`/sys/rotate/keyring`

info

The /sys/rotate/keyring endpoint is available from version v2.4.0.

The /sys/rotate/keyring endpoint is used to rotate the encryption key.

Old endpoint format of /sys/rotate is still supported, although /sys/rotate/keyring is preferred.

Rotate encryption key

This endpoint triggers a rotation of the backend encryption key. This is the key that is used to encrypt data written to the storage backend, which is not provided to the operators. This operation is done online. Future values are encrypted with the new key, while old values are decrypted with previous encryption key.

This path requires sudo capability in addition to update.

Method	Path
`POST`	`/sys/rotate/keyring`
`POST`	`/sys/rotate`

Sample request

New format

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/rotate/keyring

Old format

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/sys/rotate

Rotate encryption key​

Sample request​

New format​

Old format​

Rotate encryption key

Sample request

New format

Old format