Docs- Update info on key rotation (#23274)

* Docs- Update info on key rotation

Added a sentence about needing to seal-rewrap if you want to disable or delete old key.

* rectified the url for seal-rewrap

rectified the url for seal-rewrap

* fixed some grammar

* Update website/content/docs/configuration/seal/pkcs11.mdx

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
prabhat-hashi 2024-05-02 08:42:54 +10:00 committed by GitHub
parent 07bfa6bd92
commit c88967abb5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -280,7 +280,9 @@ This seal supports rotating keys by using different key labels to track key vers
the key value, generate a new key in a different key label in the HSM and update Vault's
configuration with the new key label value. Restart your vault instance to pick up the new key
label and all new encryption operations will use the updated key label. Old keys must not be disabled
or deleted and are used to decrypt older data.
or deleted and are used to decrypt older data. To disable or delete old keys, Vault needs to
perform [seal-rewrap](/vault/api-docs/system/sealwrap-rewrap#start-a-seal-rewrap-process)
so that data encrypted by the old key can be decrypted using the new key.
**NOTE**: Prior to version 0.10.1, key information was not tracked with the ciphertext. If
rotation is desired for data that was seal wrapped prior to this version must also set
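
Review bot: The added sentence describes the rewrap backwards and leaves the preceding sentence contradicting it. "so that data encrypted by the old key can be decrypted using the new key" should say that seal-rewrap re-encrypts data wrapped under the old key label with the new key label, since data is only ever decrypted with the key that encrypted it. The unchanged sentence "Old keys must not be disabled or deleted" now reads as an absolute rule directly followed by instructions for doing exactly that; qualify it, for example "Old keys must not be disabled or deleted until a seal rewrap has completed". The link anchor points only at starting the rewrap process, so it is also worth stating that the operator must confirm the rewrap has finished before disabling or deleting the old key in the HSM, because removing it early makes any not-yet-rewrapped data undecryptable.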