Key Rotation Schedule Calculator

Cryptographic key rotation is the practice of replacing encryption keys at regular intervals to limit the damage from a key compromise and reduce the volume of data protected by any single key. NIST SP 800-57 Part 1 provides specific cryptoperiod recommendations for different key types and security levels. This calculator takes the last rotation date and the rotation interval in days, and computes the next rotation date, the number of rotations per year, and the days until the next rotation is due. Use it to plan key management operations and set automated rotation reminders.

NIST SP 800-57: symmetric encryption keys 1-2 years; session keys may be shorter

Key rotation schedule formula

Next rotation date = last rotation date + interval (days)
Days until rotation = next rotation date - today
Rotations per year = 365.25 / interval (days)

NIST SP 800-57 Part 1 Rev 5 Table 1 recommends cryptoperiods by key type. Symmetric data encryption keys: originator usage period up to 2 years, recipient usage period up to 3 years. Keys protecting very large data volumes should be rotated more frequently.

NIST SP 800-57 cryptoperiod guidelines

  • Symmetric data encryption keys: up to 2 years originator usage period.
  • Symmetric content-encryption keys: typically a single session or a short period.
  • Symmetric key-wrapping keys: up to 2 years originator usage period.
  • Private signature keys: up to 3 years for 112-bit security (2048-bit RSA).
  • TLS certificates: maximum 398 days per CA/Browser Forum Baseline Requirements.
  • API keys and service account credentials: 90 days or less is a common best practice.
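
The formula and the guideline list above combined into an inventory check, as an added example in Python (not code from this page or from the calculator): it computes the schedule for each key and flags intervals longer than the listed maximum. The key-type labels, the 14-day warning window, the 365-day year used to convert the limits, and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Longest interval (days) per key type, from the guideline list above.
# Type labels are hypothetical; years are converted at 365 days (assumption).
MAX_INTERVAL_DAYS = {
    "symmetric_data_encryption": 2 * 365,
    "symmetric_key_wrapping": 2 * 365,
    "private_signature": 3 * 365,
    "tls_certificate": 398,
    "api_key": 90,
}

@dataclass(frozen=True)
class Schedule:
    next_rotation: date
    days_until: int            # negative once the rotation is overdue
    rotations_per_year: float
    status: str                # "ok", "due_soon" or "overdue"
    exceeds_guideline: bool    # interval longer than the listed maximum

def rotation_schedule(key_type, last_rotated, interval_days, today, warn_days=14):
    """Apply the three formulas above, then classify the result."""
    if interval_days <= 0:
        raise ValueError("interval_days must be a positive number of days")
    if last_rotated > today:
        raise ValueError("last rotation date lies in the future")
    limit = MAX_INTERVAL_DAYS[key_type]   # KeyError on an unlisted key type
    next_rotation = last_rotated + timedelta(days=interval_days)
    days_until = (next_rotation - today).days
    # warn_days is an assumed reminder window, not a value from the page
    status = "overdue" if days_until < 0 else "due_soon" if days_until <= warn_days else "ok"
    return Schedule(next_rotation, days_until,
                    round(365.25 / interval_days, 2), status, interval_days > limit)

# Constructed sample inventory: (name, key type, last rotation, interval in days)
INVENTORY = [
    ("db-dek", "symmetric_data_encryption", date(2024, 1, 10), 365),
    ("ci-token", "api_key", date(2024, 1, 10), 180),
    ("edge-cert", "tls_certificate", date(2023, 11, 1), 90),
]

def audit(inventory, today):
    return {name: rotation_schedule(kt, last, days, today)
            for name, kt, last, days in inventory}

if __name__ == "__main__":
    for name, sched in audit(INVENTORY, date(2024, 3, 1)).items():
        print(f"{name}: {sched}")
```

A key can be on schedule and still flagged: the sample API key is not yet due, but its 180-day interval is longer than the 90 days listed above.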

Key rotation schedule calculator: frequently asked questions

Why should cryptographic keys be rotated?

Key rotation limits the exposure window if a key is compromised. A key used for only 90 days gives an attacker at most 90 days of data access if compromised, versus unlimited access for a non-rotated key. NIST SP 800-57 provides guidance on cryptoperiods based on key type and use.

What is a cryptoperiod?

A cryptoperiod is the time span during which a specific key is authorized for use. NIST SP 800-57 recommends different cryptoperiods for different key types: symmetric data encryption keys (up to 2 years), symmetric authentication keys (up to 2 years), and private signature keys (up to 3 years for 112-bit security).

What does NIST recommend for symmetric encryption key rotation?

NIST SP 800-57 Part 1 Section 5.3 recommends that symmetric data encryption keys have a cryptoperiod of 1 to 2 years, depending on the volume of data encrypted and the threat model. Keys protecting large volumes of sensitive data should be rotated more frequently.

How does automatic key rotation work in cloud services?

Cloud KMS services (AWS KMS, Google Cloud KMS, Azure Key Vault) support automatic key rotation. AWS KMS can automatically rotate symmetric CMKs annually. The service re-encrypts the key material while maintaining the same key ID, and prior versions are retained for decryption of existing data.

What is the difference between key rotation and key expiry?

Key rotation creates a new key version and transitions active use to it while retaining old versions for decryption. Key expiry marks a key as unusable after a date. Rotation is a planned, usually automated process; expiry is a hard deadline after which the key cannot be used at all.

Official sources

  • NIST SP 800-57 Part 1 Rev 5 Recommendation for Key Management (Table 1 Cryptoperiods): csrc.nist.gov.
  • NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems: csrc.nist.gov.

Reviewed by the CalculatorHub team, edited by James Graham, 15 June 2026. See our methodology.