Key rotation is the act of changing the underlying cryptographic material contained in a key encryption key (KEK). It can be triggered manually, usually after a security incident where keys might have been compromised. Key rotation replaces only the single field in the key that contains the raw encryption/decryption key data.
To rotate the customer-managed encryption keys, perform the following steps:
After a key rotation, new Secrets are encrypted using the new key. Old Secrets are still decrypted using the old keys. The cluster stores key information along with the ciphertext to aid decryption after key rotation.
Force the cluster to re-encrypt all secrets using the new key:
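The following Python model is an added example, not the product's code or the command for this step. It shows why a key version stored with each ciphertext keeps old Secrets readable after rotation, and why the old key material can be retired only after everything has been re-encrypted. The `Keyring` class, the `v<N>:` record prefix, and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so the demo runs offline; not AES-GCM or a KMS call.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)
def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

class Keyring:
    """Hypothetical KEK: rotation swaps the raw key material, old versions stay readable."""
    def __init__(self):
        self.versions, self.primary = {}, 0
        self.rotate()
    def rotate(self):
        self.primary += 1
        self.versions[self.primary] = os.urandom(32)
    def encrypt(self, plaintext):
        key, nonce = self.versions[self.primary], os.urandom(16)
        ct = _xor_stream(key, nonce, plaintext)
        # Key version is stored next to the ciphertext (constructed record format).
        return b"v%d:" % self.primary + nonce + _tag(key, nonce, ct) + ct
    def decrypt(self, record):
        key = self.versions[key_version(record)]  # KeyError once that version is retired
        body = record.split(b":", 1)[1]
        nonce, tag, ct = body[:16], body[16:48], body[48:]
        if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
            raise ValueError("integrity check failed")
        return _xor_stream(key, nonce, ct)

def key_version(record):
    return int(record.split(b":", 1)[0][1:])
def reencrypt_all(store, ring):
    # Rewrite every record under the current primary key version.
    for name in list(store):
        store[name] = ring.encrypt(ring.decrypt(store[name]))

def demo():
    ring, store = Keyring(), {}
    store["db-password"] = ring.encrypt(b"constructed-secret-1")  # written before rotation
    ring.rotate()
    store["api-token"] = ring.encrypt(b"constructed-secret-2")    # written after rotation
    before = {n: key_version(r) for n, r in store.items()}
    reencrypt_all(store, ring)
    after = {n: key_version(r) for n, r in store.items()}
    del ring.versions[1]  # old material can go only after re-encryption
    return before, after, ring.decrypt(store["db-password"])
```

Listing the stored key version per record, as `key_version` does here, is the check to run before disabling or destroying an old key version.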
Last updated 2025-11-11 UTC.