Security and platform engineering teams
Key Manager: How to Create, Rotate, and Use Encryption Keys
Manage key lifecycle in the key management service for data encryption and application signing workloads.
10 min read · Updated 2026-04-01
Prerequisites
- • Project access to key management service
- • IAM policies for key administrators and key users
- • Application integration plan for key retrieval and rotation
Implementation workflow
This runbook focuses on a reliable sequence for provisioning and validating the service through the cloud console.
- Open Security > Key Manager and create a new symmetric or asymmetric key.
- Set ownership, metadata, and usage policy constraints.
- Integrate key references into the consuming service or application.
- Create a rotation schedule and issue a new key version.
- Re-encrypt or re-sign workloads, then deprecate old key material.
Validation and operator checks
After deployment, verify connectivity, security boundaries, and backup posture before promoting workloads to production.
Operator tips
- • Split duties between key creation, approval, and usage roles.
- • Test key rotation in staging to validate application compatibility.
- • Record key lineage and retirement events for compliance evidence.