Key Rotation

Expanded Definition

Key rotation is the controlled replacement of a credential or cryptographic key with a new one so the older material can no longer be trusted. In NHI security, that means the change has to reach every place the key is stored, embedded, cached, or delegated, not just the issuing system. Guidance varies across vendors on whether rotation alone is sufficient, because effective rotation often depends on immediate revocation, propagation control, and verification after rollout. The distinction matters for service accounts, api key, ssh key, tokens, and certificates, where a stale credential may remain valid long after a new one exists. The OWASP Non-Human Identity Top 10 treats poor secret handling as a core NHI risk area, which is why rotation should be paired with inventory and trust-path review. For lifecycle context, see the NHI Lifecycle Management Guide. The most common misapplication is reissuing a key without removing the old one from all trust stores, which occurs when teams rotate in the vault but leave legacy access intact in applications, CI/CD pipelines, or SSH authorized keys.

Examples and Use Cases

Implementing key rotation rigorously often introduces operational coordination overhead, requiring organisations to weigh reduced exposure against service disruption and rollout complexity.

• Rotating an API key used by a production integration after confirming the application has picked up the new secret and the old key has been revoked everywhere.
• Replacing SSH keys across hosts after offboarding a contractor, then validating that stale authorized_keys entries no longer trust the retired key.
• Rolling certificates for an internal workload identity where short-lived credentials reduce blast radius, but certificate distribution must be synchronized.
• Using rotation as part of a broader response to secret sprawl, as described in the Guide to the Secret Sprawl Challenge.
• Combining rotation with ephemeral credentials in line with the access model discussed by OWASP and the 2024 Non-Human Identity Security Report, which notes that 59.8% of organisations see value in dynamic ephemeral credentials.

Rotation is also used to contain exposure after a secret is found in a ticket, chat thread, or code commit. The key question is not whether a fresh credential exists, but whether every dependent workload has switched cleanly and the old trust path has been closed.

Why It Matters in NHI Security

Key rotation matters because NHIs fail quietly when credentials outlive the systems and assumptions that issued them. Stale keys widen the attack window, complicate incident response, and create false confidence when a vault shows a new value but an old credential still works elsewhere. NHIs are especially vulnerable because they are often duplicated, hardcoded, or shared across applications. In The 2025 State of NHIs and Secrets in Cybersecurity by Entro Security, 91% of former employee tokens remain active after offboarding, showing how often lifecycle controls fail when rotation is not paired with revocation.

For governance teams, rotation is not a calendar exercise; it is evidence that trust has actually been withdrawn. The 2024 Non-Human Identity Security Report also found that 88.5% of organisations say their non-human IAM practices lag behind or are merely on par with human IAM, which helps explain why rotation is frequently under-controlled. Organisations typically encounter the consequences only after a token leak, offboarding event, or service compromise, at which point key rotation becomes operationally unavoidable to address.

Related resources from NHI Mgmt Group

• Secrets Rotation
• What is the difference between key rotation and key retirement?
• When is key rotation not enough for NHI governance?
• How should security teams handle API key rotation for NHI workloads?