# Cryptoperiods and Key Rotation

One-sentence definition: A cryptoperiod is the defined lifetime during which a key may be used; when it ends the key must be rotated, which bounds how much data any single key exposes and simplifies recovery after a compromise.

## Key Facts
- Base the cryptoperiod on data sensitivity, usage volume (how much data or how many operations the key protects), and algorithm strength.
- Set separate periods for root, intermediate, leaf, and session keys: the more often a key is used, the shorter its period; long-lived roots are used rarely.
- Trigger rotation early on compromise, role change (for example a key custodian leaving), or algorithm deprecation, not only on schedule.
- Plan for seamless rollover: dual-publish old and new keys (overlapping certificates, both keys in the JWKS) so verifiers accept either during the transition.
- Maintain key versioning (a key ID on every artifact), revocation, and archival so data protected under old versions can still be decrypted or verified as needed.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance
- Pick the appropriate rotation policy by key type.

**Mnemonic:** "Age keys out."

## Mini Scenario
Q: Payment tokenization keys unchanged for years: risk/response?
A: Excessive exposure window (every token ever issued depends on one key); rotate, then audit usage of the old key and identify data still protected by it.

## Revision Checklist
- Define cryptoperiod.
- List two rotation triggers.
- Describe one versioning/rollover step.

## Related
[[Key Management Basics (Asset Security)]] · [[Public Key Infrastructure (PKI) Components]] · [[Certificates, Revocation, and Pinning]] · [[Randomness and DRBGs (Entropy)]] · [[Diffie-Hellman Key Exchange]] · [[Domain 3 - Index]]
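Worked example of the Key Facts on versioning, rotation triggers, and dual-publish rollover, added to this note (it is not from the (ISC)² CBK or any standard): a versioned HMAC key ring that refuses to sign once a key's cryptoperiod has elapsed, keeps retired keys published for a grace period so in-flight tokens still verify, and drops a compromised key immediately. The `KeyRing` class, the `v1`/`v2` key IDs, the cryptoperiod and grace values, and the trigger names are all illustrative assumptions; the token format mimics a compact JWS with `kid` in the header but is not a full JWT implementation.

```python
"""Versioned signing keys with cryptoperiod enforcement and dual-publish rollover.

Illustrative example added to the study note; key-ring layout, kid format,
trigger names and the 24h/1h periods below are assumptions, not a standard.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Rotation triggers named in the note; "scheduled" is the cryptoperiod expiring.
ROTATION_TRIGGERS = {"scheduled", "compromise", "role_change", "algorithm_deprecation"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class KeyVersion:
    kid: str
    secret: bytes
    created: int                   # epoch seconds this version began signing
    retired: Optional[int] = None  # epoch seconds it stopped signing; None = current
    revoked: bool = False          # compromised: never accepted again, even in grace


@dataclass
class KeyRing:
    cryptoperiod: int              # max seconds a version may sign
    grace: int                     # seconds a retired version stays published for verify
    versions: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (when, trigger, new kid)

    @property
    def current(self) -> KeyVersion:
        return self.versions[-1]

    def rotate(self, now: int, reason: str) -> KeyVersion:
        """Retire the current version and start a new one; every rotation is logged."""
        if reason not in ROTATION_TRIGGERS:
            raise ValueError(f"unknown rotation trigger: {reason}")
        if self.versions:
            self.current.retired = now
            if reason == "compromise":
                self.current.revoked = True   # no grace period for a compromised key
        new = KeyVersion(kid=f"v{len(self.versions) + 1}",
                         secret=secrets.token_bytes(32), created=now)
        self.versions.append(new)
        self.audit.append((now, reason, new.kid))
        return new

    def needs_rotation(self, now: int) -> bool:
        return now - self.current.created >= self.cryptoperiod

    def published(self, now: int) -> list:
        """Dual-publish: the current key plus retired keys still inside their grace window."""
        return [v for v in self.versions
                if not v.revoked and (v.retired is None or now - v.retired < self.grace)]

    def sign(self, payload: dict, now: int) -> str:
        if self.needs_rotation(now):   # "age keys out": an expired key may not sign
            raise RuntimeError(f"{self.current.kid} exceeded its cryptoperiod; rotate first")
        header = _b64(json.dumps({"alg": "HS256", "kid": self.current.kid}).encode())
        body = _b64(json.dumps(payload).encode())
        mac = hmac.new(self.current.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64(mac)}"

    def verify(self, token: str, now: int) -> Optional[dict]:
        """Accept any published kid (current or in-grace); unknown, revoked or expired -> None."""
        try:
            header, body, sig = token.split(".")
            kid = json.loads(_unb64(header))["kid"]
        except (ValueError, KeyError):
            return None
        keys = {v.kid: v for v in self.published(now)}
        if kid not in keys:
            return None
        expected = hmac.new(keys[kid].secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return json.loads(_unb64(body)) if hmac.compare_digest(expected, _unb64(sig)) else None


def rollover_demo() -> dict:
    """One 24h cryptoperiod with a scheduled rollover, then a compromise rotation."""
    ring = KeyRing(cryptoperiod=86400, grace=3600)
    ring.rotate(now=0, reason="scheduled")                 # v1 provisioned
    old = ring.sign({"sub": "pan-token-42"}, now=100)      # constructed sample payload
    r = {"before_expiry": ring.verify(old, now=86000) is not None, "expired_refuses_sign": False}
    try:
        ring.sign({"sub": "x"}, now=86400)
    except RuntimeError:
        r["expired_refuses_sign"] = True
    ring.rotate(now=86400, reason="scheduled")             # v2 signs; v1 retired but published
    r["dual_published"] = [v.kid for v in ring.published(now=86400)]
    r["old_in_grace"] = ring.verify(old, now=86400 + 1800) is not None
    r["old_after_grace"] = ring.verify(old, now=86400 + 3600) is not None
    new = ring.sign({"sub": "pan-token-43"}, now=90000)
    ring.rotate(now=90001, reason="compromise")            # v3 signs; v2 revoked, no grace
    r["compromised_accepted"] = ring.verify(new, now=90002) is not None
    r["audit"] = [(reason, kid) for _, reason, kid in ring.audit]
    return r


if __name__ == "__main__":
    print(json.dumps(rollover_demo(), indent=2))
```

The grace window is what makes rollover seamless: consumers that cached the old key set, or tokens signed seconds before rotation, keep working, while a compromise rotation skips the window entirely. The audit list is the minimum record a reviewer would want when asking why a key changed and when.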