Stale CryptoKeys make encrypted data insecure
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | LOW | Google Cloud Provider | SECRET |
Description
CryptoKeys are used by Google Cloud to encrypt and decrypt data. If a key is compromised, automatic rotation ensures that it does not stay in use for too long, which limits the quantity of data exposed.
Previous versions of the key are kept, so older data can still be accessed.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | False |
If a key is compromised, is not manually revoked, and key rotation is disabled, all newly encrypted data will remain readable with the compromised key.
Remediation guidelines
Enable key rotation with a rotation period of 90 days or less.
If you ever suspect that a key is compromised, revoke it as soon as possible.
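One way to audit existing keys against the 90-day guideline, as an added example that is not part of the original page or of any scanner's own code. It assumes key metadata exported as JSON with the Cloud KMS CryptoKey fields `name`, `purpose` and `rotationPeriod` (for instance from `gcloud kms keys list --format=json`); the sample keys are constructed, and skipping non-symmetric keys is a choice made for this example.

```python
import json

MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60  # 90 days, the limit given in the guideline

# Constructed sample data; the project, key ring and key names are made up.
SAMPLE_KEYS = json.loads("""[
  {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/rotated-30d",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "2592000s"},
  {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/rotated-90d",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s"},
  {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/rotated-365d",
   "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "31536000s"},
  {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/no-rotation",
   "purpose": "ENCRYPT_DECRYPT"},
  {"name": "projects/p/locations/global/keyRings/r/cryptoKeys/signing-key",
   "purpose": "ASYMMETRIC_SIGN"}
]""")


def rotation_seconds(key):
    """Return the rotation period in seconds, or None when rotation is not set."""
    period = key.get("rotationPeriod")  # Duration string such as "7776000s"
    if not period:
        return None
    return float(period.rstrip("s"))


def stale_keys(keys, max_seconds=MAX_ROTATION_SECONDS):
    """Return (key_id, reason) for keys with no rotation or a period over the limit."""
    findings = []
    for key in keys:
        # Assumption of this example: only symmetric ENCRYPT_DECRYPT keys are
        # checked, because Cloud KMS offers automatic rotation only for them.
        if key.get("purpose") != "ENCRYPT_DECRYPT":
            continue
        key_id = key["name"].rsplit("/", 1)[-1]
        seconds = rotation_seconds(key)
        if seconds is None:
            findings.append((key_id, "rotation disabled"))
        elif seconds > max_seconds:
            days = seconds / 86400
            findings.append((key_id, f"rotation period {days:.0f} days exceeds 90"))
    return findings


if __name__ == "__main__":
    for key_id, reason in stale_keys(SAMPLE_KEYS):
        print(f"{key_id}: {reason}")
```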