Key destruction default time MSA

As recently announced, Cloud Key Management Service (Cloud KMS) is changing the default value for the amount of time a key remains in DESTROY_SCHEDULED state before being destroyed from 1 day to 30 days. This page provides additional information about the change and how you can act on it based on your needs.

Overview

When you submit a destruction request for a key version, its state becomes DESTROY_SCHEDULED. During that soft-delete period, you can cancel the destruction request by restoring the key version. After the key's configured scheduled-for-destruction duration has passed, the state of the key version becomes DESTROYED, and the key material can't be recovered by customers.

Cloud KMS is changing the default value for the amount of time a key remains in the DESTROY_SCHEDULED state before being destroyed from 1 day to 30 days.

This change addresses feedback from various sources that indicated the need for a longer duration. The new default value will help you notice and restore mistakenly destroyed keys before it's too late, thus reducing the overall risk of accidental or malicious key deletion.

Timeline

Date        | What is changing?
Nov 1, 2023 | You can use the opt-out procedure to keep the default scheduled duration of all existing keys (created before Feb 1, 2024) unchanged.
Feb 1, 2024 | All new keys created with no custom destroy scheduled duration use the new 30-day default duration.
May 1, 2024 | If you take no action by this date, existing keys where no custom destroy scheduled duration value is specified will be updated to use the new 30-day default.

Required actions

Choose the actions from the following list that best meet your needs:

  • To accept the new default destroy scheduled duration of 30 days for existing keys that use the previous default value of 1 day, you don't need to take any action. Existing keys with a destroy scheduled duration of 1 day will automatically be updated to 30 days. This migration is scheduled to begin on May 1, 2024; the migration is expected to be completed within two weeks of that date.

  • To accept the new default destroy scheduled duration of 30 days for new keys, you don't need to take any action. New keys with no custom destroy scheduled duration specified will be created using the default value of 30 days. You can dismiss the banner in the Google Cloud console.

  • To retain the previous destroy scheduled duration of 1 day for existing keys (created before February 1, 2024), opt out of updating the default destroy scheduled duration. For detailed instructions, see Opt out of updating existing keys on this page.

  • To retain the previous destroy scheduled duration of 1 day for new keys, specify 1 day as the destroy scheduled duration during key creation. Set the destroy scheduled duration for all keys created on or after February 1, 2024. For detailed instructions, see Set the duration of the 'scheduled for destruction' state.
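To choose between these options you first need to know which keys still rely on the default duration. The following script is an added example and is not part of the Cloud KMS documentation: it assumes an authenticated gcloud CLI, uses PROJECT_ID and LOCATION as placeholders, and assumes that a key with the 1-day default reports its destroyScheduledDuration as 86400s (or leaves it empty), which is how the CryptoKey resource represents durations.

```shell
#!/bin/bash
# Added example, not from the Cloud KMS docs: report which keys in one
# location still rely on the 1-day default (the ones the May 1, 2024
# migration moves to 30 days) and which already carry a custom duration.

# Classify "name<TAB>destroyScheduledDuration" lines read from stdin.
# Assumption: the default is reported as "86400s" (1 day) or as an empty
# field. Those keys are printed as DEFAULT; everything else as CUSTOM.
classify_key_durations() {
  awk -F'\t' '
    $2 == "" || $2 == "86400s" { print "DEFAULT\t" $1; next }
    { print "CUSTOM\t" $2 "\t" $1 }
  '
}

# Walk every key ring in PROJECT_ID/LOCATION, list its keys with their
# duration, and classify them. value() output is tab separated, which is
# what classify_key_durations expects.
audit_location() {
  project="$1"
  location="$2"
  gcloud kms keyrings list --project="$project" --location="$location" \
      --format="value(name)" |
  while IFS= read -r keyring; do
    gcloud kms keys list --project="$project" --location="$location" \
        --keyring="$keyring" \
        --format="value(name,destroyScheduledDuration)"
  done | classify_key_durations
}

# Usage (placeholders): audit_location PROJECT_ID LOCATION
# Keys listed as DEFAULT are the ones affected by the migration; keys listed
# as CUSTOM keep their explicitly configured duration.
```

Keys reported as DEFAULT are the candidates for the opt-out procedure if you need to keep the 1-day duration; keys reported as CUSTOM are not touched by the migration.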

Opt out of updating existing keys

To keep the old default for your existing keys, you can opt out your project through the Google Cloud console or the gcloud CLI by May 1, 2024.

  1. Grant yourself the new cloudkms.locations.optOutKeyDeletionMsa IAM permission. Note that this permission is also part of the existing cloudkms.admin IAM role.
  2. Opt out, using any of these methods:

    • Use the banner on the Key Management page on the Google Cloud console.

    • Run the kms key-deletion-opt-out command to opt out individual projects:

      gcloud alpha kms key-deletion-opt-out --project=projects/PROJECT_ID
      

      Replace PROJECT_ID with the ID of the project.

    • Use a bash script to run the kms key-deletion-opt-out command on all projects in your organization:

      #!/bin/bash
      # Enumerate every project in the organization and opt each one out.
      # ORGANIZATION_ID is a placeholder. The search prints one "project: projects/..."
      # line per result; awk keeps the value and sed drops the blank lines left
      # by the "---" separators, so each value can be passed straight to --project.
      for project_id in $(
          gcloud asset search-all-resources \
              --scope=organizations/ORGANIZATION_ID \
              --query="name://cloudresourcemanager.googleapis.com/projects" \
              --read-mask=project \
              | awk '{ print $2 }' | sed '/^$/d'
      ); do
          # Run the command directly; wrapping it in $( ) would try to execute
          # the command's output as a second command.
          gcloud alpha kms key-deletion-opt-out --project="$project_id"
      done

      Replace ORGANIZATION_ID with the ID of your organization.

Undo opt out of updating existing keys

If you opt out by mistake, you can only opt back in using the gcloud CLI, adding the --undo flag at the end of your command. For example, for a single project, use the following command to undo the opt out:

gcloud alpha kms key-deletion-opt-out --project=projects/PROJECT_ID --undo
