the newly generated key.
- Keep the old key in AWS KMS.
After these steps, all newly stored password hashes will use the new key material for encryption. Existing password hashes will continue to work since the data stored in the database contains both the encrypted password hash and the key identifier that points to the key material used during encryption.
E2EE between a client and IAM will immediately switch to the new key since the client receives the public key during the initial phase of the E2EE protocol.
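The following added example (not Airlock or AWS code) simulates the alias indirection described above with a constructed in-memory stand-in for KMS: records store the resolved key ARN next to the ciphertext, so after the alias is repointed, old records still decrypt with the old key while new records pick up the new one. The alias and key ARNs are constructed placeholders, and the HMAC counter-mode keystream only stands in for KMS's real encryption.

```python
import hashlib
import hmac
import secrets

ALIAS = "arn:aws:kms:eu-central-1:123456789012:alias/iam-password-hashes"  # constructed alias ARN


class SimulatedKms:
    """Constructed stand-in for AWS KMS: key ARN -> key material, alias ARN -> key ARN."""

    def __init__(self):
        self.keys, self.aliases, self._count = {}, {}, 0

    def create_key(self):
        self._count += 1
        arn = f"arn:aws:kms:eu-central-1:123456789012:key/example-{self._count}"  # constructed
        self.keys[arn] = secrets.token_bytes(32)
        return arn

    def update_alias(self, alias_arn, target_key_arn):
        self.aliases[alias_arn] = target_key_arn  # repoint the alias, old key material stays

    def resolve(self, key_id):
        return self.aliases.get(key_id, key_id)  # alias -> current key ARN, key ARN -> itself

    def _stream(self, key_arn, nonce, length):
        # HMAC-SHA256 counter-mode keystream: a stand-in for KMS's real encryption, not production crypto.
        blocks = [hmac.new(self.keys[key_arn], nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def encrypt(self, key_id, plaintext):
        key_arn, nonce = self.resolve(key_id), secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._stream(key_arn, nonce, len(plaintext))))
        return {"key_arn": key_arn, "nonce": nonce, "ciphertext": ct}  # key id is stored with the record

    def decrypt(self, record):
        # Decryption uses the key ARN stored in the record, never the alias's current target.
        stream = self._stream(record["key_arn"], record["nonce"], len(record["ciphertext"]))
        return bytes(c ^ k for c, k in zip(record["ciphertext"], stream))


def rotation_walkthrough():
    kms = SimulatedKms()
    kms.update_alias(ALIAS, kms.create_key())
    old_record = kms.encrypt(ALIAS, b"$argon2id$old-user-hash")  # stored before rotation via the alias
    new_key = kms.create_key()         # step 1: generate a new key
    kms.update_alias(ALIAS, new_key)   # step 2: reassign the alias (step 3: old key remains in kms.keys)
    new_record = kms.encrypt(ALIAS, b"$argon2id$new-user-hash")
    return {
        "old_record_uses_new_key": old_record["key_arn"] == new_key,
        "new_record_uses_new_key": new_record["key_arn"] == new_key,
        "old_record_still_decrypts": kms.decrypt(old_record) == b"$argon2id$old-user-hash",
        "new_record_decrypts": kms.decrypt(new_record) == b"$argon2id$new-user-hash",
    }
```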