Rotate MACsec keys

This page describes how to rotate keys for MACsec for Cloud Interconnect.

To rotate keys, you complete the following:

  1. Create a new key with a start time later than that of every existing key.
  2. Add the new key to your on-premises router.
  3. Wait for the new key's start time.
  4. Verify that the new key is active.
  5. Delete the oldest key.

You can create up to five pre-shared keys with start times that you specify. The keys' start times must be in increasing order, and each start time must be at least six hours after the previous key's start time. To complete a rotation, you remove the key that you no longer want to use.

Pre-shared keys don't expire. When you configure more than one key, all keys must have a start time configured.

Required roles

To get the permissions that you need to retrieve MACsec keys, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

If you choose to use custom roles, ensure that your custom role for administrating MACsec for Cloud Interconnect includes the compute.interconnects.getMacsecConfig IAM permission.

Optional: Update existing key start time

If you have a key without a start time and attempt to create a new key, Cloud Interconnect displays an error. To fix the start time, select one of the following options to set a start time for the existing key:

Console

  1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.

  2. Select the connection that you want to modify.

  3. On the MACsec tab, go to the Pre-shared keys section, and then click Managed pre-shared keys.

  4. In the Start time field, select or enter a new start time.

  5. Click Submit.

gcloud

gcloud compute interconnects macsec update-key INTERCONNECT_CONNECTION_NAME \
    --key-name=KEY_NAME \
    --start-time=START_TIME

Replace the following:

  • INTERCONNECT_CONNECTION_NAME: the name of your Cloud Interconnect connection
  • KEY_NAME: the name of the key to update
  • START_TIME: the time that this key is valid from, in ISO 8601 format—for example, 2023-07-01T21:00:01.000Z

Create a new key

  1. To add a new key, select one of the following options:

    Console

    1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.

    2. Select the connection that you want to modify.

    3. On the MACsec tab, go to the Pre-shared keys section, and then click Managed pre-shared keys.

    4. Click Add key.

    5. Specify the details of the pre-shared key:

      • Key Name: a name for the key. This name is displayed in the Google Cloud console and is used by the gcloud CLI to reference the key, such as psk-2.

      • Start time: the time that the key is valid from. Ensure that the new pre-shared key's start time is at least six hours after the start time of the previous key.

    6. To add additional pre-shared keys, click Add key. Consecutive pre-shared keys must have start times at least six hours apart.

    7. Click Submit.

    gcloud

    gcloud compute interconnects macsec add-key INTERCONNECT_CONNECTION_NAME \
        --key-name=KEY_NAME \
        --start-time="START_TIME"

    Replace the following:

    • INTERCONNECT_CONNECTION_NAME: the name of your Cloud Interconnect connection
    • KEY_NAME: a name for the key
    • START_TIME: the time that this key is valid from, in ISO 8601 format—for example, 2023-07-01T21:00:01.000Z

    As a best practice, we recommend that you set a start time for all keys that you create for MACsec for Cloud Interconnect.

  2. To list existing keys and note the new key's connectivity association key (CAK) and connectivity association key name (CKN), select one of the following options:

    Console

    1. In the Pre-shared keys section, find the name of the pre-shared key that you added, then click View. A window displays the connectivity association key (CAK) and the connectivity association key name (CKN).

    2. Click Close.

    gcloud

    gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME

    The output is similar to the following:

    preSharedKeys:
    - name: key1
      ckn: 0101010189abcdef...0123456789abcdef
      cak: 0123456789abcdef...0123456789abcdef
      startTime: 2023-07-01T12:12:12Z
    - name: key2
      ckn: 0202020289abcdef...0123456789abcdef
      cak: 0123456889abcdef...0123456789abcdef
      startTime: 2023-08-01T12:12:12Z

    In this example, key2 is the newly added key.

  3. Add the new key's start time, CAK, and CKN values to your on-premises router's configuration.

Google's edge routers use the key with the latest start time that has already passed, and automatically switch to the next key when its start time arrives. All configured keys have infinite expiration times, so a superseded key is never retired on its own. This means that to complete a key rotation, you must remove the old key that you don't want used.

Verify the active key

Complete the following steps:

  1. To list existing keys, select one of the following options:

    Console

    1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.

    2. Select the connection that you want to view.

    3. On the MACsec tab, the Pre-shared keys section lists all pre-shared keys for this connection.

    gcloud

    gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME

    The output is similar to the following:

    preSharedKeys:
    - name: key1
      ckn: 0101010189abcdef...0123456789abcdef
      cak: 0123456789abcdef...0123456789abcdef
      startTime: 2023-07-01T12:12:12Z
    - name: key2
      ckn: 0202020289abcdef...0123456789abcdef
      cak: 0123456889abcdef...0123456789abcdef
      startTime: 2023-08-01T12:12:12Z

    Note the CKN values of the keys, in particular the new key (the last key listed) and the old key that you plan to remove, so that you can compare them with the CKN that the connection reports as active.

  2. To verify that the active key is listed before removing the old key, select one of the following options:

    Console

    • In the Pre-shared keys section, verify that the new key displays a Key status of Active, in use.

    gcloud

    gcloud compute interconnects get-diagnostics INTERCONNECT_CONNECTION_NAME

    The output is similar to the following; look for macsec:

    bundleAggregationType: BUNDLE_AGGREGATION_TYPE_STATIC
    bundleOperationalStatus: BUNDLE_OPERATIONAL_STATUS_UP
    links:
    - circuitId: LOOP-0
      googleDemarc: fake-local-demarc-0
      lacpStatus:
        googleSystemId: '00:11:22:33:44:55'
        neighborSystemId: '55:44:33:22:11:00'
        state: ACTIVE
      macsec:
        ckn: 0202020289abcdef...0123456789abcdef
        operational: true
      operationalStatus: LINK_OPERATIONAL_STATUS_UP
      receivingOpticalPower:
        state: OK
        value: -2.49
      transmittingOpticalPower:
        state: OK
        value: -0.88
    macAddress: 00:11:22:33:44:55

    The gcloud compute interconnects get-diagnostics command displays the CKN of the key that each link is actually using; compare it with the new key's CKN from get-config. If you have more than one key configured, the key with the latest start time that has already passed is the active key. Google's edge routers reject any new MACsec sessions that attempt to use the older keys.

Remove the old key

As a safety precaution, MACsec for Cloud Interconnect prevents you from removing the last active key.

To remove the old key, complete the following steps:

  1. Remove the old key from your on-premises router configuration. This ensures that the old key isn't used by your on-premises router before you delete the old key from Cloud Interconnect.

  2. To remove the old key from your Cloud Interconnect connection configuration, select one of the following options:

    Console

    1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.

    2. Select the connection that you want to view.

    3. On the MACsec tab, go to Pre-shared keys, select the key you want to delete, and then click Delete.

    4. In the Pre-shared keys section, verify that the new key displays a Key status of Active, in use and that the key you wanted to delete is no longer listed.

    gcloud

    1. Run the following command:

      gcloud compute interconnects macsec remove-key INTERCONNECT_CONNECTION_NAME \
          --key-name=KEY_NAME

      Replace the following:

      • INTERCONNECT_CONNECTION_NAME: the name of your Cloud Interconnect connection
      • KEY_NAME: the name of the key to remove
    2. To verify that you removed the correct key, run the following command:

      gcloud compute interconnects macsec get-config INTERCONNECT_CONNECTION_NAME

      The output is similar to the following:

      preSharedKeys:
      - name: key2
        ckn: 0202020289abcdef...0123456789abcdef
        cak: 0123456889abcdef...0123456789abcdef
        startTime: 2023-08-01T12:12:12Z
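The whole rotation described on this page, as an added Python example (not Google's code): it checks a proposed start time against the constraints stated above (increasing order, at least six hours after the previous key, every key must have a start time once there is more than one, at most five keys), works out which key Google's edge routers should be using at a given moment, compares that key's CKN with the CKN that get-diagnostics reports per link, and lists only the superseded keys as safe to remove. It reads the JSON form of the same two gcloud commands (`--format=json`); the SAMPLE_CONFIG and SAMPLE_DIAGNOSTICS strings are constructed to mirror the outputs shown on this page, with placeholder CKN/CAK values that are not key material. The `gcloud_json` helper is the only part that touches a real connection and is not called by the sample run.

```python
"""Plan and verify a MACsec pre-shared key rotation for Cloud Interconnect.

Added example, not Google's code. It consumes the JSON output of:

    gcloud compute interconnects macsec get-config CONNECTION --format=json
    gcloud compute interconnects get-diagnostics CONNECTION --format=json

SAMPLE_CONFIG and SAMPLE_DIAGNOSTICS are constructed to mirror the YAML on
this page; CKN/CAK values are placeholders, not key material.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

MIN_GAP = timedelta(hours=6)   # consecutive start times must be >= 6 h apart
MAX_KEYS = 5                   # at most five pre-shared keys per connection

SAMPLE_CONFIG = json.dumps({"preSharedKeys": [
    {"name": "key1", "ckn": "0101010189abcdef", "cak": "0123456789abcdef",
     "startTime": "2023-07-01T12:12:12Z"},
    {"name": "key2", "ckn": "0202020289abcdef", "cak": "0123456889abcdef",
     "startTime": "2023-08-01T12:12:12Z"},
]})
SAMPLE_DIAGNOSTICS = json.dumps({"links": [
    {"circuitId": "LOOP-0",
     "macsec": {"ckn": "0202020289abcdef", "operational": True,
                "operationalStatus": "LINK_OPERATIONAL_STATUS_UP"}},
]})


def parse_time(text):
    """gcloud prints RFC 3339 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def start_of(key):
    """Start time of a key, or None for a key configured without one."""
    return parse_time(key["startTime"]) if key.get("startTime") else None


def load_keys(config_json):
    """Keys from get-config, sorted by start time (keys without one sort first)."""
    keys = json.loads(config_json).get("preSharedKeys", [])
    floor = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(keys, key=lambda k: start_of(k) or floor)


def check_new_key(keys, new_start):
    """Constraints from this page that add-key enforces; an empty list means OK."""
    problems = []
    if len(keys) >= MAX_KEYS:
        problems.append(f"already {MAX_KEYS} keys configured; remove one first")
    missing = [k["name"] for k in keys if start_of(k) is None]
    if missing:
        problems.append(f"set a start time (update-key) on: {missing}")
    elif keys:
        latest = start_of(keys[-1])
        if new_start <= latest:
            problems.append("new start time must be later than every existing key")
        elif new_start - latest < MIN_GAP:
            problems.append("new start time must be >= 6 hours after the previous key")
    return problems


def active_key(keys, now):
    """Key Google's edge uses at `now`: the latest start time that has passed."""
    started = [k for k in keys if start_of(k) is None or start_of(k) <= now]
    return started[-1] if started else None


def verify_active(keys, diagnostics_json, now):
    """Compare the CKN each link reports with the key we expect to be active."""
    expected = active_key(keys, now)
    links = []
    for link in json.loads(diagnostics_json).get("links", []):
        macsec = link.get("macsec", {})
        links.append({
            "circuitId": link.get("circuitId"),
            "ckn": macsec.get("ckn"),
            "operational": bool(macsec.get("operational")),
            "matches": expected is not None and macsec.get("ckn") == expected["ckn"],
        })
    ok = bool(links) and all(l["matches"] and l["operational"] for l in links)
    return {"expected": expected["name"] if expected else None, "links": links, "ok": ok}


def keys_safe_to_remove(keys, now):
    """Keys that started before the active one; never the active key itself."""
    active = active_key(keys, now)
    if active is None or start_of(active) is None:
        return []
    return [k["name"] for k in keys
            if k is not active and start_of(k) is not None
            and start_of(k) < start_of(active)]


def gcloud_json(connection, *subcommand):
    """Live call, e.g. gcloud_json("my-ic", "macsec", "get-config"); unused below."""
    argv = ["gcloud", "compute", "interconnects", *subcommand, connection, "--format=json"]
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    now = parse_time("2023-08-15T00:00:00Z")   # pretend "now" for the sample data
    keys = load_keys(SAMPLE_CONFIG)
    print("too close to key2:", check_new_key(keys, parse_time("2023-08-01T15:00:00Z")))
    print("verification:", verify_active(keys, SAMPLE_DIAGNOSTICS, now))
    print("safe to remove:", keys_safe_to_remove(keys, now))
```

Run it against a real connection by replacing the two SAMPLE_* strings with `gcloud_json(name, "macsec", "get-config")` and `gcloud_json(name, "get-diagnostics")` and `now` with `datetime.now(timezone.utc)`. The CAK is printed by get-config, so treat that output as secret material: don't leave it in shell history or logs. Note that `verify_active` is deliberately strict: it only reports `ok` when every link is operational and reports the expected CKN, since a bundle where one link is still on the old key is not a finished rotation.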


Last updated 2026-02-19 UTC.