This is the final installment of the Cryptographic Services APIs article series. Today, I add the Change Master Key (CHGMSTK) command to the set of cryptographic key management commands and functions that I have presented so far. Changing a master key (or any other cryptographic key) is necessary in the event that the key has been compromised, or as part of a key expiration scheme.
The latter is calculated primarily from the relationship between the key length in bits and the processing power required to run a successful brute-force attack against the key. One way to protect a cryptographic key is to change it before breaking it becomes practically possible. This is only one strategy, however, and it should be combined with other lines of defense to ensure a sufficient overall level of security in all cryptographic applications and setups.