As recently announced, Cloud Key Management Service (Cloud KMS) is changing the default value for the amount of time a key remains in the DESTROY_SCHEDULED state before being destroyed from 1 day to 30 days. This page provides additional information about the change and how you can act on it based on your needs.
Overview
When you submit a destruction request for a key version, its state becomes DESTROY_SCHEDULED. During that soft-delete period, you can cancel the destruction request by restoring the key version. After the key's configured scheduled-for-destruction duration has passed, the state of the key version becomes DESTROYED, and the key material can't be recovered by customers.
Cloud KMS is changing the default value for the amount of time a key remains in the DESTROY_SCHEDULED state before being destroyed from 1 day to 30 days.
This change addresses feedback from various sources that indicated the need for a longer duration. The new default value gives you more time to notice and restore mistakenly destroyed keys before they become unrecoverable, reducing the overall risk of accidental or malicious key deletion.
Timeline
Date | What is changing?
---|---
 | You can use the opt out procedure to keep the default scheduled duration of all existing keys (created before Feb 1, 2024) unchanged.
February 1, 2024 | All new keys created with no custom destroy scheduled duration use the new 30-day default duration.
May 1, 2024 | If you take no action by this date, existing keys where no custom destroy scheduled duration value is specified will be updated to use the new 30-day default.
Required actions
Choose the actions from the following list that best meet your needs:
- To accept the new default destroy scheduled duration of 30 days for existing keys that use the previous default value of 1 day, you don't need to take any action. Existing keys with a destroy scheduled duration of 1 day will automatically be updated to 30 days. This migration is scheduled to begin on May 1, 2024; the migration is expected to be completed by mid-June 2024.
- To accept the new default destroy scheduled duration of 30 days for new keys, you don't need to take any action. New keys with no custom destroy scheduled duration specified will be created using the default value of 30 days. You can dismiss the banner in the Google Cloud console.
- To retain the previous destroy scheduled duration of 1 day for existing keys (created before February 1, 2024), opt out of updating the default destroy scheduled duration. For detailed instructions, see Opt out of updating existing keys on this page.
- To retain the previous destroy scheduled duration of 1 day for new keys, specify 1 day as the destroy scheduled duration during key creation. Do this for all keys created on or after February 1, 2024. For detailed instructions, see Set the duration of the 'scheduled for destruction' state.
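Before choosing one of the actions above, it helps to know which keys in a key ring still carry the 1-day duration, and to be able to create new keys with the duration set explicitly. The script below is an added example written for this page; it is not code from the Cloud KMS documentation. It wraps the real gcloud kms keys list and gcloud kms keys create commands and their --format and --destroy-scheduled-duration flags, and it assumes that the listing shows the destroyScheduledDuration field as a seconds string such as 86400s (the API's duration encoding). The GCLOUD variable is an assumption of the example: it lets you point the functions at a stub so the logic can be exercised without contacting Google Cloud.

```shell
#!/bin/bash
# Added example; this is not code from the Cloud KMS documentation. It wraps the
# real `gcloud kms keys list` and `gcloud kms keys create` commands. GCLOUD can
# be overridden (for example with a stub function) so the logic can be checked
# without contacting Google Cloud.
GCLOUD="${GCLOUD:-gcloud}"

# Convert a KMS duration string such as "86400s" to whole seconds.
# Prints nothing if the value is missing or malformed.
duration_seconds() {
  local value=${1%s}
  case "$1" in
    *s) case "$value" in
          ''|*[!0-9]*) printf '\n' ;;
          *) printf '%s\n' "$value" ;;
        esac ;;
    *) printf '\n' ;;
  esac
}

# Print the resource names of keys in one key ring whose scheduled-for-
# destruction duration is still the previous 1-day default (86400 seconds).
# These are the keys the migration would move to 30 days unless the project
# is opted out. With value(), gcloud prints the fields separated by tabs.
keys_with_one_day_duration() {
  local project=$1 location=$2 keyring=$3
  local tab
  tab=$(printf '\t')
  "$GCLOUD" kms keys list --project="$project" --location="$location" \
      --keyring="$keyring" --format='value(name,destroyScheduledDuration)' |
  while IFS="$tab" read -r name duration; do
    if [ "$(duration_seconds "$duration")" = "86400" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Create a key with an explicit scheduled-for-destruction duration (default 1d),
# so the key keeps the previous behaviour regardless of the new default.
create_key_with_duration() {
  local project=$1 location=$2 keyring=$3 key=$4 duration=${5:-1d}
  "$GCLOUD" kms keys create "$key" --project="$project" --location="$location" \
      --keyring="$keyring" --purpose=encryption \
      --destroy-scheduled-duration="$duration"
}

# Usage: ./check-destroy-duration.sh PROJECT_ID LOCATION KEY_RING
if [ "$#" -eq 3 ]; then
  keys_with_one_day_duration "$@"
fi
```

Run the script with a project ID, location and key ring name to list the keys that would be migrated; call create_key_with_duration from another script, or after sourcing this one, to create a key that keeps the 1-day duration.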
Opt out of updating existing keys
To keep the old default for your existing keys, you can opt out your project through the Google Cloud console or gcloud CLI by May 1, 2024.
- Grant yourself the new cloudkms.locations.optOutKeyDeletionMsa IAM permission. Note that this permission is also part of the existing cloudkms.admin IAM role.
- Opt out, using any of these methods:
  - Use the banner on the Key Management page on the Google Cloud console.
  - Run the kms key-deletion-opt-out command to opt out individual projects:
    gcloud alpha kms key-deletion-opt-out --project=projects/PROJECT_ID
    Replace PROJECT_ID with the ID of the project.
  - Use a bash script to run the kms key-deletion-opt-out command on all projects in your organization:
    #!/bin/bash
    # List every project in the organization; --format prints only the
    # project field (projects/NUMBER), one per line.
    for project_id in $(gcloud asset search-all-resources \
        --scope=organizations/ORGANIZATION_ID \
        --query="name://cloudresourcemanager.googleapis.com/projects" \
        --read-mask=project \
        --format='value(project)'); do
      # Run the opt-out command directly for each project.
      gcloud alpha kms key-deletion-opt-out --project="$project_id"
    done
    Replace ORGANIZATION_ID with the ID of your organization.
Undo opt out of updating existing keys
If you opt out by mistake, you can only opt back in using the gcloud CLI, adding the --undo flag at the end of your command. For example, for a single project, use the following command to undo the opt out:
gcloud alpha kms key-deletion-opt-out --project=projects/PROJECT_ID --undo
What's new
- Learn more ways to Control key destruction using organization policies.