From afdf42b0b6eab06bf270e6b998651e32cbeb3759 Mon Sep 17 00:00:00 2001 From: Brian Shumate Date: Tue, 12 Nov 2024 13:53:20 -0500 Subject: [PATCH 1/2] Docs: Update rotate encryption key command doc (#28888) - Add command examples from the tutorial - Update for linting --- .../content/docs/commands/operator/rotate.mdx | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/website/content/docs/commands/operator/rotate.mdx b/website/content/docs/commands/operator/rotate.mdx index a9de0d0fd489..671b64ffe0dd 100644 --- a/website/content/docs/commands/operator/rotate.mdx +++ b/website/content/docs/commands/operator/rotate.mdx @@ -10,14 +10,18 @@ description: |- # operator rotate -The `operator rotate` rotates the underlying encryption key which is used to -secure data written to the storage backend. This installs a new key in the key -ring. This new key is used to encrypted new data, while older keys in the ring -are used to decrypt older data. +The `operator rotate` command rotates the underlying encryption key, which +secures data written to storage. This installs a new key in the key ring. +This new key encrypts new data, while older keys in the ring decrypt +older data. -This is an online operation and does not cause downtime. This command is run +This is an online operation and does not cause downtime. This command runs per-cluster (not per-server), since Vault servers in HA mode share the same -storage backend. +storage. + +As of **Vault 1.7**, Vault will automatically rotate the encryption key before +reaching 232 encryption operations, in adherence with NIST SP800-32D +guidelines. ## Examples 
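Review bot: In the new "As of **Vault 1.7**" paragraph, `232 encryption operations` reads as two hundred thirty-two; the limit being described is 2^32, so write it as `2^32` or `2<sup>32</sup>` so the exponent survives MDX rendering. The citation `NIST SP800-32D` also looks like a typo: the 2^32 invocation limit for AES-GCM comes from NIST SP 800-38D (the GCM recommendation), while SP 800-32 is an unrelated introduction to PKI. Suggest: `reaching 2^32 encryption operations, in adherence with NIST SP 800-38D`. Otherwise the wording tightening ("storage backend" to "storage", "This command runs per-cluster") reads well.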
@@ -29,6 +33,26 @@ Key Term 3 Install Time 01 May 17 10:30 UTC ``` +View the current automatic rotation policy: + +```shell-session +$ vault read sys/rotate/config +``` + +Configure a time interval for automatic key rotation: + +```shell-session +$ vault write sys/rotate/config interval=2160h +Success! Data written to: sys/rotate/config +``` + +Configure the maximum number of encryption operations per key: + +```shell-session +$ vault write sys/rotate/config max_operations=123456789 +Success! Data written to: sys/rotate/config +``` + ## Usage The following flags are available in addition to the [standard set of From 6b97d822efe32a12307c1825e07a6b49e038259c Mon Sep 17 00:00:00 2001 From: Brian Shumate Date: Tue, 12 Nov 2024 13:53:28 -0500 Subject: [PATCH 2/2] Docs: remove link to deprecated tutorial (#28889) The rekey and rotate tutorial is being deprecated, so this link pointing to it needs to be removed. --- website/content/docs/commands/operator/rekey.mdx | 3 --- 1 file changed, 3 deletions(-) diff --git a/website/content/docs/commands/operator/rekey.mdx b/website/content/docs/commands/operator/rekey.mdx index 2ff5539a1f5f..c9fa922dc07e 100644 --- a/website/content/docs/commands/operator/rekey.mdx +++ b/website/content/docs/commands/operator/rekey.mdx @@ -21,9 +21,6 @@ An unseal key may be provided directly on the command line as an argument to the command. If key is specified as "-", the command will read from stdin. If a TTY is available, the command will prompt for text. -Please see the [rotating and rekeying](/vault/tutorials/operations/rekeying-and-rotating) for -step-by-step instructions. - ## Examples Initialize a rekey:
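Review bot: For the `@@ -29,6 +33,26 @@` hunk in rotate.mdx, the `vault read sys/rotate/config` example shows only the prompt while both `vault write` examples show their `Success! Data written to: sys/rotate/config` output; either show the fields the read returns (at least the `interval` and `max_operations` values the following examples set) or drop the prompt-only block so readers do not assume the read prints nothing. Also `max_operations=123456789` is an unexplained arbitrary number; since the paragraph above says Vault rotates before 2^32 operations, add a clause noting the configured ceiling must be below that, and pick a value that reads as deliberate (for example a round power of ten) rather than a keyboard run.

Review bot: For the rekey.mdx hunk in PATCH 2/2, removing the link leaves `operator rekey` with no pointer to step-by-step guidance. PATCH 1/2 says it carried the tutorial's command examples into rotate.mdx before the tutorial is deprecated; do the same here, adding the rekey steps the tutorial covered under `## Examples`, or link the successor tutorial if one exists, so the deprecation does not silently drop content.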