
Rotate data encryption keys


Rotates all the KMS keys that Vault uses to encrypt properties, tokens, and more.


Key rotation is not managed in the hosted version of Vault.

When the keys are rotated, new data is encrypted with the new key. All old keys are retained, so that content encrypted with previous keys can still be decrypted.
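The rotation behaviour described above (new data under the new key, old keys retained for reads), sketched as an added example that is not Vault's own code. `KeyRing`, its methods and the version-prefixed ciphertext layout are assumptions made for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyRing struct{ keys []cipher.AEAD } // hypothetical model: index = key version, last = active

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue with a weak key or nonce
	}
	return b
}

// Rotate adds a fresh AES-256-GCM key; earlier keys stay for decryption.
func (r *KeyRing) Rotate() {
	block, _ := aes.NewCipher(random(32)) // cannot fail: 32 is a valid key size
	g, _ := cipher.NewGCM(block)          // cannot fail: AES has 16-byte blocks
	r.keys = append(r.keys, g)
}

// Encrypt seals under the newest key: version(1) || nonce(12) || ciphertext.
func (r *KeyRing) Encrypt(pt []byte) ([]byte, error) {
	if n := len(r.keys); n < 1 || n > 256 {
		return nil, fmt.Errorf("no usable active key among %d", n)
	}
	hdr, nonce := []byte{byte(len(r.keys) - 1)}, random(12)
	return append(append(hdr, nonce...), r.keys[hdr[0]].Seal(nil, nonce, pt, hdr)...), nil
}

// Decrypt opens with the key named by the version byte, old or current.
func (r *KeyRing) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 13 || int(blob[0]) >= len(r.keys) {
		return nil, fmt.Errorf("malformed ciphertext or unknown key version")
	}
	return r.keys[blob[0]].Open(nil, blob[1:13], blob[13:], blob[:1])
}

func main() {
	r := &KeyRing{}
	r.Rotate()
	old, _ := r.Encrypt([]byte("constructed sample")) // sealed under version 0
	r.Rotate()                                         // version 1 is now active
	fmt.Println(r.Decrypt(old))                        // still opens with version 0
}
```

The version byte is passed as associated data, so relabelling a ciphertext with a different key version makes authentication fail instead of selecting the wrong key silently.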

The role that performs this operation must have the CapKMSWriter capability. See Access control for more information about how capabilities are used to control access to operations.

Possible responses

The request is successful.

Try the API


Navigate to the docs of your local Vault installation to try the API directly from there.
