Skip to main content
When you create a symmetric key, you can configure a rotation period to rotate key material periodically, but you can also rotate a symmetric key manually. Rotation helps you refresh the cryptographic material behind the key and create a new key version while you continue using the same key resource.

Prerequisites

Make sure you are in a group that has at least the editor role within your tenant or project; for example, the default editors group. Alternatively, you can have an access permit with the editor role assigned to the required key. To check your access rights, go to the Administration → IAM section in the web console.

How to rotate a symmetric key manually

  1. List symmetric keys: 
    nebius kms symmetric-key list
    In the output, copy the ID of the required symmetric key.
  2. Rotate the key: 
    nebius kms symmetric-key rotate <key_ID>
    In the command, specify the ID of the symmetric key. The output looks like the following: 
    metadata:
  id: kmssymkey-e00***
  parent_id: project-e00***
  name: my-symmetric-key
  resource_version: "2"
  created_at: "2026-05-07T10:18:49.623048Z"
  updated_at: "2026-05-07T10:21:17.384632Z"
spec:
  description: test-key
  algorithm: AES_256
  rotation_period: 0s
status:
  state: ACTIVE
    Each time you rotate a key, the resource_version value increases by one.