Key consistency
Some operations are eventually consistent. The changes they produce take up to three hours to take effect. These operations include:
- Rotating keys (automatically and manually).
- Changing the primary version of a key.
- Changing the key status to
Inactive. - Scheduling a key version for destruction.
- Deleting a key.
The REST API methods encrypt, decrypt, reEncrypt for the SymmetricCrypto resource and the gRPC API calls SymmetricCryptoService/Encrypt, SymmetricCryptoService/Decrypt, and SymmetricCryptoService/ReEncrypt may not see the changes introduced by eventually consistent operations for up to three hours, e.g., encryption will use the old key version if rotation took place less than three hours ago.
Strongly consistent operations take effect without delay:
- Creating keys.
- Changing the key status to
Active. - Canceling scheduled key version destruction (the version status is
Scheduled For Destruction).
Note
To quickly restrict access to a key, revoke the roles required to use the key for encrypting and decrypting data. For more information, see Access management in Key Management Service.