Stale CryptoKeys make encrypted data insecure

Severity: HIGH
Exploitability: LOW
Providers: Google Cloud Provider
Categories: SECRET

Description

CryptoKeys are used by Google Cloud to encrypt and decrypt data. If a key is compromised, automatic rotation ensures that it does not stay relevant for too long and limits the quantity of data exposed.

Previous versions of the key are kept, so older data can still be accessed.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: False

If a key is compromised, is not manually revoked, and key rotation is disabled, all newly encrypted data will remain readable with the compromised key.

Remediation guidelines

Enable key rotation with a rotation period of 90 days or less.

If you ever suspect that a key is compromised, revoke it as soon as possible.
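One way to check existing keys against the 90-day guideline, as an added example that is not part of the original page. It assumes key metadata in the JSON shape returned by `gcloud kms keys list --format=json`; the sample keys and the function names are constructed for illustration.

```python
import json

MAX_ROTATION_SECONDS = 90 * 24 * 3600  # the 90-day ceiling from the remediation above

# Constructed sample, shaped like `gcloud kms keys list --format=json` output.
SAMPLE_KEYS = json.loads("""[
 {"name": "projects/example/locations/global/keyRings/r/cryptoKeys/rotated",
  "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s"},
 {"name": "projects/example/locations/global/keyRings/r/cryptoKeys/never",
  "purpose": "ENCRYPT_DECRYPT"},
 {"name": "projects/example/locations/global/keyRings/r/cryptoKeys/yearly",
  "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s"},
 {"name": "projects/example/locations/global/keyRings/r/cryptoKeys/signer",
  "purpose": "ASYMMETRIC_SIGN"}
]""")


def parse_duration(value):
    """Convert a JSON duration string such as '7776000s' to seconds."""
    if not isinstance(value, str) or not value.endswith("s"):
        raise ValueError(f"unexpected duration: {value!r}")
    return float(value[:-1])


def audit_key(key):
    """Return (status, detail) for one CryptoKey resource."""
    # Cloud KMS only rotates symmetric ENCRYPT_DECRYPT keys automatically;
    # other purposes need a manual rotation process, so report them apart.
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        return "MANUAL", "no automatic rotation for this key purpose"
    period = key.get("rotationPeriod")
    if period is None:
        return "FAIL", "rotation is disabled"
    seconds = parse_duration(period)
    if seconds > MAX_ROTATION_SECONDS:
        return "FAIL", f"rotation period is {seconds / 86400:.0f} days"
    return "OK", f"rotation period is {seconds / 86400:.0f} days"


def audit(keys):
    """Map each key's short name to its audit status."""
    return {k["name"].rsplit("/", 1)[-1]: audit_key(k)[0] for k in keys}


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(key["name"].rsplit("/", 1)[-1], *audit_key(key))
```

Keys reported as MANUAL are not covered by automatic rotation and need their own rotation schedule.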
