1

I'm trying to determine how much risk I'm exposed to by using the same AES-128 key for files.

I tried to understand https://securityncompliance.wordpress.com/2014/04/19/cryptographic-keys-and-their-cryptoperiod-nist-recommendations-2012/ which says something like '>2030' but I don't know what that means.

For example, if a 'would be' hacker had 2,000 of my encrypted files but not the AES-128 key, could he realistically crack it? How about 2 million files?

Iunknown
  • How important is your data, how secure are your systems and key distribution, and why not use AES256 if you really care? – eckes Apr 20 '17 at 23:21

1 Answer

2

I agree that website is confusing.

As I understand it, ">2030" means that we expect the AES-128 algorithm to withstand the test of time into the 2030s. That said, this site (linked to by your site) suggests that you change your "Symmetric Data Encryption Key" every "<= 2 years".

Those numbers will be based on the rate of increase in computing power available to crackers. I.e., "somewhere in the 2030s, it should be possible for an attacker to brute-force an AES-128 key in less than 2 years of computation."

Of course, that's barring any major breakthrough attacks against AES. It also assumes that the data you're protecting is important enough that someone will be willing to pay the equipment and electricity costs of several years of server farm time in order to get it.


The question about how many files before rotating keys is hard to answer. A better way to measure it is "how many GB of encryption" before rotating keys. As far as I know, NIST is not yet concerned enough to publish maximum amounts of data that can be encrypted with the same key. In this answer, Tom Leek suggests that you should be able to encrypt up to 250 million terabytes with the same AES key without any problem. Though this amount would probably be reduced if there is a lot of repetition in your files (i.e., they all have an identical header block or something).

What NIST has published (see NIST SP 800-38D, section 5.2.1.1) is that you should not encrypt single files larger than 64 GB. The reason for this is that after ~64 GB encrypted with the same key and the same initialization vector (IV), you start expecting to see collisions at the block level. As long as your data is in chunks smaller than 64 GB, and you use a unique IV for each chunk, you're fine.

Mike Ounsworth
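The bookkeeping implied by the answer's last paragraph, as an added example that is not part of the original answer or of any NIST document: one key shared across many files, every chunk kept under the SP 800-38D section 5.2.1.1 limit, and an IV that is never repeated. The names `KeyBudget`, `plan_file` and `plan_all`, and the IV layout (32-bit file number followed by a 64-bit chunk counter), are assumptions made for illustration; the sketch only plans IVs and chunk boundaries and performs no encryption.

```python
import struct

# Per-invocation plaintext cap from NIST SP 800-38D section 5.2.1.1
# (2^39 - 256 bits), the "64 GB" figure quoted in the answer.
MAX_CHUNK_BYTES = (2**39 - 256) // 8
MAX_FILES = 2**32  # size of the 32-bit file field in the IV layout below


class KeyBudget:
    """Hands out unique 96-bit IVs for one AES-GCM key (hypothetical helper)."""

    def __init__(self, chunk_bytes=64 * 2**20):
        if not 0 < chunk_bytes <= MAX_CHUNK_BYTES:
            raise ValueError("chunk size exceeds the per-invocation GCM limit")
        self.chunk_bytes = chunk_bytes
        self.next_file = 0     # must be persisted with the key across restarts
        self.invocations = 0   # number of GCM encryptions planned so far
        self.total_bytes = 0

    def plan_file(self, size):
        """Return [(iv, offset, length), ...] covering a file of `size` bytes."""
        if self.next_file >= MAX_FILES:
            raise RuntimeError("IV space exhausted: rotate to a new key")
        n_chunks = max(1, -(-size // self.chunk_bytes))  # ceiling division
        plan = []
        for i in range(n_chunks):
            # Assumed IV layout: 32-bit file number || 64-bit chunk counter.
            iv = struct.pack(">IQ", self.next_file, i)
            offset = i * self.chunk_bytes
            plan.append((iv, offset, min(self.chunk_bytes, size - offset)))
        self.next_file += 1
        self.invocations += n_chunks
        self.total_bytes += size
        return plan


def plan_all(budget, sizes):
    """Plan every file and confirm no IV repeats under the shared key."""
    ivs = [iv for size in sizes for iv, _, _ in budget.plan_file(size)]
    if len(ivs) != len(set(ivs)):
        raise AssertionError("IV reuse under one key")
    return len(ivs)


if __name__ == "__main__":
    # Constructed workload: 2,000 files of 5 MiB, then one 100 GiB file.
    b = KeyBudget(chunk_bytes=2**20)
    print(plan_all(b, [5 * 2**20] * 2000 + [100 * 2**30]), "IVs, none repeated")
```

The file counter is the part that has to survive restarts and be shared by every process using the key; losing it and starting again from zero would repeat IVs under the same key.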