Commit

Merge branch 'main' into aslamovamir-vault-32330
aslamovamir authored Nov 13, 2024
2 parents 5dc2205 + 6b97d82 commit 9805350
Showing 2 changed files with 30 additions and 9 deletions.
3 changes: 0 additions & 3 deletions website/content/docs/commands/operator/rekey.mdx
Expand Up @@ -21,9 +21,6 @@ An unseal key may be provided directly on the command line as an argument to the
command. If key is specified as "-", the command will read from stdin. If a TTY
is available, the command will prompt for text.

Please see the [rotating and rekeying](/vault/tutorials/operations/rekeying-and-rotating) for
step-by-step instructions.

## Examples

Initialize a rekey:
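
Review bot: The three lines deleted after the TTY paragraph were the only pointer in the visible context to step-by-step rekey instructions ("Please see the [rotating and rekeying](/vault/tutorials/operations/rekeying-and-rotating) for step-by-step instructions."). If the tutorial path changed, update the link target rather than dropping the sentence. If the removal is intentional, note in the commit message where operators should now find the procedure, because the Examples section that follows shows individual commands and not the full sequence.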
36 changes: 30 additions & 6 deletions website/content/docs/commands/operator/rotate.mdx
Expand Up @@ -10,14 +10,18 @@ description: |-

# operator rotate

The `operator rotate` rotates the underlying encryption key which is used to
secure data written to the storage backend. This installs a new key in the key
ring. This new key is used to encrypted new data, while older keys in the ring
are used to decrypt older data.
The `operator rotate` command rotates the underlying encryption key, which
secures data written to storage. This installs a new key in the key ring.
This new key encrypts new data, while older keys in the ring decrypt
older data.

This is an online operation and does not cause downtime. This command is run
This is an online operation and does not cause downtime. This command runs
per-cluster (not per-server), since Vault servers in HA mode share the same
storage backend.
storage.

As of **Vault 1.7**, Vault will automatically rotate the encryption key before
reaching 2<sup>32</sup> encryption operations, in adherence with NIST SP800-32D
guidelines.

## Examples

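Review bot: The citation in the added "As of **Vault 1.7**" paragraph, "NIST SP800-32D", looks like a typo. The NIST recommendation for GCM, which is where the 2<sup>32</sup> invocation limit comes from, is SP 800-38D. Suggest "in adherence with NIST SP 800-38D guidelines". The paragraph would also be more useful if it said how far "before reaching 2<sup>32</sup> encryption operations" the automatic rotation triggers, so an operator can tell whether the default needs tuning.
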
Expand All @@ -29,6 +33,26 @@ Key Term 3
Install Time 01 May 17 10:30 UTC
```

View the current automatic rotation policy:

```shell-session
$ vault read sys/rotate/config
```

Configure a time interval for automatic key rotation:

```shell-session
$ vault write sys/rotate/config interval=2160h
Success! Data written to: sys/rotate/config
```

Configure the maximum number of encryption operations per key:

```shell-session
$ vault write sys/rotate/config max_operations=123456789
Success! Data written to: sys/rotate/config
```

## Usage

The following flags are available in addition to the [standard set of
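
Review bot: The added `vault read sys/rotate/config` example shows no output, unlike the two `vault write` examples that follow it, so a reader cannot tell which fields the policy exposes or what the defaults are. Suggest adding sample output to that block. The sample values also need a word of explanation: `interval=2160h` is 90 days, and `max_operations=123456789` is given without the allowed range or any statement of how it relates to the 2<sup>32</sup> limit mentioned earlier on the page. It is also unclear from the two separate writes whether setting one field leaves the other unchanged; a sentence on that would prevent accidental policy resets.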
