mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-23 23:51:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
69 lines
2.3 KiB
Plaintext
69 lines
2.3 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: operator rotate - Command
|
|
description: |-
|
|
The "operator rotate" rotates the underlying encryption key which is used to
|
|
secure data written to the storage backend. This installs a new key in the key
|
|
ring. This new key is used to encrypt new data, while older keys in the ring
|
|
are used to decrypt older data.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# operator rotate
|
|
|
|
The `operator rotate` command rotates the underlying encryption key, which
|
|
secures data written to storage. This installs a new key in the key ring.
|
|
This new key encrypts new data, while older keys in the ring decrypt
|
|
older data.
|
|
|
|
This is an online operation and does not cause downtime. This command runs
|
|
per-cluster (not per-server), since Vault servers in HA mode share the same
|
|
storage.
|
|
|
|
As of **Vault 1.7**, Vault will automatically rotate the encryption key before
|
|
reaching 2<sup>32</sup> encryption operations, in adherence with NIST SP800-32D
|
|
guidelines.
|
|
|
|
## Examples
|
|
|
|
Rotate Vault's encryption key:
|
|
|
|
```shell-session
|
|
$ vault operator rotate
|
|
Key Term 3
|
|
Install Time 01 May 17 10:30 UTC
|
|
```
|
|
|
|
View the current automatic rotation policy:
|
|
|
|
```shell-session
|
|
$ vault read sys/rotate/config
|
|
```
|
|
|
|
Configure a time interval for automatic key rotation:
|
|
|
|
```shell-session
|
|
$ vault write sys/rotate/config interval=2160h
|
|
Success! Data written to: sys/rotate/config
|
|
```
|
|
|
|
Configure the maximum number of encryption operations per key:
|
|
|
|
```shell-session
|
|
$ vault write sys/rotate/config max_operations=123456789
|
|
Success! Data written to: sys/rotate/config
|
|
```
|
|
|
|
## Usage
|
|
|
|
The following flags are available in addition to the [standard set of
|
|
flags](/vault/docs/commands) included on all commands.
|
|
|
|
### Output options
|
|
|
|
- `-format` `(string: "table")` - Print the output in the given format. Valid
|
|
formats are "table", "json", or "yaml". This can also be specified via the
|
|
`VAULT_FORMAT` environment variable.
|